---
title: Connect Okta | Keycard
description: Connect Okta as an identity provider for zone-level user authentication.
---

Caution

This tutorial configures sign-in for users of **your zone**: the people who use the application Keycard protects. If you are setting up SSO for **Keycard Console administrators** (your team signing into Console to manage Keycard), see [Single sign-on for Console](/admin/single-sign-on/index.md) instead.

In this tutorial, we will configure user authentication to occur through Okta. We will start by creating an application in your Okta [organization](https://developer.okta.com/docs/concepts/okta-organizations/). We will then configure Okta as a [provider](/concepts/providers/index.md) in your Keycard zone. This application and provider pair creates a connection that will allow users to sign in using Okta.

For illustrative purposes, the zone in this tutorial is named “Example”. Each zone also has a unique **Zone ID** that appears in the zone’s domain: `<zone-id>.keycard.cloud`. The Zone ID is distinct from the zone’s name. Throughout this tutorial, `<zone-id>` is a placeholder you will replace with the ID of your own zone.

## Create application in Okta

In the first phase of this tutorial, we will create an application in Okta. You’ll configure the application with the necessary settings to connect it to your zone.

1. In Okta Admin Console, select **Applications > Applications** in the navigation menu.

2. On the **Applications** page, click the **Create App Integration** button. A **Create a new app integration** wizard will appear.

   Select **OIDC - OpenID Connect** as the **Sign-in method**.

   We use OpenID Connect here because it is the more modern, widely standardized authentication protocol among the sign-in methods Okta offers.

   An **Application type** section will appear. Select **Web application**.

   Click the **Next** button. You will be directed to a **New Web App Integration** page.

3. The **New Web App Integration** page is where settings are configured.

   Under **General Settings**, enter “Example”, which is the name of your zone, as the **App integration name**.

   Tip

   **Finding your Zone ID:** In Keycard Console, click your zone name in the sidebar to open **Zone Settings**, then copy the **OAuth 2 Redirect URL**. It will be in the form `https://<zone-id>.keycard.cloud/oauth/2/redirect`. The URLs below should use *your* zone ID, not the literal string `<zone-id>` and not `example`.

   Scroll down to **Sign-in redirect URIs** and enter: `https://<zone-id>.keycard.cloud/oauth/2/redirect`

   Scroll down to **Sign-out redirect URIs** and enter `https://<zone-id>.keycard.cloud/openid/connect/redirect/logout`.

   Double-check that the domain in both URLs matches the domain of your zone, `<zone-id>.keycard.cloud`. Okta only redirects to URIs that match a registered entry exactly, so a wrong domain or a leftover placeholder will break sign-in.

   Scroll down to **Assignments**. For the **Controlled access** setting, select **Allow everyone in your organization to access**. An **Enable immediate access** setting will appear, which is enabled by default.

   Click the **Save** button.

You’ve successfully created an application in Okta. You should now be on the settings page for the new Example application. This application will allow users in your organization to sign in to your zone using their Okta account.

Remain on this page, as we will need to refer to the settings in the next phase.

## Create provider in Keycard

In the next phase of this tutorial, we will create a provider in Keycard. You’ll configure the provider with the necessary credentials to connect to your Okta organization.

It is recommended that you complete these steps in a new browser tab or window, as you’ll need to copy and paste settings between Okta Admin Console and Keycard Console.

1. In Keycard Console, select **Providers** in the navigation menu.

2. On the **Providers** page, click the **Add provider** button. A **Create provider** screen will appear.

   In the **Name** field, enter “Okta”.

   In the **Issuer URL** field, enter your Okta domain, prefixed with `https://` as the URL scheme. For example: `https://acme.okta.com`. You can [find](https://developer.okta.com/docs/guides/find-your-domain/main/) your domain by clicking your name in the top-right corner of Okta Admin Console. The domain appears in the menu.

   In the **Client ID** field, enter the Client ID that Okta assigned to the newly created Example application. This can be found on the settings page for the application in Okta Admin Console. It is easiest to copy and paste the Client ID from Okta Admin Console to Keycard Console.

   In the **Client Secret** field, enter the Client Secret that Okta generated for the Example application. This can be found on the same settings page. Notice that there is a list of Client Secrets, which should contain a single secret. It is easiest to copy and paste the secret from Okta Admin Console to Keycard Console.

You’ve just created a provider in Keycard that is connected to your Okta organization!
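Two settings in this tutorial are easy to get subtly wrong: the redirect URIs registered in Okta (which must match your zone's domain exactly) and the **Issuer URL** entered in Keycard (which must be the exact `issuer` value that Okta publishes in its OpenID Connect discovery document). The script below is an added pre-flight check, not part of Keycard or Okta; it runs offline against a hand-built sample discovery document shaped like a real `/.well-known/openid-configuration` response, and it assumes Keycard authenticates to Okta with the client secret (`client_secret_basic` or `client_secret_post`), which the tutorial implies but does not state.

```python
"""Offline pre-flight checks for the Okta <-> Keycard OIDC settings above.

Added example, not Keycard or Okta code. SAMPLE_DISCOVERY is a constructed
document in the shape of an OIDC discovery response; in practice you would
fetch discovery_url(issuer) from your Okta org and pass the JSON body here.
"""
import json
from urllib.parse import urlsplit

KEYCARD_ZONE_DOMAIN = "keycard.cloud"

# Constructed sample; the endpoint paths mirror the shape of an Okta org
# authorization server's discovery document, but nothing here was fetched.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://acme.okta.com",
    "authorization_endpoint": "https://acme.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://acme.okta.com/oauth2/v1/token",
    "jwks_uri": "https://acme.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})


def zone_redirect_uris(zone_id: str) -> dict:
    """Expected redirect URIs for a zone, using the paths given in the tutorial."""
    base = f"https://{zone_id}.{KEYCARD_ZONE_DOMAIN}"
    return {
        "sign_in": f"{base}/oauth/2/redirect",
        "sign_out": f"{base}/openid/connect/redirect/logout",
    }


def check_redirect_uris(zone_id: str, sign_in_uris: list, sign_out_uris: list) -> list:
    """Return a list of problems with the URIs registered in Okta (empty = OK)."""
    expected = zone_redirect_uris(zone_id)
    zone_host = f"{zone_id}.{KEYCARD_ZONE_DOMAIN}"
    problems = []
    for kind, configured in (("sign_in", sign_in_uris), ("sign_out", sign_out_uris)):
        for uri in configured:
            if "<" in uri or ">" in uri:
                problems.append(f"{kind}: placeholder left in {uri!r}")
                continue
            parts = urlsplit(uri)
            if parts.scheme != "https" or (parts.hostname or "") != zone_host:
                problems.append(f"{kind}: {uri!r} is not https on host {zone_host!r}")
        # Okta matches redirect URIs exactly, so the precise string must be present.
        if expected[kind] not in configured:
            problems.append(f"{kind}: exact URI {expected[kind]!r} is not registered")
    return problems


def discovery_url(issuer_url: str) -> str:
    """Where the OIDC discovery document for an issuer is published."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(issuer_url: str, discovery_json: str) -> list:
    """Validate the Issuer URL against the discovery document it should describe."""
    problems = []
    parts = urlsplit(issuer_url)
    if parts.scheme != "https":
        problems.append(f"issuer scheme is {parts.scheme!r}; must be https")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query string or fragment")
    if issuer_url.endswith("/"):
        problems.append("issuer must not end with a trailing slash")
    doc = json.loads(discovery_json)
    # OIDC discovery requires the published issuer to be identical to the URL
    # the client configured; any difference will fail ID token validation.
    if doc.get("issuer") != issuer_url:
        problems.append(f"discovery issuer {doc.get('issuer')!r} != configured {issuer_url!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("issuer does not support response_type=code")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("issuer does not support the authorization_code grant")
    # Assumption: Keycard presents the client secret at the token endpoint.
    methods = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not methods & {"client_secret_basic", "client_secret_post"}:
        problems.append("issuer does not accept client-secret authentication")
    return problems


if __name__ == "__main__":
    zone = "abc123"  # constructed zone ID, replace with your own
    uris = zone_redirect_uris(zone)
    print(check_redirect_uris(zone, [uris["sign_in"]], [uris["sign_out"]]))
    print(discovery_url("https://acme.okta.com"))
    print(check_issuer("https://acme.okta.com", SAMPLE_DISCOVERY))
    print(check_issuer("https://acme.okta.com/", SAMPLE_DISCOVERY))
```

Run it with your real zone ID and the discovery JSON from your Okta domain; an empty list from each check means the strings you pasted into Okta and Keycard agree with each other. The trailing-slash case is listed separately because it is the most common way the configured issuer and the published issuer end up differing by one character.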

## Use Okta for sign in

In the final phase of this tutorial, we will configure user authentication to occur through Okta.

1. In Keycard Console, select **Zone Settings** in the navigation menu.

2. On the **Zone settings** page, scroll down to the **Zone sign in configuration** settings.

   Toggle **Use an external Identity Provider** to on. In the **Identity Providers** drop-down list, select “Okta”.

   Click the **Save Changes** button.

You have just configured your zone to authenticate users through Okta! Now, whenever an employee in your company attempts to access an application or resource protected by Keycard, they’ll sign in using their Okta account.
