> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flowla.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Okta SSO setup

> Connect Flowla to Okta using OpenID Connect (OIDC) to enable Single Sign-On for your organization.

SSO lets your team sign in to Flowla using their existing Okta credentials — no separate passwords, no extra accounts to manage.

### Prerequisites

* Admin access to your Okta account
* Admin access to your Flowla workspace

***

### Step 1 — Create an App Integration in Okta

Sign in to your Okta Admin Console, then navigate to **Applications → Applications** and click **Create App Integration**.

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/create-app-integration.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=b993e551fe84fad097ce9a0ad8e5c5f2" alt="Okta Applications page with Create App Integration button highlighted" width="1914" height="1194" data-path="images/Okta/create-app-integration.png" />
</Frame>

***

### Step 2 — Select sign-in method and app type

Choose **OIDC - OpenID Connect** as the sign-in method and **Web Application** as the application type, then click **Next**.

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/select-oidc-app-type.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=3c89bdd9c9b2051dd594191dfbb09f33" alt="New App Integration dialog with OIDC - OpenID Connect and Web Application selected" width="1908" height="1522" data-path="images/Okta/select-oidc-app-type.png" />
</Frame>

***

### Step 3 — Configure the app integration

Fill in the following fields on the configuration page:

| Field                     | Value                                                         |
| ------------------------- | ------------------------------------------------------------- |
| **App integration name**  | Any name you wish (e.g. `Flowla`)                             |
| **Client credentials**    | Enabled                                                       |
| **Sign-in redirect URI**  | `https://app.flowla.com/sso`                                  |
| **Sign-out redirect URI** | `https://app.flowla.com/signin`                               |
| **Access**                | Allow everyone in your organization to access *(recommended)* |
| **Immediate access**      | Enable immediate access *(recommended)*                       |

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/app-config-name-credentials.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=a934de92ca0939de3ff88cc96ccb8310" alt="App integration name and client credentials settings" width="1872" height="950" data-path="images/Okta/app-config-name-credentials.png" />
</Frame>

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/app-config-redirect-uris.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=d7416bf970e810feed70a792633a9dd4" alt="Sign-in and sign-out redirect URI settings" width="1856" height="1374" data-path="images/Okta/app-config-redirect-uris.png" />
</Frame>

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/app-config-access.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=5b01ca388a344eac2f69407211e8c540" alt="Access settings with Allow everyone and Enable immediate access options" width="1836" height="950" data-path="images/Okta/app-config-access.png" />
</Frame>

<Tip>
  Enabling **Allow everyone in your organization to access** ensures all users can log in via SSO without needing individual app assignments in Okta.
</Tip>

Click **Save** to create the integration.

***

### Step 4 — Copy your Client ID and Client Secret

After saving, open the **General** tab of your newly created app integration. Copy both the **Client ID** and **Client Secret** — you'll need these when configuring Flowla.

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/copy-client-credentials.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=7e69f0c1cbc16e9e37aecc88f5dffd37" alt="General tab showing Client ID and Client Secret fields" width="1484" height="1374" data-path="images/Okta/copy-client-credentials.png" />
</Frame>

<Note>The Client Secret is only shown once — copy it before navigating away. If you lose it, you'll need to generate a new one from the General tab.</Note>

<Warning>
  Protect your Client Secret by keeping it confidential. Avoid sharing it in public repositories, forums, or unencrypted channels.
</Warning>

***

### Step 5 — Find your Identity Provider URL

Your **Identity Provider URL** is the base URL of your Okta account — the part of the address bar that appears **before** `/admin`.

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/identity-provider-url.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=85cfd356dc960ee253d13ccafac43d32" alt="Browser address bar showing the Okta URL with the base domain highlighted before /admin" width="1260" height="102" data-path="images/Okta/identity-provider-url.png" />
</Frame>

For example, if your Okta Admin Console URL is:

```
https://yourcompany.okta.com/admin/dashboard
```

Your Identity Provider URL is:

```
https://yourcompany.okta.com
```

***

### Step 6 — Enable SSO in Flowla

In Flowla, go to **Settings → Security & Permissions** and click **Enable SSO**. Fill in the form with the values you copied from Okta:

<Frame>
  <img src="https://mintcdn.com/flowla/J5UXn8nMRWseTCPa/images/Okta/flowla-enable-sso.png?fit=max&auto=format&n=J5UXn8nMRWseTCPa&q=85&s=a0d87276ad6103155df309f3c758773a" alt="Flowla SSO setup form with Identity Provider URL, Client ID, Client Secret, and Email Domain fields" width="2940" height="1660" data-path="images/Okta/flowla-enable-sso.png" />
</Frame>

<Steps>
  <Step title="Enter your Identity Provider URL">
    Paste the base URL of your Okta account (e.g. `https://yourcompany.okta.com`)
  </Step>

  <Step title="Enter your Client ID">
    Paste the Client ID from the Okta app's General tab
  </Step>

  <Step title="Enter your Client Secret">
    Paste the Client Secret from the Okta app's General tab
  </Step>

  <Step title="Set your email domain">
    Enter the email domain your organization uses (e.g. `yourcompany.com`). Users with this domain will be required to sign in via SSO.
  </Step>

  <Step title="Save and test">
    Click **Save** to activate SSO. Open a new browser session and verify you can sign in via Okta.
  </Step>
</Steps>

<Check>
  Once set up, users with your organization's email domain will be automatically redirected to Okta when signing in to Flowla.
</Check>

***

### Troubleshooting

<AccordionGroup>
  <Accordion title="Users are not being redirected to Okta on sign-in">
    **Likely cause:** The email domain entered in Flowla does not exactly match the domain of your users' email addresses.

    **Fix:** Check the domain setting in Flowla for typos or extra spaces, ensuring it exactly matches your users' email domain (e.g. `yourcompany.com`).
  </Accordion>

  <Accordion title="Sign-in fails with a redirect URI mismatch error">
    **Likely cause:** The Sign-in redirect URI in the Okta app is incorrect or has a trailing slash.

    **Fix:** Verify the **Sign-in redirect URI** in your Okta app is set to exactly `https://app.flowla.com/sso` with no trailing slash.
  </Accordion>

  <Accordion title="Client Secret error on save">
    **Likely cause:** The Client Secret was not copied at creation time and is no longer visible in Okta.

    **Fix:** Generate a new Client Secret from the **General** tab of your Okta app integration, then update it in Flowla.
  </Accordion>

  <Accordion title="Only some users can sign in via SSO">
    **Likely cause:** Individual users or groups are not assigned to the Okta app integration.

    **Fix:** Check the **Assignments** tab of your Okta app. If access is not set to **Everyone**, explicitly assign the required users or groups.
  </Accordion>
</AccordionGroup>