Okta OIDC SSO Integration

Learn how to integrate Fiddler with Okta for seamless Single Sign-On (SSO) authentication using the OpenID Connect (OIDC) protocol.

Overview

This integration allows your users to access Fiddler using their existing Okta credentials. Users are automatically provisioned in Fiddler on their first successful login, eliminating the need for manual user invitations.

Prerequisites

Before starting, ensure you have:

Okta Administrator Access: Permissions to create and configure applications in your Okta organization
Fiddler AuthN Administrator Access: "Org Owner" role in Fiddler's AuthN management console
Deployment Information: Your Fiddler deployment base URL

Configuring Okta

Fiddler requires two Redirect URIs when creating the Okta application and follow these patterns:

https://authn-{base_url}/ui/login/login/externalidp/callback
https://authn-{base_url}/idps/callback

where your Fiddler base URL is the URL of your Fiddler deployment.

Create New Okta Application Integration

On the Okta admin console, navigate to Applications and select the Create App Integration button:
Select OIDC - OpenID Connect for the Sign-in method, select Web Application for the Application type, and then select the Next button to create the new application:
Assign a name for your application integration in the App integration name text box
1. Enter the first Redirect URI into the Sign-in redirect URIs text box, e.g. https://authn-example2.dev.fiddler.ai/ui/login/login/externalidp/callback
2. Select the + Add URI button and add the second Redirect URI, e.g. https://authn-example2.dev.fiddler.ai/idps/callback
3. Enter your base Fiddler URL into the Sign-out redirect URIs text box, e.g. https://example2.dev.fiddler.ai :
Select the Save button to create the application
With the application integration created, copy the following values to use in configuring the identity provider in the Fiddler AuthN console:
1. On the General tab, copy the Client ID and Secret values:
2. On the Sign On tab, copy the Issuer URL:

Configuring Fiddler

The URL to the Fiddler AuthN management console is your Fiddler instance base URL prepended with authn-. For example, if your Fiddler base URL is https://acme.cloud.fiddler.ai then you will access the AuthN management console at https://authn-acme.cloud.fiddler.ai.

Select Your Organization

Ensure your organization is selected in the dropdown. You may see the fiddler organization, but this is reserved for system use and should not be edited. Here we are using the example1 organization:

Navigate to Identity Providers in Settings

Select Settings tab from the top menu and then select Identity Providers from the left navigation menu:

Add and Configure New OIDC Provider

Select the Generic OIDC option in the Add provider section which brings up the OIDC Provider form.
Copy the Callback URL and then navigate to your Okta admin console

Fiddler AuthN console add new OIDC provider form with callback URL

Configure the Identity Provider in Fiddler

Return to the Fiddler AuthN console where we left off and enter the following values:
1. Assign a name and enter it in the Name text box. Note that this name will be displayed on the SSO login button on the Fiddler sign-in page so choose a name your users will recognize.
2. In the Issuer text box, paste the Issuer URL copied from the Okta admin console
3. In the Client ID and Client Secret, past those values copied from the Okta admin console:

Configure Additional Parameters

Expand the optional section
Add the text groups to the Scopes List text box and ensure it is listed along with openid, profile, and email
Ensure the Automatic create and Automatic update checkboxes are selected
Set the Determines whether an identity will be prompted to be linked to an existing account dropdown to Check for existing Username
Select the Create button and the select the Save button

Fiddler AuthN console additional required settings

Save the Configuration Changes

Select the Create button and then select the Save button. You will be returned to the Organization Settings page:

Fiddler AuthN console with newly created Okta OIDC IdP

Activate the Okta OIDC IdP

Select your IdP from the list and select the Activate button on the identity provider settings page:
Close the settings and then select Login Behavior and Security from the left nav menu and ensure the External login allowed checkbox is selected.
Select the Save button

Create a Custom Action

Select the Actions tab from the top menu

Fiddler AuthN console new custom Action script

Select the New button in the Scripts section to create a new action script
Copy the Okta OIDC Action Script below and paste it into the script text area
Enter setAttributesOnOktaOIDCAuth in the Name text box
Select the Add button

Okta OIDC Action Script

function setAttributesOnOktaOIDCAuth(ctx, api) {  
    let firstName = ctx.v1.providerInfo.given_name;
    let lastName = ctx.v1.providerInfo.family_name;
    let email = ctx.v1.providerInfo.email;
    let groups = ctx.getClaim('groups');
    
    let nameParts = [firstName, lastName];
    let filteredParts = nameParts.filter(part => part);
	  let displayName = filteredParts.join(' ');
  
    if (firstName != undefined) {
      api.setFirstName(firstName);
    }
    if (lastName != undefined) {
      api.setLastName(lastName);
    }
    if (email != undefined) {
      email = email.toLowerCase();
      api.setEmail(email);
      api.setEmailVerified(true);
      api.setPreferredUsername(email);
    }

    api.v1.user.appendMetadata('fiddler_authentication_type', 'SSO:OKTA:OIDC');
    if (groups === null || groups === undefined){
      groups = []
    }
    api.v1.user.appendMetadata('fiddler_groups', groups);
}

Configure the Action Trigger

Scroll down to the Flows section

Fiddler AuthN console new Action trigger creation

Select the + Add trigger button
Select the Post Authentication option for the Trigger Type dropdown
Select the setAttributesOnOktaOIDCAuth option for the Actions dropdown
Select the Save button

Validate the Integration

Enter your Fiddler URL. This is https://example2.dev.fiddler.ai in our example. Your Fiddler URL will vary according to your company name and the Fiddler deployment type.
Ensure you see the Fiddler Sign-on page and that the page displays the SSO Login - Okta OIDC button:
Select the button and confirm that the Fiddler application loads:

The first user to sign in to the Fiddler Applicatin is automatically assigned the Fiddler Org Admin role: subsequent members are Org Members by default

Ensure your Okta user account is assigned to the new Okta application you created.

Getting Help

For additional assistance:

Review Okta system logs for authentication attempts
Verify network connectivity between Fiddler and Okta
Contact your Fiddler representative with specific error messages

Reference Documentation

For detailed configuration guidance, refer to the official documentation:

Okta OIDC Configuration Guide - Comprehensive setup instructions
General SSO Authentication Guide - Overview of SSO concepts and troubleshooting
Mapping AD Groups to Fiddler Teams - Group synchronization details

Important Notes

Automatic User Provisioning: Users are automatically created on first successful login—no manual invitations required
Data Storage: Fiddler stores only the user's first name, last name, email address, and SAML token from Okta
API Access: For programmatic API access, users must create access tokens from the "Credentials" tab in Fiddler's Settings page
Single Authentication Method: Users can only authenticate via either SSO or email authentication, not both

Next Steps

After successful integration:

Train Users: Provide guidance on accessing Fiddler through Okta SSO
Configure Teams: Set up Fiddler teams to match your organizational structure
Test Group Sync: Verify automatic group synchronization is working as expected
Monitor Usage: Review authentication logs and user access patterns

❓ Questions? Talk to a product expert or request a demo.

💡 Need help? Contact us at [email protected].

PreviousEmail Authentication NextOkta SAML SSO Integration