Log in to your Okta account.
Navigate to Admin > Applications > Add Application > Create New App.
In Create a New Application Integration set these values and click Create:
Sign on method: OpenID Connect
In Create OpenID Connect Integration set these values and click Save:
Application name: The name of your kPow instance, e.g. 'kPow Staging'.
Login redirect URIs: The absolute kPow callback URI, e.g.
You will be redirected to the application's settings page.
Navigate to General Settings > Edit, and configure:
Initiate login URI: The absolute kPow login URI, e.g:
Optionally, if you would like Okta to appear in your organization's list of Okta apps:
Login initiated by: "Either Okta or App" selected.
"Display application icon to users" selected.
"Display application icon in the Okta Mobile app" selected.
Allowed grant types:
"Implicit (Hybrid)" selected.
"Allow ID Token with implicit grant type" selected.
"Allow Access Token with implicit grant type" selected.
Make note of the Client Credentials section that appears below.
Click Assignments and assign users to kPow.
Set the following environment variables and start kPow:
OKTA_ORGANISATION= the name of your Okta organization, e.g. mycorp
OPENID_CLIENT_ID= the Client ID found in Client Credentials.
OPENID_CLIENT_SECRET= the Client Secret found in Client Credentials.
OPENID_LANDING_URI= The absolute kPow URI, e.g:
kPow will now authenticate users with Okta (OpenID).
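A preflight check for the four variables listed above, added here as an example; it is not part of kPow or of the original guide. The function name check_kpow_okta_env is hypothetical, and treating a dot, slash or scheme in OKTA_ORGANISATION as a pasted hostname or URL is an assumption based on the "mycorp" example.

```shell
#!/bin/sh
# Added example: validate the Okta/OpenID environment before starting kPow.
# Values are never echoed, so the client secret does not end up in logs.
check_kpow_okta_env() {
    rc=0

    # All four variables named in this guide must be set and non-empty.
    for name in OKTA_ORGANISATION OPENID_CLIENT_ID \
                OPENID_CLIENT_SECRET OPENID_LANDING_URI; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing: $name" >&2
            rc=1
        fi
    done

    # The guide asks for the organization *name* (e.g. mycorp).
    # Assumption: a scheme, slash, dot or space means a URL/hostname was pasted.
    case "${OKTA_ORGANISATION:-}" in
        *://*|*/*|*.*|*[[:space:]]*)
            echo "OKTA_ORGANISATION: expected a bare name such as mycorp" >&2
            rc=1 ;;
    esac

    # The landing URI must be absolute (scheme plus host), not a path.
    case "${OPENID_LANDING_URI:-}" in
        "") ;;                          # already reported as missing
        http://?*|https://?*) ;;
        *)  echo "OPENID_LANDING_URI: expected an absolute URI" >&2
            rc=1 ;;
    esac

    # Whitespace inside a credential usually means a copy/paste error.
    for name in OPENID_CLIENT_ID OPENID_CLIENT_SECRET; do
        eval "value=\${$name:-}"
        case "$value" in
            *[[:space:]]*)
                echo "$name: contains whitespace" >&2
                rc=1 ;;
        esac
    done

    return $rc
}
# Usage: call `check_kpow_okta_env || exit 1` in the launch script before kPow starts.
```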
See the guide to Role Based Access Control for full configuration details.
When RBAC is enabled, kPow will request the groups scope to view the groups associated with an authenticated user. kPow treats Okta groups as roles in your RBAC configuration.
You will need to configure a relevant group claim filter for the kPow OpenID integration: