---
title: OpenID Connect
description: Configuring OpenID Connect
documentId: access-control-openid-connect
locale: en-US
---

## Configuring an OpenID Connect connection

There are four steps to configure an **OpenID Connect** connection:

- [Create a federated login in Access Control](/docs/en/openid-connect#create-federated-login-acc)
- [Create an app in OKTA](/docs/en/openid-connect#create-app-okta)
- [Configure the federated login in Access Control](/docs/en/openid-connect#configure-federated-login-acc)
- [Create a user in OKTA](/docs/en/openid-connect#create-user-okta)

<Callout type="NOTE" title="NOTE">
- It is not possible to generate *Client Credentials* using federated logins.
- Each environment allows **only one** active federated login provider at a time.
  If there is already a provider with **Active** status, it will not be possible to activate or create another provider.
  To configure a new provider, first deactivate the active provider. Once the status has been changed, the creation or activation of another provider will be permitted.
</Callout>

<Callout type="WARNING" title="WARNING">
When you delete a federated login provider:

- Users **originally created as local users** in Access Control regain access via login and password, after a password reset.
- Users **created exclusively through federated login**, who were never local users, are permanently deleted, automatically and without prior notice. This data cannot be recovered after deletion.
</Callout>

Check out the step-by-step configuration below:

<a id="create-federated-login-acc"></a>
### Create a federated login in Access Control

<Steps>
<Step>
Access the **Federated Login** screen from the left menu.
</Step>

<Step>
Select the **OpenID** federated login type and click **CONFIGURE FEDERATED LOGIN**.
</Step>

<Step>
Copy the URL from the **Callback URL** field.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/openid_federated_login_99cea49188.png)
</Step>
</Steps>

<Callout type="IMPORTANT" title="IMPORTANT">
This is the URL to which the user is returned after authentication. It will be used later in the OKTA configuration.
</Callout>

<a id="create-app-okta"></a>
### Create an app in OKTA

<Steps>
<Step>
In a new tab, access [OKTA](https://login.okta.com/).
</Step>

<Step>
Create a new integration application.

To do this, access **Applications** and then **Create App Integration**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_create_app_integration_8ff20f9acb.png)
</Step>

<Step>
In the **Create a new app integration** modal window:

- In the **Sign-in method** section: select the **OIDC - OpenID Connect** option.
- In the **Application type** section: select **Web Application**.
- Click **NEXT**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_oidc_openid_connect_c9605853f4.png)
</Step>

<Step>
On the **New Web App Integration** screen:

- In the **General Settings** section: fill in the **App integration name** field with the desired name for your *app*.
- In **Sign-in Redirect URIs**, paste the *Callback URL* that you copied when creating the federated login in Access Control.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_new_web_integration_40bdf62f29.png)

- Scroll to the bottom of the page and, in the **Assignments** section, select **Allow everyone in your organization to access**.
- Click **SAVE**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_assignments_50695f85c6.png)
</Step>

<Step>
On the **My Web App** screen, in the **General** tab:

- Copy the **Client ID** and **Client secret** values and save them to use later.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_clientid_client_secret_df41afb7c2.png)
</Step>

<Step>
You will also need to obtain the **Issuer URI**.

To do this, in the left menu, access **Security** > **API**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_security_api_d19f56afb2.png)

On the **API** screen, copy the **Issuer URI** and save it to use later.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_issuer_uri_5c1e69a04f.png)
</Step>
</Steps>
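
A consistency check for the values collected so far, as an added example (not Sensedia's or OKTA's code): it validates a provider's discovery document against the Issuer URI and compares the Callback URL with the registered redirect URIs by exact match. The metadata, hosts and URLs are constructed placeholders, and the use of the authorization code flow is an assumption based on the Web Application type selected above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an OpenID Provider discovery document
# (placeholder host, not a real tenant).
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}""")

def discovery_url(issuer):
    """Where the provider publishes its metadata (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_issuer(issuer, metadata):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.hostname or parts.query or parts.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    # The spec requires an exact string match: no case folding, no trailing-slash tolerance.
    if metadata.get("issuer") != issuer:
        problems.append("issuer mismatch: metadata declares %r" % metadata.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(metadata.get(key, "")).scheme != "https":
            problems.append(key + " is missing or not https")
    # Assumption: a Web Application with a client secret uses the authorization code flow.
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("authorization code flow ('code') is not advertised")
    auth = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(auth):
        problems.append("no client-secret authentication method at the token endpoint")
    return problems

def check_callback(callback_url, registered_uris):
    """Exact-match check of the Callback URL against the Sign-in redirect URIs."""
    if callback_url in registered_uris:
        return []
    wanted = callback_url.rstrip("/").lower()
    near = [u for u in registered_uris if u.rstrip("/").lower() == wanted]
    hint = " (differs only by case or trailing slash from %r)" % near[0] if near else ""
    return ["callback URL is not registered" + hint]
```

To run it against a live tenant, fetch the JSON at `discovery_url(issuer)` and pass the parsed document to `check_issuer`.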

<a id="configure-federated-login-acc"></a>
### Configure the federated login in Access Control

<Steps>
<Step>
After creating the app in OKTA, return to Access Control and fill in the fields below with the obtained data:

- **Client ID**: value obtained in step 5 of **Create an app in OKTA**, on the **My Web App** screen.
- **Client secret**: value obtained in step 5 of **Create an app in OKTA**, on the **My Web App** screen.
- **Issuer**: value obtained in step 6 of **Create an app in OKTA**, on the **API** screen.
- **Role**: select the role you want to apply to federated users.

<Callout type="NOTE" title="NOTE">
If roles are configured on the identity provider side, they will prevail over this one.
</Callout>
</Step>

<Step>
Click **CREATE**.
</Step>

<Step>
Click **AGREE AND CONNECT**.

You will see a message confirming the creation of the federated login.
</Step>
</Steps>

<a id="create-user-okta"></a>
### Create a user in OKTA

<Steps>
<Step>
To create a user in OKTA, access **Directory** > **People** in the left menu.
</Step>

<Step>
Then click **Add person** at the top of the **People** screen.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_directory_people_add_person_5ba626455a.png)
</Step>

<Step>
In the **Add Person** modal, fill in the fields with user information and click **Save**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_add_person_630d9fb4f1.png)
</Step>

<Step>
You will see a screen with the registered users.

If the user doesn't appear, refresh the page.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_select_user_c7c7699f54.png)
</Step>

<Step>
Select the user and click **Assign Applications**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_assign_applications_0ab740193a.png)
</Step>

<Step>
In the **Assign Applications** modal, click the **Assign** button corresponding to your *app*.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_assign_801b428f50.png)
</Step>

<Step>
In the modal that appears, scroll down and click **Save and Go Back**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_save_and_go_back_700ddc05d2.png)
</Step>

<Step>
Then click **Done**.

![](https://creative-ball-51b3fc85c0.media.strapiapp.com/okta_done_bafeb27f81.png)
</Step>
</Steps>

You can now authenticate as this user through federated login with OpenID.

## Deleting or editing an OpenID Connect connection

Once active, the connection can be updated at any time.
To do this, click on any field you want to edit, make the necessary changes and click **UPDATE**.

To disable a connection, click the **Delete Login** button.

<Callout type="WARNING" title="WARNING">
- When you click **Delete Login**, the federated login provider is deleted. Users originally created as local users in Access Control regain access via login and password after a password reset; users created exclusively through federated login are permanently deleted. See the details at the top of this page.
- To re-establish the connection, follow the steps above again (Configuring an OpenID Connect connection).
- Clicking **Delete Login** does not change your settings with your identity provider.
</Callout>

## Login and user control

Unlike login through the Sensedia Platform, login with username and password remains possible even after OpenID Connect is configured.

A user can log into Sensedia products either through OpenID Connect or with username and password.
