Skip to main content
Enterprise Feature - SSO is available on superglue Enterprise plans. Contact us to learn more.
superglue supports Single Sign-On through Okta OpenID Connect (OIDC). When SSO is enabled:
  • An Okta provider button appears on the login page.
  • Users are provisioned just-in-time — their superglue account is created on first login, with no manual invitation step.
  • Organization membership and roles are managed in superglue after the account exists.

Okta

Configuration

1. Create the Okta application

In the Okta admin console, create an OIDC - Web Application:
  • Sign-in redirect URI: https://<your-superglue-domain>/api/auth/oauth2/callback/okta
  • Grant type: Authorization Code (PKCE is used automatically)
Note the Client ID and Client Secret.

2. Set environment variables

VariableRequiredDescription
AUTH_PROVIDERSYesInclude okta in the comma-separated provider list.
OKTA_CLIENT_IDYesOIDC application client ID.
OKTA_CLIENT_SECRETYesOIDC application client secret.
OKTA_ISSUERYesYour Okta org URL, e.g. https://your-domain.okta.com (the Org Authorization Server).

Shared behavior

The following applies to Okta SSO deployments.

Make SSO the only login method

To require everyone to sign in through SSO, enable only the SSO provider and disable email/password:
AUTH_PROVIDERS=okta
OKTA_CLIENT_ID=...
OKTA_CLIENT_SECRET=...
OKTA_ISSUER=https://your-domain.okta.com
Only providers listed in AUTH_PROVIDERS appear on the login page.

Provisioning details

  • Provider-driven login. The login page shows exactly the providers enabled in deployment config.
  • Existing users are unaffected. Email, Google, and GitHub accounts continue to work when their providers remain enabled. Enabling Okta only adds a login option.

Deprovisioning

When a user is deactivated in your identity provider, it stops issuing tokens for them, so they can no longer sign in to superglue. Their existing superglue account and any active sessions are not automatically revoked — remove the user from Control Panel → Organization if you need to terminate access immediately.