
How To Set Up Custom Okta Application

Written by Jared
Updated over 2 weeks ago

Okta Single Sign-On (SSO) Setup for Kadence (Custom Okta App)

This guide explains how to configure Okta as an Identity Provider (IdP) for Kadence using OpenID Connect (OIDC).

By the end of this guide you will be able to:

  • Create a custom Okta application

  • Add the Okta integration in Kadence

  • Control which users can access Kadence

  • Test the SSO login flow

Estimated setup time:

5–10 minutes

Kadence Login Domain

Your Kadence environment uses a regional login domain.

Throughout this guide you will see the placeholder:

{KADENCE_LOGIN_DOMAIN}

Replace this with the login domain for your region.

Example:

EU → <https://login.onkadence.co>
US → <https://login.us.onkadence.co>

Prerequisites

Before starting, make sure you have:

  • Admin access to Okta Admin Console

  • Admin access to Kadence

  • An active Okta tenant

  • At least one test user in Okta

For testing we recommend using a private/incognito browser window.


Step 1 — Create a Custom Okta Application

Log in to the Okta Admin Console.

In the left navigation menu, go to:

Applications

Then click:

Applications

At the top right of the page, click:

Create App Integration

You will see the Create App Integration screen.

Select:

Sign-in method: OIDC – OpenID Connect
Application type: Web Application

Click:

Next

Step 2 — Configure the Okta Application

You will now see the New Web App Integration screen.


App Name

Enter a name for the application.

Example:

Kadence SSO

Grant Types

Under Grant type, enable:

  • Authorization Code

  • Refresh Token

Leave other settings as default.


Sign-in Redirect URL

Scroll to Login settings.

In Sign-in redirect URLs, add:

{KADENCE_LOGIN_DOMAIN}/sso/authenticate

Example:

EU → <https://login.onkadence.co/sso/authenticate>
US → <https://login.us.onkadence.co/sso/authenticate>

⚠ Important

Kadence uses a shared OAuth callback endpoint:

/sso/authenticate

This is not the Kadence login page.

If this URL is missing, Okta will return an error such as:

redirect_url must be a Login redirect URL

Sign-out Redirect URL (optional)

Under Sign-out redirect URLs, add:

{KADENCE_LOGIN_DOMAIN}

Step 3 — Choose How Users Access the Application

Scroll further down the page until you see:

Assignments

Here you decide how users are allowed to access the application.

There are two supported configurations.


Option 1 — Federation Broker Mode Enabled (Recommended)

This is the simplest and most common setup.

Where to find the setting

At the bottom of the application setup screen you will see:

Enable immediate access (Recommended)

This includes the option:

Enable immediate access with Federation Broker Mode

Configure the settings like this

Under Controlled access, select:

Allow everyone in your organization to access

Ensure the checkbox is enabled:

Enable immediate access with Federation Broker Mode

What this configuration does

With Federation Broker Mode enabled:

  • Okta acts only as the authentication provider

  • Users authenticate through Kadence

  • The Okta application does not require manual user assignment

After saving the application, open:

Applications → Kadence SSO → Assignments

You will see the message:

This app is implicitly assigned to users

This is expected behaviour.

Users can sign in as long as:

  • the user exists in Okta

  • the user satisfies the Okta sign-on policy

This option is recommended because it simplifies setup and scales better for large organisations.


Option 2 — Manual User Assignment

If you prefer to control exactly which users can access Kadence, you can disable Federation Broker Mode.

⚠ Note

Okta warns that disabling Federation Broker Mode may impact performance at scale, because Okta must evaluate application assignments during login.

Most organisations will not notice a difference, but large deployments may prefer to leave this enabled.


How to Disable Federation Broker Mode

After creating the application:

  1. Navigate to: Applications → Applications

  2. Click your Kadence SSO application.

  3. Open: General

  4. Click: Edit

  5. Locate: Enable immediate access with Federation Broker Mode

  6. Disable the checkbox.

  7. Click: Save

Step 4 — Copy Okta Credentials

Inside the Okta application open:

General

Scroll to:

Client Credentials

Copy the following values:

  • Client ID

  • Client Secret

You will also need your Okta Base URL.

Example:

<https://integrator-5977303.okta.com>

⚠ Use the base domain only.

Do not include:

/oauth2/default

Step 5 — Add the Okta Integration in Kadence

Log in to Kadence.

Navigate to:

Settings → Integrations → Single Sign-On

Select:

Okta

Enter the following values.

| Field | Value |
| --- | --- |
| Client ID | From Okta |
| Client Secret | From Okta |
| Base URL | Your Okta domain |
| Kadence SSO Alias | Example: okta |

Example configuration:

Base URL: <https://integrator-5977303.okta.com>
Alias: okta

Click:

Add

Step 6 — Kadence Login URL

Users start the login process from:

{KADENCE_LOGIN_DOMAIN}/en/login/sso

Example:

EU → <https://login.onkadence.co/en/login/sso>
US → <https://login.us.onkadence.co/en/login/sso>

Kadence will then redirect users to Okta for authentication.


Step 7 — Test the Login

Open a private/incognito browser window.

Visit:

{KADENCE_LOGIN_DOMAIN}/en/login/sso

Expected login flow:

User opens Kadence login page
↓
Kadence redirects user to Okta
↓
User enters Okta credentials
↓
Okta redirects back to Kadence
↓
User is logged in

Step 8 — Add Users in Okta

Users must exist in Okta before they can authenticate.

Navigate to:

Directory → People

Click:

Add Person

Example user:

Save the user.


Step 9 — Assign Users to the App (Only if Federation Broker Mode is Disabled)

If Federation Broker Mode is disabled, users must be assigned manually.

Navigate to:

Applications → Applications → Kadence SSO

Open:

Assignments

Click:

Assign → Assign to People

Select users and click Save.

If you instead see:

This app is implicitly assigned to users

manual assignment is not required.

Access is controlled through Okta sign-on policies.


Troubleshooting

redirect_url error

Ensure the Okta application contains:

{KADENCE_LOGIN_DOMAIN}/sso/authenticate

404 route not found

Ensure you are starting login from:

{KADENCE_LOGIN_DOMAIN}/en/login/sso

User cannot log in

Check:

  • the user exists in Okta

  • the user has a password set

  • the user is assigned to the application (if assignment is enabled)

  • MFA requirements are satisfied


Quick Reference

Okta App Type

OIDC → Web Application

Redirect URL

{KADENCE_LOGIN_DOMAIN}/sso/authenticate

Kadence Login URL

{KADENCE_LOGIN_DOMAIN}/en/login/sso



Common Okta SSO Errors and How to Fix Them

If users encounter issues during setup or login, the following table lists the most common errors and how to resolve them.

| Error Message | Cause | Solution |
| --- | --- | --- |
| redirect_uri must be a Login redirect URI | The OAuth redirect URL is missing or incorrect in the Okta app configuration. | Ensure the following redirect URI is added to the Okta application: https://login.onkadence.co/sso/authenticate |
| 404 Route not found | The incorrect Kadence login URL was used. | |
| User is not assigned to this application | The user has not been assigned to the Okta application (when manual assignment is enabled). | Assign the user via: Applications → Kadence SSO → Assignments → Assign to People |
| Cannot assign users / "This app is implicitly assigned to users" | Federation Broker Mode is enabled, which disables manual user assignment. | Either leave this enabled (recommended) or disable Enable immediate access with Federation Broker Mode in the Okta app settings if you want manual user assignment. |
| User login loops back to login page | The Okta base URL was entered incorrectly in Kadence. | Ensure the base URL is your Okta domain only, for example: https://your-company.okta.com |
| Invalid client or authentication error | The Client ID or Client Secret entered in Kadence does not match the Okta app configuration. | Copy the Client ID and Client Secret directly from the Okta application’s General tab and re-enter them in Kadence. |
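The redirect URI and Base URL mistakes listed above can be caught before the values are saved. The following pre-flight check is an added example, not part of Kadence or Okta; the function names are hypothetical, and it assumes the sign-in redirect URI is matched as an exact string.

```python
from urllib.parse import urlsplit

# Regional login domains and paths as given in this guide.
LOGIN_DOMAINS = {"EU": "https://login.onkadence.co",
                 "US": "https://login.us.onkadence.co"}
CALLBACK_PATH = "/sso/authenticate"
LOGIN_PAGE_PATH = "/en/login/sso"


def check_base_url(base_url):
    """Return problems with the Okta Base URL entered in Kadence ([] = OK)."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return ["Base URL must be an https:// URL with a host name"]
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return ["use the base domain only (no path such as /oauth2/default)"]
    return []


def check_redirect_uris(region, configured):
    """Return problems with the Okta app's sign-in redirect URIs ([] = OK)."""
    expected = LOGIN_DOMAINS[region] + CALLBACK_PATH
    if expected in configured:  # assumption: compared as exact strings
        return []
    other_regions = {d + CALLBACK_PATH for d in LOGIN_DOMAINS.values()}
    problems = [f"missing sign-in redirect URI {expected}"]
    for uri in configured:
        if uri.rstrip("/") == expected:
            problems.append(f"{uri}: remove the trailing slash")
        elif uri.endswith(LOGIN_PAGE_PATH):
            problems.append(f"{uri}: login page, not the callback endpoint")
        elif uri in other_regions:
            problems.append(f"{uri}: callback for a different region")
        elif uri.startswith("http://"):
            problems.append(f"{uri}: must use https")
    return problems


if __name__ == "__main__":
    # Constructed sample values, as an admin might have typed them.
    print(check_base_url("https://your-company.okta.com/oauth2/default"))
    print(check_redirect_uris("US", ["https://login.onkadence.co/sso/authenticate",
                                     "https://login.us.onkadence.co/en/login/sso"]))
```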


Visual Setup Guide (Okta Screens)

The screenshots below show what the Okta configuration screens should look like during setup.

Use these as checkpoints while configuring the integration.


1. Create App Integration

Navigate to:

Applications → Applications → Create App Integration

Select:

Sign-in method: OIDC – OpenID Connect
Application type: Web Application

Expected screen:

Create App Integration
--------------------------------
Sign-in method
  ○ OIDC - OpenID Connect

Application type
  ○ Web Application

Click Next.


2. Configure the Application

Enter the application name.

Example:

Kadence SSO

Enable the following grant types:

☑ Authorization Code
☑ Refresh Token

Your configuration should look similar to:

Application type: Web
Grant types:
  ☑ Authorization Code
  ☑ Refresh Token

3. Configure Redirect URLs

Under Login settings, add the redirect URL:

{KADENCE_LOGIN_DOMAIN}/sso/authenticate

Optional sign-out redirect URL:

{KADENCE_LOGIN_DOMAIN}

Your screen should look like:

Sign-in redirect URIs
--------------------------------
{KADENCE_LOGIN_DOMAIN}/sso/authenticate

Sign-out redirect URIs
--------------------------------
{KADENCE_LOGIN_DOMAIN}

4. Configure Access Settings

In the Assignments / Controlled Access section select:

Allow everyone in your organization to access

Example configuration:

Controlled access
  ● Allow everyone in your organization to access
  ○ Limit access to selected groups
  ○ Skip group assignment for now

5. Federation Broker Mode

You may see this option enabled:

Enable immediate access with Federation Broker Mode

This is expected.

If enabled, the application page will display:

This app is implicitly assigned to users

This means:

  • Users do not need to be manually assigned

  • Access is controlled via Okta sign-on policies


6. Locate Client Credentials

After saving the application, open the General tab.

Copy the following values:

  • Client ID

  • Client Secret

These will be entered in Kadence.

Your screen should show something similar to:

Client Credentials

Client ID
xxxxxxxxxxxxxxxxxxxx

Client Secret
xxxxxxxxxxxxxxxxxxxx

7. Verify the Assignments Tab

Open:

Applications → Kadence SSO → Assignments

You may see the message:

This app is implicitly assigned to users

This is expected when Federation Broker Mode is enabled.

If you want manual assignment instead:

Disable Federation Broker Mode

You will then see:

Assign → Assign to People

8. Test the Kadence Login Page

Open a private browser window.

Visit the Kadence SSO login page:

{KADENCE_LOGIN_DOMAIN}/en/login/sso

Expected flow:

Kadence login page
↓
Redirect to Okta
↓
User enters credentials
↓
Redirect back to Kadence
↓
User logged in

What a Successful Login Looks Like

Successful authentication will redirect the user to Kadence and create a session.

Authentication sequence:

Kadence → Okta → Kadence

Behind the scenes this uses:

OAuth 2.0 Authorization Code Flow

Helpful Tip

Always test SSO setup using:

Private / Incognito browser window

This prevents existing Okta sessions from interfering with testing.


Need Help?

For support, reach out to:
​📩 [email protected]

For more helpful articles see:
​📚 Kadence Help Center
