
Configuring Okta integration

If Okta is your SSO solution, this topic shows you how to configure Okta to integrate with Control Plane.

Before you begin

Before you begin, carefully review the following:

Steps for configuring Okta integration with Control Plane

Because you'll be making changes in both the Okta Admin portal and Venafi Control Plane, you'll complete the configuration faster if you open both user interfaces side-by-side.

You'll perform three basic tasks:

  1. Configure Okta and Control Plane to work together
  2. Test the connection between Control Plane and Okta
  3. (Optional) Add a Groups claim

Step 1: Configuring Okta and TLS Protect Cloud to work together

  1. Open the Okta Admin portal and create a new application. Select Web as the platform and choose OpenID Connect as the sign-on method.

  2. In General Settings, type Control Plane as the application name.

  3. (Optional) Upload this logo file if you plan on making the application visible to users on the Okta portal page:

    Control Plane logo

  4. Under Configure OpenID Connect, fill in the Login redirect URIs field with the login URL from the Control Plane SSO configuration page.

  5. (Optional) If you need to support multiple domains, such as,, do the following:

    1. Add the additional domains in Okta. It's a good idea to consult your Okta documentation about how to add additional domains.
    2. (Required) Contact Venafi Support to provide them with your additional domains. This is a security measure that allows Venafi to verify the authenticity of the domains before allowing them. This is a one-time requirement when adding any additional domains.
  6. Save the new application.

  7. (Optional) If you want to publish the Control Plane application on the Okta portal, do the following:
    • Set Login initiated by to Either Okta or App.
    • Under Application visibility, select Display application icon to users.
    • Leave Login flow as OIDC Compliant.
    • Set Initiate login URI to the SSO Login URL.
  8. In Client Credentials, copy the Client ID and Client Secret values and paste them into the Control Plane SSO Configuration page.
  9. Click the Sign On tab of the Control Plane application.
  10. Under OpenID Connect ID Token, copy the Issuer value and paste it into the Issuer field of the Control Plane SSO Configuration page.

After you've finished configuration, the next step is to test your connection.

Step 2: Testing the connection between TLS Protect Cloud and Okta

  1. From the TLS Protect Cloud's Single Sign-On page, click Test Connection.

  2. Type your enterprise credentials into Okta.

    When the authentication succeeds, you're redirected back to the Venafi Control Plane SSO Configuration page. From there, you can view the claims that were returned in the OIDC token issued by Okta.

  3. Save your SSO configuration.

Once you've confirmed the connection, your users can sign in using their SSO credentials.

Step 3: Adding a Groups claim (Optional)

Adding a Groups claim in Okta allows group membership information to be sent to Control Plane. While Control Plane doesn't yet utilize group membership information, upcoming releases of Control Plane include new features and functionality that will improve the way you define and manage users and groups.


Did you remember to review the Okta article describing AD Group claim configurations, as described above in the Before you begin section?

To configure a Groups claim for sending group information to Control Plane, do the following:

  1. In the Okta Admin portal, click the Sign On tab for the Control Plane application you created earlier.

  2. Configure Groups claim type with either Filter or Expression, depending on how you have your user groups configured in Okta.


    It's a good idea to consult your Okta documentation and configure the Groups claim to return all groups of which a user is a member (both locally in Okta, as well as any Active Directory mastered groups, when applicable).

  3. In Control Plane, from the Single Sign-On page, under Scopes, add the groups scope so that Control Plane will request the Groups claim.
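
The claims shown after Test Connection in Step 2, and the Groups claim from Step 3, can be compared against the values you pasted into the SSO Configuration page. The following is an added example, not Venafi or Okta code: it assumes you have the ID token as a string, that the Groups claim is named groups, and it uses constructed issuer and client ID values.

```python
import base64
import json

# Constructed sample values, not real tenant data.
ISSUER = "https://example.okta.com"
CLIENT_ID = "0oa-constructed-client-id"

def decode_claims(id_token):
    """Return the payload of a compact JWT. The signature is NOT verified:
    this is a configuration check, not token validation."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, issuer, client_id, scopes):
    """List mismatches between returned claims and the SSO configuration."""
    problems = []
    # The Issuer copied from the Sign On tab must equal 'iss' exactly;
    # a trailing slash or a different path is a mismatch.
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured {issuer!r}")
    # 'aud' may be a string or a list and must contain the Client ID.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not contain the Client ID")
    # Assumption: the Groups claim is named 'groups' and is a list.
    if "groups" in scopes and not isinstance(claims.get("groups"), list):
        problems.append("groups scope requested but no 'groups' list returned")
    return problems

def make_sample_token(claims):
    """Build an unsigned, constructed token for the demonstration below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    token = make_sample_token({"iss": ISSUER + "/", "aud": CLIENT_ID,
                               "email": "user@example.com"})
    for problem in check_claims(decode_claims(token), ISSUER, CLIENT_ID,
                                ["openid", "groups"]):
        print("MISMATCH:", problem)
```

An empty result means the issuer, audience and groups expectations line up with the configuration; it says nothing about whether the token's signature is valid.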

Related links

If you're having issues configuring Okta integration, review the Single sign-on (SSO) section in Troubleshooting.