Documentation

Private Cloud SSO setup guide – Okta (OIDC)

updated 2 wk ago

This guide explains how to set up single sign-on (SSO) with OIDC on a Ninox Private Cloud using Okta

Before you begin

Make sure you have the following before you start:

Access to a Ninox Private Cloud Enterprise subscription with single sign-on (SSO) enabled.
Owner or Admin rights for the Ninox Private Cloud you will configure.
Super admin, app admin, or custom admin role with app management permissions in Okta.
Your Private Cloud domain, for example acme.ninoxdb.de or acme.ninoxdb.com.

Configure in Okta

Note: This guide covers only the Okta fields required for SSO integration with Ninox to help you configure quickly. For complete documentation and advanced options, please visit Okta's official documentation on OIDC app integrations.

1. Create an app integration

Follow Okta's Create OpenID Connect app integrations guide.
If you're familiar with OIDC or have completed prerequisites, skip Before you begin and proceed directly to Launch the wizard to start creating your app integration.

Select the values in Okta:

Okta field	Required	Value
Sign-in method	Yes	OIDC - OpenID Connect
Application type	Yes	Web Application

2. Configure general settings

Continue in Okta's Create OpenID Connect app integrations guide to configure general settings.
Enter the values in Okta:

Okta field	Required	Value
App integration name	Yes	Choose a name like Ninox OIDC. Okta only allows UTF-8, three-byte characters.
Grant type	Yes	The grant types available for your app integration depend on the platform that you select. Authorization Code (this is the default)
Sign-in redirect URIs	Yes	This is where Okta sends the authentication response and ID token for the sign-in request. https://my-private-cloud.ninoxdb.de/ums/oidc/callback Note Replace my-private-cloud with your own subdomain. Some environments use the .ninoxdb.com top-level domain instead of .ninoxdb.de; enter whichever matches your Private Cloud. Tip: Same as the value for Redirect URI (comma-separated) in the Ninox settings.
Assignments	Yes	Skip group assignment for now: Create the app without assigning a group.

3. Assign to people or groups

Warning: Test SSO only with a Ninox user whose email is already active. If the email isn't in Ninox—or later gets deactivated—OIDC sign-in will fail.

Follow Okta's Assign app integrations guide to assign the OIDC integration to users or groups, based on your organization's needs. This guide provides a quick overview.
For more detailed instructions, visit Okta's Assign applications to users or Assign an app integration to a group guides.

Configure in Ninox Private Cloud

Enter Okta values

In Ninox, open Ninox settings > Configuration, switch to the Authentication tab, and select OpenID Connect (OIDC).
Enter the Okta values:

Ninox field	Required	Value
Discovery URL	Yes	https://my-okta-subdomain.okta.com/.well-known/openid-configuration Note: Replace my-okta-subdomain with your Okta subdomain, which you can find at the start of your Okta URL, e.g., trial-3582454-admin. The path /.well-known/openid-configuration is the standard OIDC discovery endpoint.
Client ID	Yes	Enter the Client ID created in Okta (Applications > General > Client Credentials), e.g., 0oasxq5cznIkNeV2e697. The public identifier required by all OAuth flows, randomly generated when you create the app integration.
Client secret	Yes	Enter the Client secret created in Okta (Applications > Applications > General > Client Credentials), e.g., PNz4fZcOo1tag7SSywBJKbLTAjdjF-jY4khLhU8hxj255fXZVY6815r-r0UlG_EO. This value is known only to Okta and your app integration.
Redirect URI (comma-separated)	Yes	https://my-private-cloud.ninoxdb.de/ums/oidc/callback (same as Sign-in redirect URI) Note: Replace my-private-cloud with your own subdomain. Some environments use the .ninoxdb.com top-level domain instead of .ninoxdb.de; enter whichever matches your Private Cloud.
Permission scopes	Yes	Comma-separate the scopes: email,openid. The minimum configuration needed for Ninox to know: That it's an SSO request (openid) Who the user is (email)
Session expiration limit (days)	No	Any positive number, e.g., 7.
Auto-assign to workspace	No	Enter a workspace ID if you want every new user added to that workspace automatically. Tip: When you auto-assign users to a workspace, they land on its home screen and see its databases. If you don't assign them, their home screen stays empty until you add them.
Auto-assign role	No	Comma-separate any roles (e.g. user,editor,admin) you want to assign to a user. Setting a default role prevents the user from logging in without permissions. Tip: Enter keepNinox to keep the roles you already have in the workspace and ignore roles coming from OIDC.
Auto-provision collaborators	No	Toggle ON if you want users created automatically on first login.

Click Save and restart.

Test single sign-on in Okta

After successful authentication, you're redirected to your Private Cloud:

If the user is auto-assigned to a workspace, they land on its home screen and see its databases.
If the user isn't assigned to a workspace, the home screen will appear empty until an owner or admin assigns them to one.

Note: If the SSO setup was done incorrectly and the test sign-in fails, your cloud's SSO configuration will need to be reset before you can try again.

Troubleshooting

400 Bad Request error: confirm every value in Ninox matches the values in Okta exactly, e.g., Error: The ‘redirect_uri' parameter must be a Login redirect URI in the client app: settings: https://my-okta-subdomain.okta.com/admin/app/oidc_client/instance/clientid#tab-general

Need deeper diagnostics: The Okta error codes and descriptions reference lists all errors that the Okta API returns.

Tip: If Okta's interface changes, refer to their latest Create OpenID Connect app integrations guide. The Ninox-specific values remain the same and should be entered as shown.