Layer

In order to enable the Okta integration, you need to have an active Enterprise plan with Layer. If you haven't already done so, please go to your workspace plan settings and subscribe to an Enterprise plan.

Layer's Okta integration supports the following features:

IdP-initiated SSO (through <a href="https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin" target="_blank" rel="nofollow noopener noreferrer">Third-party Initiated Login</a>)

- SP-initiated SSO (Single Sign-On)
- IdP-initiated SSO (through <a href="https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin" target="_blank" rel="nofollow noopener noreferrer">Third-party Initiated Login</a>)
- Just-In-Time provisioning

For more information on the listed features, visit the <a href="https://help.okta.com/okta_help.htm?type=oie&amp;id=ext_glossary" target="_blank" rel="nofollow noopener noreferrer">Okta Glossary</a>.

In Okta, Go to Applications → Create App Integration.

Choose OIDC as the Sign-in method. Choose Web Application as your Application Type. Click Next.

Enter "<a href="https://auth.app.layer.ai/login/callback" target="_blank" rel="nofollow noopener noreferrer">https://auth.app.layer.ai/login/callback</a>" into the Sign-in redirect URIs.

Enter "<a href="https://app.layer.ai" target="_blank" rel="nofollow noopener noreferrer">https://app.layer.ai</a>" into the Sign-out redirect URIs.

If you'd like to be able to initiate login from Okta:

1. Choose "Either Okta or App" for Login initiated by
2. Set Application visibility checkboxes as needed
3. Choose "Redirect to app to initiate login" for Login flow
4. Enter "<a href="" target="_blank" rel="nofollow noopener noreferrer">https://app.layer.ai/login</a>" into the Initiate login URI

Assign the users or groups that should be able to log into Layer.

Note the Client ID and Client Secret.

Contact <a href="mailto:support@layer.ai" target="_blank" rel="nofollow noopener noreferrer">support@layer.ai</a> with the following information:

1. Okta Domain (looks like acme.okta.com)
2. Client ID
3. Client Secret

1. In Okta, Go to Applications → Create App Integration.
2. Choose OIDC as the Sign-in method. Choose Web Application as your Application Type. Click Next.
3. Enter "<a href="https://auth.app.layer.ai/login/callback" target="_blank" rel="nofollow noopener noreferrer">https://auth.app.layer.ai/login/callback</a>" into the Sign-in redirect URIs.
4. Enter "<a href="https://app.layer.ai" target="_blank" rel="nofollow noopener noreferrer">https://app.layer.ai</a>" into the Sign-out redirect URIs.
5. If you'd like to be able to initiate login from Okta:
 1. Choose "Either Okta or App" for Login initiated by
 2. Set Application visibility checkboxes as needed
 3. Choose "Redirect to app to initiate login" for Login flow
 4. Enter "<a href="" target="_blank" rel="nofollow noopener noreferrer">https://app.layer.ai/login</a>" into the Initiate login URI
6. Click Create.
7. Assign the users or groups that should be able to log into Layer.
8. Note the Client ID and Client Secret.
9. Contact <a href="mailto:support@layer.ai" target="_blank" rel="nofollow noopener noreferrer">support@layer.ai</a> with the following information:
 1. Okta Domain (looks like acme.okta.com)
 2. Client ID
 3. Client Secret

Prerequisites

Supported Features

Configuration Steps