Private Cloud SSO setup guide – Okta (OIDC)
This guide explains how to set up single sign-on (SSO) with OIDC on a Ninox Private Cloud using Okta.
Before you begin
Make sure you have the following before you start:
- Access to a Ninox Private Cloud Enterprise subscription with single sign-on (SSO) enabled.
- Owner or Admin rights for the Ninox Private Cloud you will configure.
- Super admin, app admin, or custom admin role with app management permissions in Okta.
- Your Private Cloud domain, for example acme.ninoxdb.de or acme.ninoxdb.com.
Configure in Okta
Note: This guide covers only the Okta fields required for SSO integration with Ninox to help you configure quickly. For complete documentation and advanced options, please visit Okta's official documentation on OIDC app integrations.
1. Create an app integration
- Follow Okta's Create OpenID Connect app integrations guide.
- If you're familiar with OIDC or have completed prerequisites, skip Before you begin and proceed directly to Launch the wizard to start creating your app integration.
- Select the values in Okta:
| Okta field | Required | Value |
| --- | --- | --- |
| Sign-in method | Yes | OIDC - OpenID Connect |
| Application type | Yes | Web Application |
2. Configure general settings
- Continue in Okta's Create OpenID Connect app integrations guide to configure general settings.
- Enter the values in Okta:
| Okta field | Required | Value |
| --- | --- | --- |
| App integration name | Yes | Choose a name like Ninox OIDC. Okta only allows UTF-8, three-byte characters. |
| Grant type | Yes | Authorization Code. The grant types available for your app integration depend on the platform that you select. |
| Sign-in redirect URIs | Yes | This is where Okta sends the authentication response and ID token for the sign-in request: https://my-private-cloud.ninoxdb.de/ums/oidc/callback |
| Assignments | Yes | Skip group assignment for now: Create the app without assigning a group. |
3. Assign to people or groups
Warning: Test SSO only with a Ninox user whose email is already active. If the email isn't in Ninox—or later gets deactivated—OIDC sign-in will fail.
- Follow Okta's Assign app integrations guide to assign the OIDC integration to users or groups, based on your organization's needs. This guide provides a quick overview.
- For more detailed instructions, visit Okta's Assign applications to users or Assign an app integration to a group guides.
Configure in Ninox Private Cloud
Enter Okta values
- In Ninox, open Ninox settings > Configuration, switch to the Authentication tab, and select OpenID Connect (OIDC).
- Enter the Okta values:
| Ninox field | Required | Value |
| --- | --- | --- |
| Discovery URL | Yes | https://my-okta-subdomain.okta.com/.well-known/openid-configuration (the path /.well-known/openid-configuration is the standard OIDC discovery endpoint) |
| Client ID | Yes | Enter the Client ID created in Okta (Applications > General > Client Credentials), e.g., 0oasxq5cznIkNeV2e697. The public identifier required by all OAuth flows, randomly generated when you create the app integration. |
| Client secret | Yes | Enter the Client secret created in Okta (Applications > Applications > General > Client Credentials), e.g., PNz4fZcOo1tag7SSywBJKbLTAjdjF-jY4khLhU8hxj255fXZVY6815r-r0UlG_EO. This value is known only to Okta and your app integration. |
| Redirect URI (comma-separated) | Yes | https://my-private-cloud.ninoxdb.de/ums/oidc/callback (same as Sign-in redirect URI) |
| Permission scopes | Yes | Comma-separate the scopes: email,openid. The minimum configuration needed for Ninox to know: |
| Session expiration limit (days) | No | Any positive number, e.g., 7. |
| Auto-assign to workspace | No | Enter a workspace ID if you want every new user added to that workspace automatically. |
| Auto-assign role | No | Comma-separate any roles (e.g. user,editor,admin) you want to assign to a user. Setting a default role prevents the user from logging in without permissions. |
| Auto-provision collaborators | No | Toggle ON if you want users created automatically on first login. |
- Click Save and restart.
Test single sign-on in Okta
After successful authentication, you're redirected to your Private Cloud:
- If the user is auto-assigned to a workspace, they land on its home screen and see its databases.
- If the user isn't assigned to a workspace, the home screen will appear empty until an owner or admin assigns them to one.
Note: If the SSO setup was done incorrectly and the test sign-in fails, your cloud's SSO configuration will need to be reset before you can try again.
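Because a failed test sign-in means resetting the SSO configuration, the values can be cross-checked before you click Save and restart. The pre-flight check below is an added example, not Ninox or Okta code; the `ninox` dictionary keys, the function names and the sample discovery document are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"

# Constructed, trimmed sample of an OIDC discovery document (assumption:
# a real one would be downloaded from the Discovery URL beforehand).
SAMPLE_DISCOVERY = {
    "issuer": "https://my-okta-subdomain.okta.com",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "implicit"],
    "scopes_supported": ["openid", "email", "profile"],
}

def split_csv(value):
    """Split a comma-separated form field, dropping blanks and padding."""
    return [part.strip() for part in value.split(",") if part.strip()]

def preflight(ninox, okta_redirect_uris, discovery):
    """Return a list of problems; an empty list means the values line up.

    `ninox` uses hypothetical key names for the Ninox form fields.
    """
    problems = []
    url = ninox["discovery_url"]
    if urlsplit(url).scheme != "https":
        problems.append("discovery URL is not https")
    if url != discovery["issuer"].rstrip("/") + SUFFIX:
        problems.append("discovery URL is not <issuer>" + SUFFIX)
    if "authorization_code" not in discovery["grant_types_supported"]:
        problems.append("issuer does not offer the Authorization Code grant")
    if "code" not in discovery["response_types_supported"]:
        problems.append("issuer does not offer response_type=code")
    # The guide asks for an exact match, so compare the strings unchanged.
    for uri in split_csv(ninox["redirect_uris"]):
        if uri in okta_redirect_uris:
            continue
        near = [o for o in okta_redirect_uris
                if o.rstrip("/").lower() == uri.rstrip("/").lower()]
        hint = " (differs from %s only by case or trailing slash)" % near[0] if near else ""
        problems.append("redirect URI not registered in Okta: " + uri + hint)
    scopes = split_csv(ninox["scopes"])
    for required in ("openid", "email"):
        if required not in scopes:
            problems.append("missing required scope: " + required)
    for scope in scopes:
        if scope not in discovery["scopes_supported"]:
            problems.append("scope not offered by issuer: " + scope)
    if ninox.get("auto_provision") and not split_csv(ninox.get("auto_assign_role", "")):
        problems.append("auto-provisioned users would get no default role")
    return problems
```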
Troubleshooting
- 400 Bad Request error: confirm every value in Ninox matches the values in Okta exactly. Example error: The 'redirect_uri' parameter must be a Login redirect URI in the client app: settings: https://my-okta-subdomain.okta.com/admin/app/oidc_client/instance/clientid#tab-general
- Need deeper diagnostics: The Okta error codes and descriptions reference lists all errors that the Okta API returns.
Tip: If Okta's interface changes, refer to their latest Create OpenID Connect app integrations guide. The Ninox-specific values remain the same and should be entered as shown.
Additional help
Add an app integration to Okta
Create OpenID Connect app integrations