# Okta SSO

Use this guide when your organization signs in with Okta. Lettermint connects to an Okta OIDC app integration.

## Before you start

You need administrator access to Okta. The sign-in redirect URI configured in Okta must match the Lettermint OIDC callback URL from the SSO guide exactly.

## Okta setup

1. In the Okta Admin Console, create an **OIDC - OpenID Connect** app integration.
2. Choose **Web Application**.
3. Add the Lettermint OIDC callback URL from the SSO guide as a sign-in redirect URI.
4. Assign the app to the users or groups that should access Lettermint.
5. Copy the client ID and client secret.
6. Note your Okta issuer base URL.

## Lettermint setup

In the Lettermint SSO setup screen, choose **Okta** and enter:

| Field | Value |
|-------|-------|
| Domain | Your managed email domain, for example `example.com`. |
| Metadata URL | `https://{tenant}.okta.com/.well-known/openid-configuration` |
| Client ID | The Okta client ID. |
| Client secret | The Okta client secret. |

If you use a custom authorization server, use that issuer's discovery URL instead.
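Before saving the form, you can check that the Metadata URL and the issuer in the discovery document agree, which is the usual failure when a custom authorization server's issuer is paired with the org-level URL. The sketch below is an added example, not Lettermint or Okta code; the function names, the `idp.example` issuer with its `/oauth2/default` path, and the `app.example` callback are constructed placeholders.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(metadata_url, doc):
    """Return a list of problems with a discovery document fetched from metadata_url."""
    if urlsplit(metadata_url).scheme != "https" or not metadata_url.endswith(SUFFIX):
        return ["metadata URL must be https and end with " + SUFFIX]
    problems = []
    # OIDC Discovery: the issuer must equal the URL prefix the document was
    # served from, compared as an exact string.
    expected_issuer = metadata_url[: -len(SUFFIX)]
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if urlsplit(str(doc.get(key, ""))).scheme != "https":
            problems.append(f"{key} is missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow is not advertised")
    return problems


def redirect_uri_matches(registered, callback):
    """Redirect URIs are compared as exact strings; a trailing slash is a mismatch."""
    return registered == callback


# Constructed sample values (not real endpoints).
CUSTOM_ISSUER = "https://idp.example/oauth2/default"
CUSTOM_DOC = {
    "issuer": CUSTOM_ISSUER,
    "authorization_endpoint": CUSTOM_ISSUER + "/v1/authorize",
    "token_endpoint": CUSTOM_ISSUER + "/v1/token",
    "jwks_uri": CUSTOM_ISSUER + "/v1/keys",
    "response_types_supported": ["code"],
}
CALLBACK = "https://app.example/sso/callback"  # placeholder, take the real one from the SSO guide

if __name__ == "__main__":
    # Custom server's own discovery URL: consistent.
    print(check_discovery(CUSTOM_ISSUER + SUFFIX, CUSTOM_DOC))
    # Org-level URL paired with the custom server's document: issuer mismatch.
    print(check_discovery("https://idp.example" + SUFFIX, CUSTOM_DOC))
    print(redirect_uri_matches(CALLBACK, CALLBACK + "/"))
```

In practice, `doc` is the JSON returned by the Metadata URL you plan to enter, and `registered` is the sign-in redirect URI saved in the Okta app.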

## References

- [Okta: Create OpenID Connect app integrations](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm)
- [Okta: OIDC sign-in redirect URI](https://support.okta.com/help/s/article/openid-connect-oidc-redirect-uri?language=en_US)
