
# Configure SSO authentication with Okta

Use Okta with Devolutions Cloud for single sign-on (SSO) authentication by following the steps on this page. First, see the requirements and supported features below.

{% hint style="info" %}
Even with a configured SSO, accessing sensitive data still requires entering a password, answering a push notification, scanning a QR code, or fulfilling any other confirmation prompt deemed necessary to respect the zero-knowledge principle. Installing [Devolutions' encryption service](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/authentication/encryption-service/) allows you to circumvent this measure.
{% endhint %}

### Requirements

To use SSO or automatic provisioning (SCIM) with Okta, an [Okta account](https://www.okta.com/) with the appropriate rights is required. The Domain validation procedure (see below) must also be completed to verify ownership of the configured domain(s). Only users with emails whose domains have been verified are allowed to log in via SSO or be provisioned via SCIM.

### Supported features

* Connect to the Devolutions Cloud instance via Okta SSO
* Just-in-time (JIT) provisioning of connected users via Okta SSO
* Synchronize your Okta to Devolutions Cloud
  * Create/update users from Okta to Devolutions Cloud (create users, update user attributes, and deactivate users)
  * Create/update groups from Okta to Devolutions Cloud (group push)

{% hint style="warning" %}
Users provisioned JIT by SSO or created by SCIM synchronization must be invited to Devolutions Cloud in ***Administration – Users***, as described in the steps below.
{% endhint %}

### Configuration steps

Here are the steps to validate the domain, configure single sign-on, and perform user provisioning.

#### Domain verification

**In Devolutions Cloud**

1. Go to ***Administration – Authentication – Domain***, then click on ***Add Domain***.

   ![](https://cdnweb.devolutions.net/docs/HUBB2000_2024_1.png)
2. Fill in the domain, then click on the checkmark to start the verification process.

   ![](https://cdnweb.devolutions.net/docs/HUBB2001_2024_1.png)

{% hint style="info" %}
For security purposes, only emails that end with your domain name are allowed to log in to Devolutions Cloud using Okta authentication. For example, if employees' emails are in the format "bob@windjammer.co", the domain is "windjammer.co".
{% endhint %}

3. To have multiple domains, click ***Add domain*** once again, fill in your other domain, then click on the checkmark. Repeat this process for every domain you wish to add.

   ![](https://cdnweb.devolutions.net/docs/HUBB2002_2024_1.png)
4. Create a [DNS TXT Record](https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) using the provided ***Host name*** and ***TXT value***. This allows us to verify the ownership of the domain(s) supplied.

   ![](https://cdnweb.devolutions.net/docs/HUBB2003_2024_1.png)

   It is recommended to verify that the configuration is adequate using DNS querying tools such as [MXToolBox](https://mxtoolbox.com/SuperTool.aspx) or [whatsmydns.net](https://www.whatsmydns.net/). The example below uses MXToolBox's TXT Lookup tool. The first part of the Domain Name must match the ***Host name*** in Devolutions Cloud and the Record must match the ***TXT value*** in Devolutions Cloud as well.

{% hint style="warning" %}
TXT DNS Records can take a while to propagate. Once the domain is verified, there is no need to keep the TXT DNS record.
{% endhint %}

![](https://cdnweb.devolutions.net/docs/docs_en_hub_Hub2236.png)

5. Await domain verification. Upon successful verification, a checkmark within a green circle will display next to the domain. Single sign-on (SSO) can be configured while the verification is in progress; however, user provisioning becomes accessible only after the domain has been verified.

   ![](https://cdnweb.devolutions.net/docs/HUBB2004_2024_1.png)

{% hint style="warning" %}
This validation lasts for 48 hours and does not restart automatically after that period. If the TXT record is not configured within those 48 hours, the validation status will be ***Expired***. If that happens, click on ***Retry***.

If issues occur while trying to verify the domain, visit our [Domain validation troubleshooting](https://docs.devolutions.net/cloud/kb/troubleshooting-articles/domain-validation-troubleshooting/) guide.
{% endhint %}
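The TXT record check recommended in step 4 can also be run from a terminal. The following is an added example, not part of Devolutions' documentation: it assumes `dig` is installed, the function names are hypothetical, and the record name and TXT value are placeholders to replace with the ***Host name*** (followed by the domain) and ***TXT value*** shown in Devolutions Cloud.

```bash
#!/usr/bin/env bash
# Added example: compare the TXT record published in DNS with the value
# shown in Devolutions Cloud. All names and values here are placeholders.

# Constructed sample of `dig +short TXT` output: one record per line, and a
# long value split by DNS into several quoted strings on the same line.
SAMPLE_ANSWER='"v=spf1 -all"
"constructed-part-one-" "part-two"'

# normalize_txt: read `dig +short TXT` output on stdin and print each record
# as a single unquoted string (multi-string records are joined).
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_matches EXPECTED: succeed only if one record on stdin equals EXPECTED
# exactly (fixed-string, whole-line match, so partial values do not pass).
txt_matches() {
  normalize_txt | grep -Fxq -- "$1"
}

# check_domain_txt RECORD_NAME TXT_VALUE [RESOLVER]
# RECORD_NAME is the full name to query; RESOLVER is optional and lets you
# ask a specific DNS server while the record is still propagating.
check_domain_txt() {
  local name="$1" expected="$2" resolver="${3:-}" answer
  answer=$(dig +short TXT "$name" ${resolver:+@"$resolver"}) || return 2
  if [ -z "$answer" ]; then
    echo "No TXT record at $name (not created, or not propagated yet)" >&2
    return 1
  fi
  if printf '%s\n' "$answer" | txt_matches "$expected"; then
    echo "OK: $name carries the expected TXT value"
  else
    echo "MISMATCH at $name; records found:" >&2
    printf '%s\n' "$answer" | normalize_txt >&2
    return 1
  fi
}

# Usage (placeholders):
#   check_domain_txt "<host-name>.<your-domain>" "<txt-value>"
```

A mismatch prints the records actually published, which makes a truncated or mistyped value easy to spot before the 48-hour validation window expires.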

#### Single sign-on (SSO) configuration

1. Go to ***Administration – Authentication – Single sign-on (SSO)***, then click on ***Okta single sign-on (SSO)*** to be redirected to the configuration page.
2. ***Name*** the SSO configuration. This name will only appear in the Devolutions Cloud SSO settings menu. The default name is "Okta".

{% hint style="warning" %}
Do not close this setup page, as the following steps show where to find the information to enter in its fields.
{% endhint %}

**In Okta**

3. Log in to the Okta account.
4. In ***Applications***, click ***Browse App Catalog***.

   ![](https://cdnweb.devolutions.net/docs/INTERFACE2055.png)
5. Search for ***Devolutions Cloud***, then click on the application in the search results.
6. Click on ***Add Integration*** at the top.
7. In the ***Sign On*** tab, copy the ***Client ID***.

**In Devolutions Cloud**

8. Back on the ***Configure Single Sign-On (SSO)*** page, paste the ***Client ID*** from the last step in the field of the same name.

**In Okta**

9. Back in the ***Sign On*** tab, copy the ***Client secret***.

**In Devolutions Cloud**

10. Back on the ***Configure Single Sign-On (SSO)*** page, paste the ***Client secret*** from the last step in the ***Client secret Key*** field.
11. In ***Discovery URL***, enter the URL used to access Okta, without the "-admin" part.

{% hint style="warning" %}
Do not test the connection just yet, as users need to be assigned to the application first.
{% endhint %}

**In Okta**

12. In the ***Assignments*** tab, ensure each user used to test the configuration is assigned to the application. For more details, see Okta's own documentation on user management and application assignment.

**In Devolutions Cloud**

13. Test the configuration in Devolutions Cloud. A new window opens to connect you to Devolutions Cloud through Okta. When connected, a success message appears.

{% hint style="warning" %}
If the popup does not appear, the browser or a browser extension may be blocking it. Change the browser and/or extension settings. If it still does not work, deactivating/removing the extension or changing browser may also solve the problem.
{% endhint %}

14. Click ***Save*** in the ***Summary*** of the Okta SSO configuration.

    ![](https://cdnweb.devolutions.net/docs/docs_en_hub_Hub2340.png)

The SSO configuration is now complete. A green checkmark icon should now be visible next to the configuration, meaning that the SSO configuration through Okta is now enabled on Devolutions Cloud.

**Okta SSO login**

When logging in to Devolutions Cloud, click on ***Sign in with Okta***.

![](https://cdnweb.devolutions.net/docs/CLOUD2006_2024_3.png)

An Okta login page will open. Enter the Okta credentials and click ***Sign in***. Devolutions Cloud will then be accessible.

![](https://cdnweb.devolutions.net/docs/INTERFACE2059.png)

#### SCIM provisioning configuration

Synchronize users and user groups from providers to Devolutions Cloud by following the steps in this section. First see the list of supported features below.

{% hint style="warning" %}
Note that we only support synchronization in one direction, from Okta to Devolutions Cloud, specifically for users and groups. Synchronization from Devolutions Cloud to Okta is **not** supported.
{% endhint %}

**Supported features**

* Create users
* Update user attributes
* Deactivate users
* Group push

**Provisioning configuration steps**

**In Okta**

1. Go to the Devolutions Cloud application.
2. In the ***Provisioning*** tab, click ***Configure API Integration***.
3. Check the ***Enable API Integration*** box.

**In Devolutions Cloud**

4. Go to ***Administration – Authentication – Provisioning*** and enable SCIM provisioning.
5. Copy the ***Secret token*** by clicking on the ***Copy to clipboard*** icon next to it.

**In Okta**

6. Back in the ***Provisioning*** tab in Okta, paste the ***Secret token*** from the last step in the ***API Token*** field.
7. Click on ***Test API Credentials***. A success message should appear.

**In Devolutions Cloud**

8. Back in the ***Provisioning*** configuration in Devolutions Cloud, click on ***Activate synchronization***.

**In Okta**

9. ***Save*** the Okta provisioning configuration.
10. Still in the ***Provisioning*** tab, go to the ***To App*** settings, then click on ***Edit***.
11. Enable/disable the following settings:
    * Enable:
      * ***Create Users***
      * ***Update Attributes***
      * ***Deactivate Users***
    * Disable:
      * ***Set password when creating new users*** (under the ***Create Users*** setting)
12. ***Save*** the changes.

Synchronization from Okta to Devolutions Cloud is now configured.

{% hint style="info" %}
It is possible to assign users and groups to be synchronized. For more details, see Okta's own documentation on [assigning applications to users](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm) and [assigning an app integration to a group](https://help.okta.com/en-us/content/topics/provisioning/lcm/lcm-assign-app-groups.htm).
{% endhint %}

#### Q\&A

**Q: Why are users still receiving a password prompt after SSO sign-in?**

**A:** This prompt is related to the private key. When users connect, they are prompted to choose how the private key will be stored. If they choose password, they will need to enter it the first time they connect from a new browser or after clearing their browser cache.

**Q: Can this private key prompt be disabled?**

**A:** The only way to disable the private key prompt is by configuring your own encryption service. For more details, see the [following article](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/authentication/encryption-service/).

**Q: How can we add guest users to our Devolutions Cloud?**

**A:** If guest users are part of Okta, they can be added through the provisioning process. Once guest users no longer need access, simply remove them from the provisioning setup.

**Q: The client ID or secret supplied by your organization is invalid, please contact an administrator of your organization.**

**A:** This most likely means that the client secret has expired in Okta. The solution is to create a new secret and update it in the Devolutions Cloud SSO configuration.

**Q: If the option to force all users and administrators to sign in with SSO is enabled, what would happen if the SSO fails?**

**A:** If Force SSO is enabled for all users, they will lose access to Devolutions Cloud in case of a misconfiguration or downtime of the SSO provider. It is strongly recommended to inform all existing users in Devolutions Cloud about this new authentication method prior to activation. Alternatively, see [Disable Force SSO on all users in Devolutions Cloud using PowerShell](https://docs.devolutions.net/powershell/devolutions-cloud-powershell/disable-force-sso-on-all-users/) to temporarily disable the feature.

**Q: Can the UPN of a user be changed?**

**A:** Devolutions Cloud uses the UPN, not the email, to authenticate users in the database. Changing the UPN also changes information related to the user. Devolutions Cloud considers this a new user, requiring the invitation process to be repeated.

