Enterprise Feature - SSO is available on superglue Enterprise plans. Contact
us to learn more.
- An Okta provider button appears on the login page.
- Users are provisioned just-in-time — their superglue account is created on first login, with no manual invitation step.
- Organization membership and roles are managed in superglue after the account exists.
Okta
Configuration
1. Create the Okta application
In the Okta admin console, create an OIDC - Web Application:- Sign-in redirect URI:
https://<your-superglue-domain>/api/auth/oauth2/callback/okta - Grant type: Authorization Code (PKCE is used automatically)
2. Set environment variables
| Variable | Required | Description |
|---|---|---|
AUTH_PROVIDERS | Yes | Include okta in the comma-separated provider list. |
OKTA_CLIENT_ID | Yes | OIDC application client ID. |
OKTA_CLIENT_SECRET | Yes | OIDC application client secret. |
OKTA_ISSUER | Yes | Your Okta org URL, e.g. https://your-domain.okta.com (the Org Authorization Server). |
Shared behavior
The following applies to Okta SSO deployments.Make SSO the only login method
To require everyone to sign in through SSO, enable only the SSO provider and disable email/password:AUTH_PROVIDERS appear on the login page.
Provisioning details
- Provider-driven login. The login page shows exactly the providers enabled in deployment config.
- Existing users are unaffected. Email, Google, and GitHub accounts continue to work when their providers remain enabled. Enabling Okta only adds a login option.