Configure OIDC SSO with Okta for your organization¶
From version 1.42, Lightrun supports Single Sign-On (SSO) with Okta as your identity provider (IdP), using an OIDC (OpenID Connect) app integration in Okta.
With OIDC, Lightrun functions as the service provider and receives authentication information from Okta, which acts as the external identity provider. When SSO is enabled, Lightrun delegates authentication requests to the customer's IdP and grants users access to Lightrun in accordance with the IdP's response.
Once you have set up your SSO with OIDC, proceed to create your Lightrun users in the User Management page.
The process of setting up SSO involves these main stages:
- Setting up the Lightrun-OIDC integration in Okta.
- Configuring and enabling SSO in the Lightrun Management Portal.
Set up the Lightrun OIDC integration in Okta¶
Step 1: Get Lightrun's Redirection URL¶
- Log in to your Lightrun account.
- Click Settings on the top right-hand side of the menu bar.
- Set OIDC as your SSO Protocol based on your version:
    - For version 1.54 and higher:
        - Navigate to the Identity Configuration > Login Method tab.
        - From the list, select Single sign-on (SSO).
        - Select OIDC as your SSO protocol.
    - For version 1.53 and earlier:
        - Navigate to Identity and Access Management > Identity Configuration > Provisioning.
        - Click the SSO toggle to enable SSO.
        - Select OIDC as your SSO Protocol.
- From the Service Provider's Redirect URL field, click Copy.
  This value serves as the redirect URL when you configure the identity provider. Note that at this point SSO with OIDC is not yet enabled in Lightrun; it is activated in the next steps.
Step 2: Set up a Lightrun Application in Okta¶
- Create a new application for Lightrun in Okta.
    a. Navigate to Connections > Applications and click the Create App Integration tab to create a new OIDC Application type.
    b. Under the Sign-in method, select OIDC - OpenID Connect.
    c. Under Application type, select Web Application.
    d. Click Next.
  The New Web App Integration page opens.
- In the Sign-in redirect URIs field, paste the Service Provider's Redirect URL you copied from the Lightrun SSO settings in the previous step.
- Click Save.
Step 3: Get Okta’s Identity Provider’s parameters¶
- Access the Okta management portal, select the Lightrun application you created in Step 2, and go to General > Client Credentials.
- From the Client ID field, copy the value to be pasted in the Lightrun Management Portal.
- In the Client Authentication field, select Client secret.
- Under CLIENT SECRETS, click Generate new secret and copy the secret to be pasted in the Lightrun Management Portal.
Proceed to configure the Lightrun OIDC settings in the Lightrun Management Portal.
Step 4: Set up SSO OIDC using Okta in Lightrun¶
- Log in to your Lightrun account.
- Click Settings on the top right-hand side of the menu bar.
- Set OIDC as your SSO Protocol based on your version:
    - For version 1.54 and higher:
        - Navigate to the Identity Configuration > Login Method tab.
        - From the list, select Single Sign-On (SSO).
        - Select OIDC as your SSO protocol.
    - For version 1.53 and earlier:
        - Navigate to Identity and Access Management > Identity Configuration > Provisioning.
        - Click the SSO toggle to enable SSO.
        - Select OIDC as your SSO Protocol.
- Paste the values you copied from Okta into the following fields.
    - Identity Provider's Client ID: The unique identifier assigned to Lightrun by Okta.
    - Identity Provider's Client Secret: The secret key assigned to Lightrun by Okta for the OIDC authentication.
- Provide the Identity Provider's additional parameters.
  Choose one of the following methods:
    - Select the Import additional parameters from Discovery URL option.
      Enter the following URL, where <CUSTOMER_NAME_HERE> is the domain name of your Okta setup:
      https://<CUSTOMER_NAME_HERE>.okta.com/.well-known/openid-configuration
    - [Supported from version 1.61] Select the Import additional parameters from JSON file option.
      If your identity provider does not support discovery URLs, you can create a JSON file that includes all necessary parameters and upload it to the SSO OIDC settings page.
      a. Open a text editor (e.g., Notepad, VS Code).
      b. Copy and paste the JSON structure shown below.
      Example JSON format:
```json
{
  "useJwksUrl": "true",
  "jwksUrl": "https://your-idp.com/.well-known/jwks.json",
  "authorizationUrl": "https://your-idp.com/oauth2/authorize",
  "tokenUrl": "https://your-idp.com/oauth2/token",
  "userInfoUrl": "https://your-idp.com/oauth2/userinfo",
  "logoutUrl": "https://your-idp.com/logout",
  "issuer": "https://your-idp.com",
  "defaultScope": "openid email profile"
}
```
Your JSON must include the following parameters:

| Parameter | Description |
|---|---|
| useJwksUrl | Indicates whether to use the JWKS URL for verifying tokens. Set to "true" to enable. |
| jwksUrl | The URL to the JSON Web Key Set used to validate ID tokens. |
| authorizationUrl | The URL used to initiate the login flow. |
| tokenUrl | The URL used to exchange the authorization code for an access token. |
| userInfoUrl | The URL to retrieve user profile information using the access token. |
| logoutUrl | The URL to redirect users for logging out of the identity provider. |
| issuer | The expected iss (issuer) claim in tokens. Must match what the identity provider issues. |
| defaultScope | List of scopes requested during login. Typically includes openid, email, and profile. |

      c. Replace each placeholder (e.g., <your-issuer-url>) with actual values from your identity provider (such as Okta).
      d. Click Upload.
- Click Save.
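
A pre-upload check for the JSON file described in Step 4, as an added example that is not Lightrun's or Okta's own code. It maps standard OIDC discovery metadata onto the parameter names listed above (the mapping and the sample IdP at idp.example.com are assumptions) and flags missing parameters, non-HTTPS endpoints, endpoints hosted away from the issuer, and a scope list without openid.

```python
import json
from urllib.parse import urlparse

# Parameter names are the ones the page lists as required in the JSON file.
URL_KEYS = ["jwksUrl", "authorizationUrl", "tokenUrl", "userInfoUrl", "logoutUrl", "issuer"]
REQUIRED = ["useJwksUrl", "defaultScope"] + URL_KEYS

# Assumed mapping from standard OIDC discovery metadata to those parameters.
DISCOVERY_MAP = {
    "jwks_uri": "jwksUrl",
    "authorization_endpoint": "authorizationUrl",
    "token_endpoint": "tokenUrl",
    "userinfo_endpoint": "userInfoUrl",
    "end_session_endpoint": "logoutUrl",
    "issuer": "issuer",
}

# Constructed sample metadata for a placeholder IdP (not a real tenant).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
    "end_session_endpoint": "https://idp.example.com/oauth2/v1/logout",
}

def from_discovery(doc, scope="openid email profile"):
    """Build the upload JSON from an already-fetched discovery document."""
    cfg = {"useJwksUrl": "true", "defaultScope": scope}
    cfg.update({dst: doc[src] for src, dst in DISCOVERY_MAP.items() if src in doc})
    return cfg

def check_config(cfg):
    """Return a list of findings; an empty list means these checks passed."""
    findings = [f"missing parameter: {k}" for k in REQUIRED if not cfg.get(k)]
    issuer_host = urlparse(cfg.get("issuer", "")).hostname
    for key in (k for k in URL_KEYS if cfg.get(k)):
        url = urlparse(cfg[key])
        if url.scheme != "https":
            findings.append(f"{key} is not an https URL")
        elif url.hostname != issuer_host:  # some IdPs split hosts: review, not an error
            findings.append(f"review: {key} host differs from issuer host")
    if "openid" not in cfg.get("defaultScope", "").split():
        findings.append("defaultScope lacks 'openid'")
    return findings

if __name__ == "__main__":
    print(json.dumps(from_discovery(SAMPLE_DISCOVERY), indent=2))
```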
Download a Lightrun OIDC-config JSON file¶
- Log in to your Lightrun account.
- Click Settings on the top right-hand side of the menu bar.
- Navigate to the Identity Configuration > Login Method tab.
- From the list, select Single Sign-On (SSO).
- Select OIDC as your SSO protocol.
- Under the Import additional parameters from JSON file field, click the download icon.