Okta OIDC SSO Integration

These instructions will help administrators configure Fiddler for use with an existing Okta single sign-on application.

Okta Setup:

  1. Set up an OIDC configuration in Okta:

  • Select "Web Application" as the application type.

  • Configure the following URLs (replace {base_url} with your Fiddler deployment URL):

    • Sign-in redirect URI - {base_url}/api/sso/okta/callback

    • Sign-out redirect URI - {base_url}

    • Base URI - {base_url}

  • Enable "Authorization Code" grant for user authorization.

    [Figure: Configuring Okta grant type and sign-in redirect URI]
    [Figure: Configuring Okta sign-out redirect URI and base URI]

  2. Copy the client credentials from the "General" section:

    [Figure: Fetching Okta client credentials]

  3. Note your Okta domain and set up the group claim filter in the "Sign On" section:

    [Figure: Fetching Okta domain and setting up group claim filter]

  4. Share the following details with the Fiddler services team:

  • Okta domain

  • Client ID

  • Client Secret

  • Okta Account Type (default or custom)

Deployment instructions

  1. Create a <secret-filename>.yaml file using this template:

apiVersion: v1
kind: Secret
metadata:
  name: fiddler-sso-okta-credentials
  namespace: <NAMESPACE_NAME>
data:
  sso-okta-issuer: <OKTA_ISSUER> # https://<okta_domain>
  sso-okta-authorize-url: <AUTHORIZE_URL> # https://<okta_domain>/oauth2/v1/authorize
  sso-okta-token-url: <TOKEN_URL> # https://<okta_domain>/oauth2/v1/token
  sso-okta-user-info-url: <USER_INFO_URL> # https://<okta_domain>/oauth2/v1/userinfo
  sso-okta-client-id: <CLIENT_ID>
  sso-okta-client-secret: <CLIENT_SECRET>
  sso-okta-domain: <DOMAIN> # <okta_domain>
  authorization-type: <AUTHORIZATION_TYPE> # default
type: Opaque

Important:

  • Base64 encode all values (On macOS, use echo -n "string to encode" | base64).

  • Do not use double quotes in any values.

  • You can retrieve Okta URLs from https://<okta_domain>/.well-known/openid-configuration.

  2. Apply the Kubernetes secret to your cluster:

kubectl apply -f <secret-filename>.yaml -n <NAMESPACE_NAME>

  3. Update your Helm values file with these settings:

fiddler:
  auth:
    sso:
      provider: okta
      okta:
        secretName: fiddler-sso-okta-credentials

Note: The new SSO settings apply once deployments are updated.
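
For step 1 above, one way to render the secret manifest with every value encoded on a single line. This is an added example, not Fiddler's own tooling: the function names and sample inputs are assumptions, and the endpoint URLs are derived from the patterns in the template's comments, so confirm them against the discovery document.

```shell
#!/bin/sh
# Added example, not Fiddler's tooling. Function names are hypothetical.

# Encode one value for the Secret's data: section. printf adds no trailing
# newline; tr strips the line breaks GNU base64 inserts every 76 characters.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Refuse values the template cannot carry: empty, double-quoted, or with whitespace.
check_value() {
  case "$2" in
    ''|*\"*|*[[:space:]]*) echo "invalid value for $1" >&2; return 1 ;;
  esac
}

# render_secret NAMESPACE OKTA_DOMAIN CLIENT_ID CLIENT_SECRET [AUTHORIZATION_TYPE]
# Prints the manifest on stdout. URLs follow the template's comments (assumption).
render_secret() {
  ns=$1; domain=$2; cid=$3; csec=$4; atype=${5:-default}
  check_value namespace "$ns" && check_value domain "$domain" &&
    check_value client-id "$cid" && check_value client-secret "$csec" &&
    check_value authorization-type "$atype" || return 1
  case "$domain" in
    */*) echo "domain must be a bare host name, without scheme or path" >&2; return 1 ;;
  esac
  base="https://$domain"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: fiddler-sso-okta-credentials
  namespace: $ns
data:
  sso-okta-issuer: $(b64 "$base")
  sso-okta-authorize-url: $(b64 "$base/oauth2/v1/authorize")
  sso-okta-token-url: $(b64 "$base/oauth2/v1/token")
  sso-okta-user-info-url: $(b64 "$base/oauth2/v1/userinfo")
  sso-okta-client-id: $(b64 "$cid")
  sso-okta-client-secret: $(b64 "$csec")
  sso-okta-domain: $(b64 "$domain")
  authorization-type: $(b64 "$atype")
type: Opaque
EOF
}

# decode_field KEY: read a manifest on stdin, print the decoded value of KEY.
decode_field() { sed -n "s/^  $1: //p" | base64 --decode; }
```

Base64 is an encoding, not encryption, so keep the rendered file out of version control and delete it after applying. Pass the client secret from an environment variable or prompt rather than typing it on the command line, where it lands in shell history.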

Logging into Fiddler:

After setup is complete:

  1. Go to the Fiddler login page.

  2. Click "Sign in with SSO".

  3. Complete authentication on the Okta login screen.

  4. If authentication succeeds, you'll be redirected to the Fiddler homepage.

Image displaying the login flow from Fiddler login screen to Okta login and back to Fiddler homepage on successful authentication.

Important Notes

  • Users must register with Fiddler using an invitation link from their Fiddler Org Admin before using SSO (unless auto-provisioning is configured).

  • Fiddler stores only the user's first name, last name, email address, and OIDC token.

  • For API access, you need to create an access token from the "Credentials" tab in Fiddler's Settings page (direct Okta authentication isn't supported for APIs).
