Single Sign-On with Okta
This page describes how to configure Okta as an IdP for use with CCC SSO. Complete the steps on this page after completing the main SSO configuration procedure described in Single Sign-On.
The configuration steps described in this document are indicative and may vary based on tenant-specific settings, security policies, and enabled features.
Prerequisites
Ensure the following prerequisites are met before starting:
- Active Okta account with admin access
- Permissions to create applications and manage users, groups, and attributes in Okta
- An operational CCC instance with an admin user
Configure Okta
Log in to the Okta Admin Console using your Okta administrator credentials.
From the Okta Admin Console, create the required user groups.
Navigate to Directory > Groups, click Add group, and create the ccc_user and ccc_admin groups.
Create an OIDC application in Okta.
Navigate to Applications, click Create App Integration, select OIDC as the sign-in method and Web Application as the application type, and click Next.
Configure the application settings by providing a meaningful application name, selecting the appropriate grant type (Authorization Code), selecting the previously created groups (ccc_user and ccc_admin), and leaving the Redirect URI blank (it will be generated during CCC configuration).
Save the application and open its details page.
Copy and securely store the Client ID and Client Secret.
These values are required during SSO configuration on the CCC side.
Assign users and applications to groups.
Navigate to Directory > Groups, and for each group assign the relevant users and assign the CCC application created earlier.
Assign groups and applications to users by navigating to Directory > People, opening each user profile, and verifying that the appropriate group (ccc_user or ccc_admin) and the CCC application are assigned.
Set the organization attribute for the Application Owner.
For the user acting as the Application Owner in CCC, open the user profile, click Edit, locate the Organization attribute, and set the organization value.
The organization value must match an existing organization in CCC.
Create an Authorization Server in Okta.
Navigate to Security > API, click Add Authorization Server, provide a meaningful name (for example, CCC Auth Server), and enter the application name created earlier as the audience.
Save the Authorization Server configuration.
Locate the OIDC Discovery URL by opening the Authorization Server and copying the Issuer Metadata URI.
Create an access policy for the Authorization Server.
Navigate to the Access Policies tab, click Add Policy, provide a name and description, and select the CCC application in the Assign to field.
Create a rule for the access policy.
Click Add Rule, provide a rule name, leave other settings as default, and save the rule.
Configure token claims by navigating to the Claims tab and adding the required role and organization claims, ensuring that both claims are included in the ID token.
Open the Token Preview in Okta.
Configure the token preview request by selecting the CCC application as the OIDC client, choosing Authorization Code as the grant type, selecting a user, setting the scopes to openid, email, and profile, and generating the token.
Verify the token claims by confirming that the role claim is returned as an array and the organization claim is returned as a string.
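The claim check in the last step can also be run offline against the ID token copied from the token preview. The following Python script is an added example, not part of the CCC or Okta documentation; it confirms that the role claim is an array and the organization claim is a string. The claim names role and organization and the sample values are assumptions, so pass the names you configured on the Claims tab.

```python
import base64
import json


def decode_payload(jwt: str) -> dict:
    """Decode the payload of a compact JWT. The signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(payload: dict, role_claim: str = "role",
                 org_claim: str = "organization") -> list:
    """Return a list of problems; an empty list means both shapes are right."""
    problems = []
    role = payload.get(role_claim)
    if role is None:
        problems.append(f"{role_claim}: missing from ID token")
    elif not isinstance(role, list):
        problems.append(f"{role_claim}: expected array, got {type(role).__name__}")
    elif not role or not all(isinstance(r, str) and r for r in role):
        problems.append(f"{role_claim}: array must hold non-empty strings")
    org = payload.get(org_claim)
    if org is None:
        problems.append(f"{org_claim}: missing from ID token")
    elif not isinstance(org, str):
        problems.append(f"{org_claim}: expected string, got {type(org).__name__}")
    elif not org.strip():
        problems.append(f"{org_claim}: empty string")
    return problems


def make_sample_token(payload: dict) -> str:
    """Build a constructed sample token (placeholder signature) for testing."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(payload), "c2ln"])


# Constructed samples: claim names and values are assumptions, not CCC defaults.
GOOD = make_sample_token({"sub": "user@example.com", "role": ["example-role"],
                          "organization": "example-org"})
BAD = make_sample_token({"sub": "user@example.com", "role": "example-role"})

if __name__ == "__main__":
    for name, token in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_claims(decode_payload(token)) or "ok")
```

A role claim returned as a single string, or an organization claim missing from the ID token, shows up here as a listed problem before any login is attempted against CCC.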
Configure CCC
Log in to CCC as an admin user and start the SSO configuration.
Navigate to Administration > Single Sign-On > Add SSO.
Enter the required SSO configuration values, including the SSO Display Name, Alias, Discovery URL, Client ID, Client Secret, Role Claim Name, and Organization Claim Name.
After entering the Discovery URL, click Connect to fetch and validate endpoint details.
Copy the generated redirect URI and update it in the Okta application settings.
Save the SSO configuration.
Click Add SSO to activate the configuration, then verify the SSO setup by confirming that the SSO entry appears in the SSO list and a new SSO login option appears on the CCC login screen.
With these steps complete, the Okta–CCC SSO integration is successfully configured. Users can now authenticate to CCC using Okta credentials.
If logout is not working as expected, configure the logout redirect URI in the Okta Admin Console by navigating to Applications > your OIDC application > General > Sign-out redirect URIs, and adding the logout redirect URI in the format {Sign-in redirect URL from CCC}/logout_response. Save the application after adding the URI; multiple logout redirect URIs can be configured if required.