Okta SSO configuration for MCP
This guide explains how to configure Okta as your Single Sign-On (SSO) provider for the Cequence AI Gateway using OAuth 2.0 authentication. You'll learn how to create an Okta application and integrate it with the Cequence AI Gateway.
Configuration scope and reusability
Single application, multiple MCP servers: You need to create only one Okta application that can authenticate users across all your MCP servers. The same client ID and secret can be reused for multiple MCP servers within your organization, simplifying management and reducing configuration overhead.
When to create separate applications: Consider creating separate Okta applications only if you need different access controls, user assignments, or security policies for different groups of MCP servers.
Prerequisites
Before starting, ensure you have:
- Okta admin console access with application management permissions
- Your application's redirect URI:
https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
- Basic understanding of OAuth 2.0 and OpenID Connect
Create your Okta application in the Cequence AI Gateway
Creating an Okta application establishes the OAuth 2.0 connection between your identity provider and the Cequence AI Gateway. This process involves three main steps: accessing the admin console, creating the integration, and selecting the appropriate method for web-based authentication.
Access the Okta admin console
- Navigate to your Okta domain:
https://[your-domain].okta.com
- Click Admin in the top right corner
- Sign in with your administrator credentials
Create the Okta application integration
- In the Okta Admin Console, select Applications from the left sidebar
- Click Applications in the submenu
- Click Create App Integration
Select integration method
- Choose OIDC - OpenID Connect for OAuth 2.0 integration
- Select Web Application as your application type
- Click Next
Configure the Okta application settings
Application settings define how your Okta integration behaves and what permissions the integration requires. In this step you'll configure the following elements:
- Basic information
- Grant types for OAuth flows
- Redirect URIs for authentication callbacks
- Initial user access controls
Basic information
Configure these required settings:
Setting | Value | Notes |
---|---|---|
App integration name | Cequence AI Gateway | Use a descriptive name for your organization |
App logo | Upload your logo (optional) | PNG or JPG format |
Grant types
Select these grant types:
- Authorization Code (required for OAuth 2.0)
- Refresh Token (recommended for session management)
Redirect URIs
Add the Cequence AI Gateway callback URL.
https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback
Important considerations:
- The URL must match exactly, including protocol and path
- No trailing slashes unless required
- Multiple URLs can be added for different environments
User assignments
Choose your access control approach:
- Controlled access: Assign specific users or groups (recommended for production)
- Allow everyone in your organization: All users can access
- Skip group assignment for now: Configure later
Click Save to create the application.
Get the Okta application credentials
After creating your application, Okta generates the credentials and endpoints needed to configure your MCP servers. You'll need to collect the client credentials, note the OAuth 2.0 endpoint URLs, and verify that required scopes are available for user authentication.
Client information
Field | Purpose | Action |
---|---|---|
Client ID | Public identifier | Copy for MCP server configuration |
Client Secret | Private authentication key | Store securely |
Security note: Never expose your client secret in client-side code or version control. Store it securely in your server configuration.
OAuth 2.0 endpoints
Your Okta endpoints follow this format:
Endpoint | URL |
---|---|
Authorization URL | https://[your-domain].okta.com/oauth2/default/v1/authorize |
Token URL | https://[your-domain].okta.com/oauth2/default/v1/token |
Confirm required scopes
Your Okta application requires these scopes to access authentication information. Typically a new Okta application, like the one created in this procedure, has those scopes set by default. Confirm that your application has these scopes granted before you continue.
- In your Okta application, go to the Okta API Scopes tab
- Confirm these scopes are granted:
openid
email
profile
- If any are missing, click Grant next to each required scope
Assign users and groups
User and group assignments in Okta determine who can authenticate through your application to access MCP servers. Perform these actions on the Okta Admin Console. Without proper assignments, users will receive authentication errors when attempting to access MCP servers, even if those servers are visible in the AI Gateway dashboard.
Assign individual users
- Navigate to the Assignments tab in your application
- Click Assign → Assign to People
- Search for users by name or email
- Click Assign next to each user
- Configure user-specific settings if needed
- Click Save and Go Back, then Done
Assign groups
- Click Assign → Assign to Groups
- Select the appropriate groups
- Click Assign for each group
- Click Done
Configure MCP servers
Use the Okta credentials to configure authentication across all your MCP servers that need SSO access.
OAuth 2.0 configuration
The Cequence AI Gateway wizard for creating a new MCP server or editing an existing MCP server includes an Authentication step. When the wizard is at the Authentication step, select OAuth 2.0 as the authentication type and click +Add New OAuth 2.0 Client Credentials to add a new OAuth token. Fill in the fields with the following information:
Parameter | Value |
---|---|
clientId | Your client ID |
clientSecret | Your client secret |
authorizationUrl | https://[your-domain].okta.com/oauth2/default/v1/authorize |
tokenUrl | https://[your-domain].okta.com/oauth2/default/v1/token |
redirectUri | https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback |
scopes | ["email", "profile", "openid"] |
Configuration reuse: The same client ID, client secret, and endpoint URLs can be used across multiple MCP servers, reducing complexity and maintenance overhead.
The Getting Started section provides complete information on creating MCP servers on the Cequence AI Gateway.
Test your configuration
Testing ensures your Okta integration works correctly before deploying to production. You'll verify the complete authentication flow and troubleshoot any common configuration issues that might prevent successful user authentication.
Verify the OAuth flow
- Initiate authentication from your MCP client
- Confirm redirection to Okta's login page
- Complete authentication
- Verify successful redirect to the callback URL
- Confirm the MCP server receives and processes the authorization code
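The five steps above are one run of the OAuth 2.0 authorization code flow. The following Python walk-through, added here as an example and not code from Cequence or Okta, drives that flow offline against a small in-memory stand-in for Okta's /authorize and /token endpoints, so you can see what each redirect and request carries and why a stale state value, a redirect URI that differs by even a trailing slash, a wrong secret, or a reused code is refused. The domain, client ID and secret are constructed placeholders; the PKCE code challenge is an assumed hardening on top of what the page configures.

```python
"""Offline walk-through of the authorization code flow behind the five
verification steps above, with an in-memory stand-in for Okta's
/authorize and /token endpoints.  Added example, not Cequence or Okta
code; domain, client ID and secret are constructed placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

OKTA_DOMAIN = "example-org.okta.com"               # constructed
CLIENT_ID = "0oa_example_client_id"                # constructed
CLIENT_SECRET = "example-client-secret-not-real"   # constructed
REDIRECT_URI = "https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback"
AUTHORIZE_URL = f"https://{OKTA_DOMAIN}/oauth2/default/v1/authorize"
TOKEN_URL = f"https://{OKTA_DOMAIN}/oauth2/default/v1/token"
SCOPES = ["openid", "email", "profile"]


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636); PKCE is an assumed hardening here."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(state: str, verifier: str) -> str:
    """Steps 1-2: the URL the user is sent to, i.e. Okta's login page."""
    params = {
        "client_id": CLIENT_ID, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "scope": " ".join(SCOPES),
        "state": state,                       # ties the callback to this request
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 4: validate the redirect to the callback URL and return the code."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback, reject it")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Step 5: form body POSTed to TOKEN_URL (client_secret_post style)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI,     # must equal the step-1 value exactly
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "code_verifier": verifier}


class FakeOkta:
    """Stand-in authorization server: just enough to show why a redirect
    URI mismatch, a wrong secret or a reused code is refused."""
    def __init__(self):
        self.issued = {}   # code -> (redirect_uri, code_challenge)

    def authorize(self, authorize_url: str) -> str:
        """Simulates a successful login; returns the redirect back to the callback."""
        q = parse_qs(urlsplit(authorize_url).query)
        code = secrets.token_urlsafe(16)
        self.issued[code] = (q["redirect_uri"][0], q["code_challenge"][0])
        return q["redirect_uri"][0] + "?" + urlencode(
            {"code": code, "state": q["state"][0]})

    def token(self, form: dict) -> dict:
        entry = self.issued.pop(form.get("code"), None)   # codes are single-use
        if entry is None:
            return {"error": "invalid_grant"}
        redirect_uri, challenge = entry
        if form.get("redirect_uri") != redirect_uri or \
                pkce_challenge(form.get("code_verifier", "")) != challenge:
            return {"error": "invalid_grant"}
        if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client"}
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": "constructed-access-token",
                "id_token": "constructed-id-token"}


def run_flow(server: FakeOkta) -> dict:
    """Drive the verification steps end to end against the stand-in."""
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    callback = server.authorize(build_authorize_url(state, verifier))
    code = parse_callback(callback, state)
    return server.token(build_token_request(code, verifier))


if __name__ == "__main__":
    print(run_flow(FakeOkta()))
```

Running the file prints the stand-in's token response. The gateway performs this exchange for you in production; the point of the stand-in is that the `redirect_uri` sent to the token endpoint is compared byte for byte with the one used at the authorize step, which is why the troubleshooting advice insists on an exact match.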
Common troubleshooting
Problem | Solution |
---|---|
Redirect URI mismatch | Verify the URI in Okta matches your MCP configuration exactly |
Invalid client credentials | Double-check that client ID and secret are copied correctly |
User not authorized | Review user and group assignments in Okta |
Scope errors | Confirm all required scopes are enabled |
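Most of the problems in the table above can be caught before the configuration is saved. The following Python checker, added here as an example and not part of the Cequence AI Gateway, takes a configuration shaped like the OAuth 2.0 parameter table (clientId, clientSecret, authorizationUrl, tokenUrl, redirectUri, scopes) and reports the common mistakes: a redirect URI that differs from the gateway callback by a trailing slash, letter case or scheme, missing openid/email/profile scopes, a secret with stray whitespace from copy-paste, and authorization and token URLs that point at different Okta domains or authorization servers. It accepts both the default server path and the custom-server path shown later on this page; the sample configurations are constructed.

```python
"""Static checks on an MCP server OAuth 2.0 configuration before it is
saved.  Added example, not part of the Cequence AI Gateway; the sample
configuration values are constructed."""
import re

CALLBACK = "https://auth.aigateway.cequence.ai/v1/outbound/oauth/callback"
REQUIRED_SCOPES = {"openid", "email", "profile"}
# Accepts the default server (/oauth2/default/...) and a custom one
# (/oauth2/<server-id>/...); the domain form follows the page's examples.
OKTA_ENDPOINT = re.compile(
    r"^https://(?P<domain>[A-Za-z0-9.-]+)/oauth2/(?P<server>[A-Za-z0-9]+)"
    r"/v1/(?P<op>authorize|token)$")


def check_config(cfg: dict) -> list:
    """Return a list of human-readable findings; an empty list means OK."""
    findings = []
    if not cfg.get("clientId"):
        findings.append("clientId is empty")
    secret = cfg.get("clientSecret", "")
    if not secret or secret.strip() != secret:
        findings.append("clientSecret is empty or has surrounding whitespace (copy-paste error)")

    # Okta compares the redirect URI exactly, so explain the kind of mismatch.
    uri = cfg.get("redirectUri", "")
    if uri != CALLBACK:
        if uri.rstrip("/") == CALLBACK:
            findings.append("redirectUri has a trailing slash; Okta compares the URI exactly")
        elif uri.lower() == CALLBACK.lower():
            findings.append("redirectUri differs from the callback only in letter case")
        elif uri.startswith("http://"):
            findings.append("redirectUri uses http, the gateway callback is https")
        else:
            findings.append(f"redirectUri {uri!r} does not match the gateway callback")

    missing = REQUIRED_SCOPES - set(cfg.get("scopes", []))
    if missing:
        findings.append("scopes missing: " + ", ".join(sorted(missing)))

    # Both endpoints must follow the Okta path format and name the same server.
    endpoints = {}
    for key, op in (("authorizationUrl", "authorize"), ("tokenUrl", "token")):
        m = OKTA_ENDPOINT.match(cfg.get(key, ""))
        if not m or m.group("op") != op:
            findings.append(f"{key} is not of the form https://<domain>/oauth2/<server>/v1/{op}")
            continue
        endpoints[key] = (m.group("domain"), m.group("server"))
    if len(endpoints) == 2 and endpoints["authorizationUrl"] != endpoints["tokenUrl"]:
        findings.append("authorizationUrl and tokenUrl point at different Okta domains or authorization servers")
    return findings


# Constructed sample configurations (no real tenant or credentials).
GOOD_CONFIG = {
    "clientId": "0oa_example_client_id",
    "clientSecret": "example-client-secret-not-real",
    "authorizationUrl": "https://example-org.okta.com/oauth2/default/v1/authorize",
    "tokenUrl": "https://example-org.okta.com/oauth2/default/v1/token",
    "redirectUri": CALLBACK,
    "scopes": ["email", "profile", "openid"],
}
BAD_CONFIG = {
    "clientId": "0oa_example_client_id",
    "clientSecret": "example-client-secret-not-real ",   # trailing space from copy-paste
    "authorizationUrl": "https://example-org.okta.com/oauth2/default/v1/authorize",
    "tokenUrl": "https://example-org.okta.com/oauth2/aus1example/v1/token",  # different server
    "redirectUri": CALLBACK + "/",                       # trailing slash
    "scopes": ["openid", "profile"],                     # email missing
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(cfg) or ["no findings"])
```

Run it on the values you are about to paste into the Authentication step; each finding maps to one row of the troubleshooting table, so a clean result rules out the configuration-side causes and leaves user and group assignment as the remaining thing to check.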
Security best practices
Implementing proper security measures protects your OAuth integration and user data. Security best practices focus on three key areas: managing credentials securely, controlling user access appropriately, and monitoring authentication activity for potential threats.
Credential management
- Rotate client secrets regularly
- Update all MCP servers when secrets change
- Use secure secret management tools
Access control
- Apply least privilege principles
- Use groups for easier user management
- Regularly review access assignments
Monitoring
- Enable Multi-Factor Authentication (MFA) in Okta
- Monitor Okta access logs
- Set up alerts for suspicious activities
- Review authentication patterns regularly
Advanced configuration
Advanced configuration options allow you to customize your Okta integration beyond the default settings. You can use custom authorization servers for specific organizational requirements or adjust token lifetimes to meet your security policies.
Custom authorization servers
When using a custom authorization server instead of the default one:
- Navigate to Security → API in the Okta Admin Console
- Select your custom authorization server
- Update your MCP configuration with the custom endpoints:
https://[your-domain].okta.com/oauth2/[server-id]/v1/authorize
https://[your-domain].okta.com/oauth2/[server-id]/v1/token
Token lifetime management
Adjust token lifetimes based on security requirements:
- Go to Security → API → Authorization Servers
- Select your authorization server
- Click the Access Policies tab
- Edit policy rules to modify token lifetimes
Additional resources
- Okta Developer Documentation
- OAuth 2.0 Specification
- OpenID Connect Specification
- Cequence AI Gateway Documentation
Next steps
After successful Okta SSO configuration:
- Test integration with representative users
- Configure additional Okta security policies
- Implement monitoring and alerting
- Document your configuration for team reference
- Consider automated user provisioning for larger deployments