Skip to content

Configure OIDC SSO with Okta for your organization

From version 1.42, Lightrun offers support for Single Sign-On (SSO) using Okta as your identity provider (IdP) by integrating Lightrun with OIDC (OpenID Connect protocol) integration in Okta.

Using OIDC, Lightrun functions as a service provider, receiving authentication information from Okta, acting as the external identity provider. When SSO is enabled, Lightrun delegates authentication requests to the customer's IdP and grants users access to Lightrun in accordance with the IdP's response.

Once you have set up your SSO with OIDC, proceed to create your Lightrun users in the User Management page.

The process of setting up SSO involves these main stages:

  • Setting up the Lightrun-OIDC integration in Okta.
  • Configuring and enabling SSO in the Lightrun Management Portal.

Set up the Lightrun OIDC integration in Okta

Step 1: Get Lightrun's Redirection URL

  1. Log in to your Lightrun account.
  2. Click Settings on the top right-hand side of menubar.
  3. Set OIDC as your SSO Protocol based on your version:

    • For version 1.54 and higher.
      1. Navigate to the Identity Configuration > Login Method tab.
      2. From the list, select Single sign-on (SSO).
      3. Select OIDC as your SSO protocol.

        SSO OIDC Settings

    • For version 1.53 and earlier.
      1. Navigate to the Identity and Access Management > Identity Configuration > Provisioning
      2. Click SSO toggle to enable SSO.
      3. Select OIDC as your SSO Protocol.
  4. From the Service Provider's Redirect URL field, click Copy.

    This field will serve as the redirect URL used when configuring the identity provider. Note that at this point, SSO is not enabled with OIDC in Lightrun and will be activated in the next steps.

Step 2: Set up a Lightrun Application in Okta

  1. Create a new application for Lightrun in Okta.

    a. Navigate to Connections > Applications and click the Create App Integration tab to create a new OIDC Application type.

    New OIDC App --half

    b. Under the Sign-in method, select OIDC - OpenID Connect.

    c. Under Application type, select Web Application.

    d. Click Next.

    The New Web App Integration page opens.

    Sign-in redirect URl --half

  2. In the Sign-in redirect URIs field, paste the Service Provider's Redirect URL you copied from the Lightrun SSO settings in the previous step.

  3. Click Save.

Step 3: Get Okta’s Identity Provider’s parameters

  1. Access the Okta management portal, select and go to the General > Client Credentials.

  2. From the Client ID, copy the value to be pasted in the Lightrun Management Portal.

  3. In the Client Authentication field, select Client secret.

    Sign-in redirect URL --half

  4. Under CLIENTS SECRETS, click Generate new secret and copy the secret to be pasted in the Lightrun Management Portal.

Proceed to configure the Lightrun OIDC settings in the Lightrun Management Portal.

Step 4: Set up SSO OIDC using Okta in Lightrun

  1. Log in to your Lightrun account.
  2. Click Settings on the top right-hand side of menubar.
  3. Set OIDC as your SSO Protocol based on your version:

    • For version 1.54 and higher.
      1. Navigate to the Identity Configuration > Login Method tab.
      2. From the list, select Single Sign-On (SSO).
      3. Select OIDC as your SSO protocol.
    • For version 1.53 and earlier.
      1. Navigate to the Identity and Access Management > Identity Configuration > Provisioning
      2. Click SSO toggle to enable SSO.
      3. Select OIDC as your SSO Protocol.
  4. Paste the values you copied from Okta into the following fields.

    • Identity Provider's Client ID: The unique identifier assigned to Lightrun by Okta.
    • Identity Provider’s Client Secret: The secret key assigned to Lightrun by Okta for the OIDC authentication.
  5. Provide the Identity Provider’s addiitional parameters.

    SSO OIDC Import Additional Parameters

    Choose one of the following methods:

    • Select the Import additional parameters from Discovery URL option.

      Enter the following URL, where <CUSTOMER_NAME_HERE> is the domain name of your Okta setup, as follows: https://<CUSTOMER_NAME_HERE>.okta.com/.well-known/openid-configuration.

    • [Supported from version 1.61] Select the Import additional parameters from JSON file option.

      If your identity provider does not support discovery URLs, you can create using a JSON file that includes all necessary parameters and upload it to the SSO OIDC settings page.

      a. Open a text editor (e.g., Notepad, VS Code).

      b. Copy and paste the JSON structure as displayed as follows.

       Example JSON format:
      
         {  
            "useJwksUrl": "true",
            "jwksUrl":"https://your-idp.com/.well-known/jwks.json",
            "authorizationUrl":"https://your-idp.com/oauth2/authorize",
            "tokenUrl": "https://your-idp.com/oauth2/token",
            "userInfoUrl": "https://your-idp.com/oauth2/userinfo",
            "logoutUrl": "https://your-idp.com/logout",
            "issuer": "https://your-idp.com", 
            "defaultScope": "openid email profile"
         }  
      

      Your JSON must include the following parameters:

      Parameter Description
      useJwksUrl Indicates whether to use the JWKS URL for verifying tokens. Set to "true" to enable.
      jwksUrl The URL to the JSON Web Key Set used to validate ID tokens.
      authorizationUrl The URL used to initiate the login flow.
      tokenUrl The URL used to exchange the authorization code for an access token.
      userInfoUrl The URL to retrieve user profile information using the access token.
      logoutUrl The URL to redirect users for logging out of the identity provider.
      issuer The expected iss (issuer) claim in tokens. Must match what the identity provider issues.
      defaultScope List of scopes requested during login. Typically includes openid, email, and profile.

      c. Replace each placeholder (e.g., <your-issuer-url>) with actual values from your identity provider (such as Okta).

      d. Click Upload.

  6. Click Save.

Download a Ligthrun OIDC-config JSON file

  1. Log in to your Lightrun account.
  2. Click Settings on the top right-hand side of the menu bar.
  3. Navigate to the Identity Configuration > Login Method tab.
  4. From the list, select Single Sign-On (SSO).
  5. Select OIDC as your SSO protocol.
  6. Under the Import additional parameters from JSON file field, click the download icon.

    download JSON field

Further reading


Last update: June 29, 2025