Okta OIDC SSO Integration

Learn how to integrate Fiddler with Okta for seamless Single Sign-On (SSO) authentication using the OpenID Connect (OIDC) protocol.

Overview

This integration allows your users to access Fiddler using their existing Okta credentials. Users are automatically provisioned in Fiddler on their first successful login, eliminating the need for manual user invitations.

Prerequisites

Before starting, ensure you have:

  • Okta Administrator Access: Permissions to create and configure applications in your Okta organization

  • Fiddler AuthN Administrator Access: "Org Owner" role in Fiddler's AuthN management console

  • Deployment Information: Your Fiddler deployment base URL

Configuring Okta

Fiddler requires two Redirect URIs when you create the Okta application. They follow these patterns:

  • https://authn-{base_url}/ui/login/login/externalidp/callback

  • https://authn-{base_url}/idps/callback

where {base_url} is your Fiddler base URL, the URL of your Fiddler deployment.

1. Create New Okta Application Integration

  1. On the Okta admin console, navigate to Applications and select the Create App Integration button:

    Okta admin console applications list
  2. Select OIDC - OpenID Connect for the Sign-in method, select Web Application for the Application type, and then select the Next button to create the new application:

    Okta admin console create a new app and set type
  3. Assign a name for your application integration in the App integration name text box

    1. Enter the first Redirect URI into the Sign-in redirect URIs text box, e.g. https://authn-example2.dev.fiddler.ai/ui/login/login/externalidp/callback

    2. Select the + Add URI button and add the second Redirect URI, e.g. https://authn-example2.dev.fiddler.ai/idps/callback

    3. Enter your base Fiddler URL into the Sign-out redirect URIs text box, e.g. https://example2.dev.fiddler.ai :

      Okta admin console application page with sign-in and sign-out URLs
  4. Select the Save button to create the application

  5. With the application integration created, copy the following values to use in configuring the identity provider in the Fiddler AuthN console:

    1. On the General tab, copy the Client ID and Secret values:

      Okta admin console application page with client id and secret
    2. On the Sign On tab, copy the Issuer URL:

      Okta admin console application page with client id and secret
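
A mismatch between the registered redirect URIs and the patterns above is a common cause of failed sign-ins, because OIDC compares redirect URIs as exact strings. The following Node.js helper is an added example, not Fiddler's or Okta's code; it derives the expected URIs from a base URL and audits a list copied from the Okta application. The function names and the sample list are hypothetical.

```javascript
// Added example: expectedUris and auditRedirectUris are hypothetical helpers.
function expectedUris(baseUrl) {
  const u = new URL(baseUrl);
  if (u.protocol !== 'https:') throw new Error('base URL must use https');
  const authn = `https://authn-${u.host}`; // AuthN host is the base host prefixed with "authn-"
  return {
    authnConsole: authn,
    signIn: [
      `${authn}/ui/login/login/externalidp/callback`,
      `${authn}/idps/callback`,
    ],
    signOut: [`https://${u.host}`],
  };
}

// Compare as exact strings: report what is missing and what is extra
// instead of normalising (a trailing slash or http:// is a different URI).
function auditRedirectUris(baseUrl, configuredSignIn) {
  const want = expectedUris(baseUrl).signIn;
  const have = configuredSignIn.map((s) => s.trim());
  return {
    missing: want.filter((w) => !have.includes(w)),
    unexpected: have.filter((h) => !want.includes(h)),
  };
}

// Constructed sample: the second entry has a stray trailing slash.
const sampleConfigured = [
  'https://authn-example2.dev.fiddler.ai/ui/login/login/externalidp/callback',
  'https://authn-example2.dev.fiddler.ai/idps/callback/',
];
console.log(auditRedirectUris('https://example2.dev.fiddler.ai', sampleConfigured));
```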

Configuring Fiddler

1. Fiddler AuthN Console Sign-in

The URL to the Fiddler AuthN management console is your Fiddler instance base URL prepended with authn-. For example, if your Fiddler base URL is https://acme.cloud.fiddler.ai then you will access the AuthN management console at https://authn-acme.cloud.fiddler.ai.

Sign in using the AuthN Console Org Owner user account credentials provided by your Fiddler representative:

Fiddler AuthN console sign in page

2. Select Your Organization

Ensure your organization is selected in the dropdown. You may see the fiddler organization, but this is reserved for system use and should not be edited. Here we are using the example1 organization:

Fiddler AuthN console home page

3. Select the Settings tab from the top menu and then select Identity Providers from the left navigation menu:

Fiddler AuthN console add provider page

4. Add and Configure New OIDC Provider

  1. Select the Generic OIDC option in the Add provider section which brings up the OIDC Provider form.

  2. Copy the Callback URL and then navigate to your Okta admin console

Fiddler AuthN console add new OIDC provider form with callback URL

5. Configure the Identity Provider in Fiddler

  1. Return to the Fiddler AuthN console where we left off and enter the following values:

    1. Assign a name and enter it in the Name text box. Note that this name will be displayed on the SSO login button on the Fiddler sign-in page so choose a name your users will recognize.

    2. In the Issuer text box, paste the Issuer URL copied from the Okta admin console

    3. In the Client ID and Client Secret text boxes, paste the values copied from the Okta admin console:

      Okta admin console application page with client id and secret

6. Configure Additional Parameters

  1. Expand the optional section

  2. Add the text groups to the Scopes List text box and ensure it is listed along with openid, profile, and email

  3. Ensure the Automatic create and Automatic update checkboxes are selected

  4. Set the Determines whether an identity will be prompted to be linked to an existing account dropdown to Check for existing Username

  5. Select the Create button and then select the Save button

Fiddler AuthN console additional required settings

7. Save the Configuration Changes

Select the Create button and then select the Save button. You will be returned to the Organization Settings page:

Fiddler AuthN console with newly created Okta OIDC IdP

8. Activate the Okta OIDC IdP

  1. Select your IdP from the list and select the Activate button on the identity provider settings page:

    Fiddler AuthN console activate new Okta OIDC IdP
  2. Close the settings and then select Login Behavior and Security from the left nav menu and ensure the External login allowed checkbox is selected.

  3. Select the Save button

    Fiddler AuthN console allow external login behavior

9. Create a Custom Action

Select the Actions tab from the top menu

Fiddler AuthN console new custom Action script
  1. Select the New button in the Scripts section to create a new action script

  2. Copy the Okta OIDC Action Script below and paste it into the script text area

  3. Enter setAttributesOnOktaOIDCAuth in the Name text box

  4. Select the Add button

Okta OIDC Action Script
function setAttributesOnOktaOIDCAuth(ctx, api) {
    // Profile claims returned by the identity provider
    let firstName = ctx.v1.providerInfo.given_name;
    let lastName = ctx.v1.providerInfo.family_name;
    let email = ctx.v1.providerInfo.email;
    let groups = ctx.getClaim('groups');

    // Join whichever name parts are present
    let nameParts = [firstName, lastName];
    let filteredParts = nameParts.filter(part => part);
    let displayName = filteredParts.join(' ');

    if (firstName != undefined) {
      api.setFirstName(firstName);
    }
    if (lastName != undefined) {
      api.setLastName(lastName);
    }
    if (email != undefined) {
      // The email is lower-cased, marked verified and used as the preferred username
      email = email.toLowerCase();
      api.setEmail(email);
      api.setEmailVerified(true);
      api.setPreferredUsername(email);
    }

    // Record how the user authenticated
    api.v1.user.appendMetadata('fiddler_authentication_type', 'SSO:OKTA:OIDC');
    // Store the groups claim, or an empty list when the claim is absent
    if (groups === null || groups === undefined) {
      groups = [];
    }
    api.v1.user.appendMetadata('fiddler_groups', groups);
}

10. Configure the Action Trigger

Scroll down to the Flows section

Fiddler AuthN console new Action trigger creation
  1. Select the + Add trigger button

  2. Select the Post Authentication option for the Trigger Type dropdown

  3. Select the setAttributesOnOktaOIDCAuth option for the Actions dropdown

  4. Select the Save button

11. Validate the Integration

  1. Enter your Fiddler URL. This is https://example2.dev.fiddler.ai in our example. Your Fiddler URL will vary according to your company name and the Fiddler deployment type.

  2. Ensure you see the Fiddler Sign-on page and that the page displays the SSO Login - Okta OIDC button:

    Fiddler application homepage displaying the new SSO login method in addition to the email sign-in form
  3. Select the button and confirm that the Fiddler application loads:

    Fiddler application landing page

The first user to sign in to the Fiddler Application is automatically assigned the Fiddler Org Admin role; subsequent members are Org Members by default.

Ensure your Okta user account is assigned to the new Okta application you created.
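
To see what the setAttributesOnOktaOIDCAuth action will receive during validation, the following added example (not Fiddler's code) decodes an ID token captured from a test sign-in and lists the claims the script reads that are absent or malformed. It assumes the claims are delivered in the ID token; the function names, issuer, client ID and sample token are hypothetical and constructed.

```javascript
// Added troubleshooting example. It decodes the token payload WITHOUT
// verifying the signature, so use it for inspection only, never for trust.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Report problems with the claims read by setAttributesOnOktaOIDCAuth.
function checkClaims(claims, issuer, clientId) {
  const findings = [];
  if (claims.iss !== issuer) findings.push('iss does not match configured Issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) findings.push('aud does not contain Client ID');
  for (const name of ['given_name', 'family_name', 'email']) {
    if (claims[name] === undefined || claims[name] === null) {
      findings.push(`${name} absent: the script skips this attribute`);
    }
  }
  if (claims.groups === undefined || claims.groups === null) {
    findings.push('groups absent: fiddler_groups will be stored as []');
  } else if (!Array.isArray(claims.groups) ||
             !claims.groups.every((g) => typeof g === 'string')) {
    findings.push('groups is not a list of strings');
  }
  return findings;
}

// Builds a constructed sample token with a placeholder signature.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256' })}.${enc(payload)}.constructed-signature`;
}

const SAMPLE_ISSUER = 'https://idp.example.test'; // placeholder issuer
const SAMPLE_CLIENT = 'constructed-client-id';    // placeholder client ID
const sampleJwt = sampleToken({
  iss: SAMPLE_ISSUER, aud: SAMPLE_CLIENT,
  given_name: 'Ada', family_name: 'Lovelace', email: 'Ada@Example.test',
});
console.log(checkClaims(decodePayload(sampleJwt), SAMPLE_ISSUER, SAMPLE_CLIENT));
```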

Getting Help

For additional assistance:

  • Review Okta system logs for authentication attempts

  • Verify network connectivity between Fiddler and Okta

  • Contact your Fiddler representative with specific error messages

Reference Documentation

For detailed configuration guidance, refer to the official documentation:

Important Notes

  • Automatic User Provisioning: Users are automatically created on first successful login—no manual invitations required

  • Data Storage: Fiddler stores only the user's first name, last name, email address, and SAML token from Okta

  • API Access: For programmatic API access, users must create access tokens from the "Credentials" tab in Fiddler's Settings page

  • Single Authentication Method: Users can only authenticate via either SSO or email authentication, not both

Next Steps

After successful integration:

  1. Train Users: Provide guidance on accessing Fiddler through Okta SSO

  2. Configure Teams: Set up Fiddler teams to match your organizational structure

  3. Test Group Sync: Verify automatic group synchronization is working as expected

  4. Monitor Usage: Review authentication logs and user access patterns

