Private Cloud SSO setup guide – Okta (OIDC)

This guide explains how to set up single sign-on (SSO) with OIDC on a Ninox Private Cloud using Okta.

Before you begin

Make sure you have the following before you start:

  • Access to a Ninox Private Cloud Enterprise subscription with single sign-on (SSO) enabled.
  • Owner or Admin rights for the Ninox Private Cloud you will configure.
  • Super admin, app admin, or custom admin role with app management permissions in Okta.
  • Your Private Cloud domain, for example acme.ninoxdb.de or acme.ninoxdb.com.

Configure in Okta

ℹ️ Note: This guide covers only the Okta fields required for SSO integration with Ninox to help you configure quickly. For complete documentation and advanced options, please visit Okta's official documentation on OIDC app integrations.

1. Create an app integration

  • Follow Okta's Create OpenID Connect app integrations guide.
  • If you're familiar with OIDC or have completed prerequisites, skip Before you begin and proceed directly to Launch the wizard to start creating your app integration.

 

  • Select the values in Okta:

| Okta field | Required | Value |
| --- | --- | --- |
| Sign-in method | Yes | OIDC - OpenID Connect |
| Application type | Yes | Web Application |

2. Configure general settings

| Okta field | Required | Value |
| --- | --- | --- |
| App integration name | Yes | Choose a name like Ninox OIDC. Okta only allows UTF-8, three-byte characters. |
| Grant type | Yes | The grant types available for your app integration depend on the platform that you select. Authorization Code (this is the default) |
| Sign-in redirect URIs | Yes | This is where Okta sends the authentication response and ID token for the sign-in request. https://my-private-cloud.ninoxdb.de/ums/oidc/callback ℹ️ Note: Replace my-private-cloud with your own subdomain. Some environments use the .ninoxdb.com top-level domain instead of .ninoxdb.de; enter whichever matches your Private Cloud. ✅ Tip: Same as the value for Redirect URI (comma-separated) in the Ninox settings. |
| Assignments | Yes | Skip group assignment for now: Create the app without assigning a group. |

3. Assign to people or groups

⚠️ Warning: Test SSO only with a Ninox user whose email is already active. If the email isn't in Ninox—or later gets deactivated—OIDC sign-in will fail.

Configure in Ninox Private Cloud

Enter Okta values

  • In Ninox, open Ninox settings > Configuration, switch to the Authentication tab, and select OpenID Connect (OIDC).
  • Enter the Okta values:

| Ninox field | Required | Value |
| --- | --- | --- |
| Discovery URL | Yes | https://my-okta-subdomain.okta.com/.well-known/openid-configuration ℹ️ Note: Replace my-okta-subdomain with your Okta subdomain, which you can find at the start of your Okta URL, e.g., trial-3582454-admin. The path /.well-known/openid-configuration is the standard OIDC discovery endpoint. |
| Client ID | Yes | Enter the Client ID created in Okta (Applications > General > Client Credentials), e.g., 0oasxq5cznIkNeV2e697. The public identifier required by all OAuth flows, randomly generated when you create the app integration. |
| Client secret | Yes | Enter the Client secret created in Okta (Applications > Applications > General > Client Credentials), e.g., PNz4fZcOo1tag7SSywBJKbLTAjdjF-jY4khLhU8hxj255fXZVY6815r-r0UlG_EO. This value is known only to Okta and your app integration. |
| Redirect URI (comma-separated) | Yes | https://my-private-cloud.ninoxdb.de/ums/oidc/callback (same as Sign-in redirect URI) ℹ️ Note: Replace my-private-cloud with your own subdomain. Some environments use the .ninoxdb.com top-level domain instead of .ninoxdb.de; enter whichever matches your Private Cloud. |
| Permission scopes | Yes | Comma-separate the scopes: email,openid. The minimum configuration needed for Ninox to know that it's an SSO request (openid) and who the user is (email). |
| Session expiration limit (days) | No | Any positive number, e.g., 7. |
| Auto-assign to workspace | No | Enter a workspace ID if you want every new user added to that workspace automatically. ✅ Tip: When you auto-assign users to a workspace, they land on its home screen and see its databases. If you don't assign them, their home screen stays empty until you add them. |
| Auto-assign role | No | Comma-separate any roles (e.g. user,editor,admin) you want to assign to a user. Setting a default role prevents the user from logging in without permissions. ✅ Tip: Enter keepNinox to keep the roles you already have in the workspace and ignore roles coming from OIDC. |
| Auto-provision collaborators | No | Toggle ON if you want users created automatically on first login. |

  • Click Save and restart.

Test single sign-on in Okta

After successful authentication, you're redirected to your Private Cloud:

  • If the user is auto-assigned to a workspace, they land on its home screen and see its databases.
  • If the user isn't assigned to a workspace, the home screen will appear empty until an owner or admin assigns them to one.

ℹ️ Note: If the SSO setup was done incorrectly and the test sign-in fails, your cloud's SSO configuration will need to be reset before you can try again.
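
Because a failed test sign-in means resetting the SSO configuration, it helps to check the values for consistency before saving. The following pre-flight check is an added example, not Ninox or Okta code: the function names, the dictionary keys and the sample tenants (example-org, acme) are assumptions made for illustration, and the discovery document is a constructed sample rather than a live response.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
CALLBACK_PATH = "/ums/oidc/callback"
NINOX_SUFFIXES = (".ninoxdb.de", ".ninoxdb.com")
PLACEHOLDERS = ("my-private-cloud", "my-okta-subdomain")

def split_csv(value):
    """Split a comma-separated Ninox field into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]

def preflight(ninox, okta_redirects, discovery):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    disc_url = ninox["discovery_url"]
    if not (disc_url.startswith("https://") and disc_url.endswith(WELL_KNOWN)):
        problems.append("discovery URL must be https and end with " + WELL_KNOWN)
    # OIDC Discovery: issuer must equal the discovery URL minus the well-known path.
    elif discovery.get("issuer") != disc_url[: -len(WELL_KNOWN)]:
        problems.append("issuer in discovery document does not match discovery URL")
    scopes = split_csv(ninox["scopes"])
    for needed in ("openid", "email"):
        if needed not in scopes:
            problems.append(f"scope '{needed}' missing from Permission scopes")
        elif needed not in discovery.get("scopes_supported", [needed]):
            problems.append(f"scope '{needed}' not supported by the issuer")
    redirects = split_csv(ninox["redirect_uris"])
    if not redirects:
        problems.append("no redirect URI configured")
    for uri in redirects:
        parts = urlsplit(uri)
        if parts.scheme != "https" or parts.path != CALLBACK_PATH:
            problems.append(f"redirect URI must be https://<domain>{CALLBACK_PATH}: {uri}")
        if not (parts.hostname or "").endswith(NINOX_SUFFIXES):
            problems.append(f"redirect host is not a Private Cloud domain: {uri}")
        # OIDC requires redirect_uri to exactly match a value registered at the provider.
        if uri not in okta_redirects:
            problems.append(f"redirect URI not registered in Okta: {uri}")
    if any(p in v for p in PLACEHOLDERS for v in [disc_url, *redirects]):
        problems.append("placeholder subdomain left in a URL")
    return problems

# Constructed sample values; example-org and acme are placeholders, not real tenants.
SAMPLE_DISCOVERY = {"issuer": "https://example-org.okta.com",
                    "scopes_supported": ["openid", "email", "profile"]}
SAMPLE_NINOX = {"discovery_url": "https://example-org.okta.com" + WELL_KNOWN,
                "redirect_uris": "https://acme.ninoxdb.de/ums/oidc/callback",
                "scopes": "email,openid"}
SAMPLE_OKTA_REDIRECTS = ["https://acme.ninoxdb.de/ums/oidc/callback"]
```

To check a real setup, pass the JSON saved from your own Discovery URL as `discovery` and the Sign-in redirect URIs registered in Okta as `okta_redirects`.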

Troubleshooting

✅ Tip: If Okta's interface changes, refer to their latest Create OpenID Connect app integrations guide. The Ninox-specific values remain the same and should be entered as shown.

Additional help

  • OIDC app integrations
  • OpenID Connect & OAuth 2.0
  • Add an app integration to Okta
  • Create OpenID Connect app integrations
  • Assign app integrations
  • Assign applications to users
  • Assign an app integration to a group
  • Okta error codes and descriptions
