Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
Kong Logo | Kong Docs Logo
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong AI Gateway
      Multi-LLM AI Gateway for GenAI infrastructure
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      AI's icon
      AI
      Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • Dev Portal
  • Access And Approval
  • Configure Okta SSO for Dev Portal
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Kong AI Gateway
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • Introduction
    • Overview of Konnect
    • Architecture
    • Network Resiliency and Availability
    • Port and Network Requirements
    • Private Connections to Other Cloud Providers
      • Create a private connection with AWS PrivateLink
    • Geographic Regions
    • Centralized consumer management
    • Compatibility
    • Stages of Software Availability
    • Release Notes
    • Support
      • Control Plane Upgrades FAQ
      • Supported Installation Options
  • Get Started
    • Overview
    • Add your API
    • Migrating a Self-Managed Kong Gateway into Konnect
  • Gateway Manager
    • Overview
    • Dedicated Cloud Gateways
      • Overview
      • Provision a Dedicated Cloud Gateway
      • Securing Backend Traffic
      • Transit Gateways
      • Azure VNET Peering
      • Custom Domains
      • Custom Plugins
      • Data plane logs
    • Serverless Gateways
      • Overview
      • Provision a serverless Gateway
      • Securing Backend Traffic
      • Custom Domains
    • Data Plane Nodes
      • Installation Options
      • Upgrade a Data Plane Node
      • Verify a Data Plane Node
      • Secure Control Plane/Data Plane Communications
      • Renew Data Plane Certificates
      • Parameter Reference
      • Using Custom DP Labels
    • Control Plane Groups
      • Overview
      • Working with Control Plane Groups
      • Migrate Configuration into Control Plane Groups
      • Conflicts in Control Planes
    • Kong Gateway Configuration in Konnect
      • Overview
      • Manage Plugins
        • Overview
        • Adding Custom Plugins
        • Updating Custom Plugins
        • How to Create Custom Plugins
      • Create Consumer Groups
      • Secrets Management
        • Overview
        • Konnect Config Store
        • Set Up and Use a Vault in Konnect
      • Manage Control Plane Configuration with decK
    • Active Tracing
      • Overview
    • KIC Association
    • Backup and Restore
    • Version Compatibility
    • Troubleshooting
  • Mesh Manager
    • Overview
    • Create a mesh with the Kubernetes demo app
    • Federate a zone control plane to Konnect
    • Migrate a self-managed zone control plane to Konnect
  • Service Catalog
    • Overview
    • Integrations
      • Overview
      • Datadog
      • GitHub
      • GitLab
      • PagerDuty
      • SwaggerHub
      • Traceable
      • Slack
    • Scorecards
  • API Products
    • Overview
    • Product Documentation
    • Productize a Service
  • Dev Portal
    • Overview
    • Dev Portal Configuration Preparation
    • Create a Dev Portal
    • Sign Up for a Dev Portal Account
    • Publish an API to Dev Portal
    • Access and Approval
      • Manage Developer Access
      • Manage Developer Team Access
      • Add Developer Teams from IdPs
      • Manage Application Registrations
      • Configure generic SSO for Dev Portal
      • Configure Okta SSO for Dev Portal
    • Application Lifecycle
    • Register and create an application as a developer
    • Enable and Disable App Registration for API Product Versions
    • Dynamic Client Registration
      • Overview
      • Okta
      • Curity
      • Auth0
      • Azure
      • Custom IdP
    • Portal Management API Automation Guide
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Portal Customization
      • Overview
      • About Self-Hosted Dev Portal
      • Host your Dev Portal with Netlify
      • Custom Domains
    • Dev Portal SDK
    • Troubleshoot
  • Advanced Analytics
    • Overview
    • Dashboard
    • Explorer
    • Analyze API Usage and Performance with Reports
    • Requests
  • Org Management
    • Plans and Billing
    • Authentication and Authorization
      • Overview
      • Teams
        • Overview
        • Manage Teams
        • Teams Reference
        • Roles Reference
      • Manage Users
      • Manage System Accounts
      • Personal Access Tokens
      • Social Identity Login
      • Org Switcher
      • Configure Generic SSO
      • Configure Okta SSO
      • Login Sessions Reference
      • Troubleshoot
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Account and Org Deactivation
  • API
    • Overview
    • API Request API (Beta)
      • API Spec
    • API Products API
      • API Spec
    • Audit Logs API
      • API Spec
      • Audit Log Webhooks
    • Control Plane API
      • API Spec
    • Control Plane Configuration API
      • API Spec
    • Cloud Gateways API
      • API Spec
    • Identity API
      • API Spec
      • Identity Integration Guide
      • SSO Customization
    • Konnect Search API (Beta)
      • API Spec
    • Mesh Manager API
      • API Spec
      • Kong Mesh API Reference
    • Portal Client API
      • API Spec
    • Portal Management API
      • API Spec
    • Reference
      • Filtering
      • API Errors
  • Reference
    • Labels
    • Plugin Ordering Reference
    • Konnect Search
    • Terraform Provider
    • Audit Logs
    • Verify audit log signatures
    • IdP SAML attribute mapping
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Prerequisites
  • Configure an Okta Application
  • Set up Konnect
    • Configure Okta connection details
  • Debug and test the configuration
  • (Optional) Enable Kong Konnect Dev Portal as a dashboard app in Okta
Looking for the new Developer Portal beta docs? Try the beta now.

Configure Okta SSO for Dev Portal
Available with Kong Gateway Enterprise subscription - Contact Sales

You can set up single sign-on (SSO) access to Dev Portals through Okta using OpenID Connect or SAML. These authentication methods allow developers to log in to a Dev Portal using their Okta credentials without needing a separate Kong Konnect Dev Portal login.

This page provides specific instructions for configuring SSO with Okta. See Configure Generic SSO for general instructions on setting up SSO for other identity providers.

It is recommended to use a single authentication method, however, Konnect supports the ability to combine built-in authentication with either OIDC or SAML based SSO. Combining both OIDC and SAML based SSO is not supported. Keep built-in authentication enabled while you are testing IdP authentication and only disable it after successfully testing your SSO configuration.

Prerequisites

  • An Okta account with administrator access to configure Applications and Authorization Server settings.
  • A non-public Kong Konnect Dev Portal created in your Konnect organization.

Configure an Okta Application

OIDC
SAML
  1. From the Applications section of the Okta console, select Create App Integration and choose OIDC - OpenID Connect with Web Application for the Application type. Provide the following configuration details:
    • Grant type: Authorization Code

    Using the portal URL from the Dev Portal Overview page, provide the following configuration details substituting <portal-url> with your portal’s URL:

    • Sign-in redirect URIs: https://<portal-url>/login
    • Sign-out redirect URIs: https://<portal-url>/login
  2. Optional: If you want to map Okta group claims to Konnect Dev Portal Teams, modify the OpenID Connect ID Token claims in the Application->Sign On section of the Okta configuration, setting the following values:

    • Group claims type: Filter
    • Group claims filter: Enter groups for the claim name and enter Matches regex as the filter type and .* for the filter value.

    This claim specifies which user’s groups to include in the token, in this case the wildcard regex specifies that all groups will be included.

    If the authorization server is retrieving additional groups from third-party applications (for example, Google groups), the groups claim will not contain them. If it is desired to use these third-party groups, the Okta administrator will need to duplicate them directly in Okta or use a custom token to include them in the groups claim.

  3. Assign desired groups and users to the new Okta application.

  4. Locate the following values in the Okta console, which will be used later for the Konnect configuration.

    • Client ID: Located in your Application General -> Client Credentials settings.
    • Client Secret: Located in your Application General -> Client Secrets settings.
    • Issuer URI : The Issuer is typically found in the Security -> API -> Authorization Servers settings. It should look like the following: https://<okta-org-id>.okta.com/oauth2/default
  1. From the Applications section of the Okta console, select Create App Integration and choose SAML 2.0. Provide the following configuration details:
    • Give the application a name that signifies it is for Konnect SAML SSO.

    Using the portal URL from the Dev Portal Overview page, provide the following configuration details:

    • Single Sign-On URL: https://<portal-url>/api/v2/developer/authenticate/saml/acs

    • Audience URI (SP Entity ID): https://cloud.konghq.com/sp/SP_ID

  2. Optional: To include additional user attributes beyond authentication, add the following three attributes in the Attribute Statements:

    Name Name format Value
    firstName Unspecified user.firstName
    lastName Unspecified user.lastName
    email Unspecified user.email
  3. Optional: If you want to use group claims for Konnect developer team mappings, configure a groups attribute claim and fill in the following fields:

    Name Name format Filter Filter Value
    groups Unspecified Matches regex .*
  4. Generate a signing certificate to use in Konnect.

  5. Assign desired groups and users to the new Okta application.

Set up Konnect

Configure Okta connection details

OIDC
SAML
  1. Open your Konnect Dev Portal overview, and select the Dev Portal you want to configure for SSO. Choose Settings in the sidebar and then the Identity tab.

  2. Select the Configure option for OIDC.

  3. Insert your Issuer URI, Client ID and Client Secret in the OIDC configuration fields.

  4. Under Advanced Settings, specify the Scopes Konnect requests from Okta. The openid scope is required for OIDC authentication. The profile and email scopes are recommended so Konnect obtains the user’s name and email address in the token response.

  5. In the Claim Mappings section, set the values of each field to their appropriate token response field name. Use the Okta Token Preview feature to verify the response token field names will match what you enter in these mappings. The default values are as follows:

    • Name: name
    • Email: email
    • Groups: groups
  6. Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.

  7. Save the configuration and then select Enable OIDC.

  1. In a separate browser tab, open Konnect Dev Portal, click the Dev Portal you want to configure SSO for, click Settings in the sidebar and then click the Identity tab.

  2. Click Configure for SAML.

  3. In Okta, go to Sign On page in the Okta application created in the previous step and copy the IDP Metadata URL under the Settings section. It should look like: https://<okta-org-id>.okta.com/app/exkgzjkl0kUZB06Ky5d7/sso/saml/metadata

  4. Save this configuration, Konnect will generate two new values. A Single Sign-On URL and an Audience URI.

  5. In the Okta console, update the previous placeholder Single Sign-On URL and Audience URI (SP Entity ID) with the new values generated by Konnect.

  6. Optional: Map existing developer teams from Okta groups to Konnect Dev Portal teams.

  7. In Konnect, close the configuration dialog and click Enable SAML from the context menu.

Debug and test the configuration

The Okta console provides a Token Preview feature which will be useful in verifying configuration values for these SSO configuration instructions. If you encounter issues configuring SSO with Okta, start by checking the Token Preview for the Okta application you created.

  1. Test the SSO configuration by navigating to the portal URL for your Dev Portal. For example: https://{portalId}.{region}.portal.konghq.com/login.

    You will see the Okta sign in window if your configuration is set up correctly.

  2. Using an account that belongs to one of the groups you just mapped, log in with your Okta credentials.

    If a group-to-team mapping exists, the user is automatically provisioned with a Kong Konnect Dev Portal developer account with the relevant team membership.

  3. In Konnect Dev Portal, click the Dev Portal you configured SSO for and click Developers in the sidebar.

    You should see a list of users in this org, including a new entry for the user you used to log in.

(Optional) Enable Kong Konnect Dev Portal as a dashboard app in Okta

If you want your users to have easy access to Kong Konnect Dev Portal alongside their other apps, you can add it to your Okta dashboard.

In Okta, navigate to the General Settings of your application and configure the application icon for users as needed.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2025