Okta SSO

Configure Okta single sign-on for Cased CD Enterprise

This guide walks through setting up Okta as your identity provider for Cased CD Enterprise.

  • Okta account with admin access
  • Cased CD Enterprise deployed
  • ArgoCD 2.0+
  1. Create an Okta Application

    In your Okta Admin Console:

    1. Navigate to Applications → Applications
    2. Click Create App Integration
    3. Select OIDC - OpenID Connect
    4. Select Single-Page Application
    5. Click Next
  2. Configure the application

    • App integration name: Cased CD
    • Grant type: Authorization Code
    • Sign-in redirect URIs: https://cased-cd.example.com/auth/callback
    • Sign-out redirect URIs: https://cased-cd.example.com/login
    • Controlled access: Select your assignment policy

    For local development, also add http://localhost:5173/auth/callback to redirect URIs.

  3. Note your credentials

    After creating the app, note:

    • Client ID (from the application’s General tab)
    • Okta domain (e.g., dev-123456.okta.com)
  4. Configure ArgoCD

    kubectl patch configmap argocd-cm -n argocd --type merge -p '
    data:
      url: "https://cased-cd.example.com"
      oidc.config: |
        name: Okta
        issuer: https://dev-123456.okta.com
        clientID: YOUR_CLIENT_ID
        requestedScopes: ["openid", "profile", "email", "groups"]
    '
  5. Restart ArgoCD

    kubectl rollout restart deployment argocd-server -n argocd
  1. Navigate to your Cased CD login page
  2. Click “Sign in with Okta”
  3. Log in with your Okta credentials
  4. You’ll be redirected back and logged in
  1. In Okta Admin Console, go to Directory → Groups
  2. Create groups like cased-cd-admins, cased-cd-developers
  3. Assign users to groups
  1. Go to Applications → Cased CD → Sign On
  2. Click Edit in the OpenID Connect ID Token section
  3. Add a groups claim:
    • Name: groups
    • Include in token type: ID Token, Always
    • Value type: Filter
    • Filter: Matches regex .* (or filter to specific groups)
kubectl patch configmap argocd-rbac-cm -n argocd --type merge -p '
data:
  policy.csv: |
    p, role:developer, applications, get, */*, allow
    p, role:developer, applications, sync, */*, allow
    p, role:admin, applications, *, */*, allow
    g, cased-cd-developers, role:developer
    g, cased-cd-admins, role:admin
'

Verify that:

  1. The redirect URI in Okta matches your Cased CD URL exactly
  2. The redirect URI includes the /auth/callback path
  3. The protocol (http vs https) matches
  1. Verify the groups claim is configured in the Okta application
  2. Check that users are assigned to groups in Okta
  3. Ensure groups is in the requestedScopes in ArgoCD config
  1. Verify the Client ID is correct in ArgoCD config
  2. Check that the application type is “Single-Page Application”
  3. Ensure “Authorization Code” grant type is enabled
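
The group and Client ID checks above can be run against a captured ID token. The following is an added example, not part of Cased CD, ArgoCD or Okta: the function names are hypothetical, the sample token is constructed, and the token is decoded without signature verification, so the output is for troubleshooting only and never for an access decision.

```python
import base64
import json

def decode_claims(id_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def group_bindings(policy_csv):
    """Map group -> role from the 'g, <group>, <role>' lines of policy.csv."""
    bindings = {}
    for line in policy_csv.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3 and fields[0] == "g":
            bindings[fields[1]] = fields[2]
    return bindings

def diagnose(id_token, issuer, client_id, policy_csv):
    """Return (roles, problems) for one ID token against the guide's settings."""
    claims, problems = decode_claims(id_token), []
    if claims.get("iss", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("iss does not match the issuer in oidc.config")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match clientID in oidc.config")
    groups = claims.get("groups")
    if groups is None:
        problems.append("no groups claim: check the Okta groups claim and requestedScopes")
    bindings = group_bindings(policy_csv)
    roles = sorted({bindings[g] for g in groups or [] if g in bindings})
    if groups and not roles:
        problems.append("no group in the token is bound to a role in policy.csv")
    return roles, problems

def sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{seg({"alg": "none"})}.{seg(claims)}.'

POLICY = """p, role:developer, applications, get, */*, allow
g, cased-cd-developers, role:developer
g, cased-cd-admins, role:admin"""

if __name__ == "__main__":
    token = sample_token({"iss": "https://dev-123456.okta.com", "aud": "YOUR_CLIENT_ID",
                          "groups": ["cased-cd-developers", "Everyone"]})
    print(diagnose(token, "https://dev-123456.okta.com", "YOUR_CLIENT_ID", POLICY))
```

An empty role list with no reported problems means the token carries groups but none of them appear in a `g,` line of policy.csv.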