How to Configure Okta OIDC Single Sign‑On for Environment Operations Center (EOC) v1.5.0+

Overview

This article explains how to configure Okta as an OpenID Connect (OIDC) Identity Provider for RadiantOne Environment Operations Center (EOC) v1.5.0+ so that users can sign in to EOC with their Okta accounts.

 

Prerequisites

  • RadiantOne Environment Operations Center (EOC) v1.5.0 or later.
  • Access to the Okta Admin Console with permissions to create and configure OIDC applications.
  • EOC users already created with correct Email values (these will be matched to Okta users).

Step 1 – Create an Okta OIDC Web Application

  1. Sign in to the Okta Admin Console.
  2. Navigate to Applications → Applications → Create App Integration.
  3. In the wizard, select:
    • Sign‑in method: OIDC – OpenID Connect
    • Application type: Web Application
    Click Next.
  4. Configure application basics:
    • App integration name: for example RadiantOne EOC.
    • Leave default grant types (Authorization Code, Refresh Token).
  5. Under Sign‑in redirect URIs, enter any valid HTTPS URL as a temporary value (for example https://example.com/temp). You will replace this with the EOC Redirect URL later.
  6. Choose Controlled access (either everyone or specific groups), according to your policy.
  7. Click Save.
  8. On the app’s General tab, record the:
    • Client ID
    • Client secret
  9. Identify your Okta domain from the browser URL, for example:
    • https://admin-123456.okta.com or https://yourcompany.okta.com
  10. Build the Discovery URL that EOC will use:
    • https://<your-okta-domain>/.well-known/openid-configuration

 

Step 2 – Configure Okta as OIDC Provider in EOC

  1. Log in to EOC v1.5.0+ as an administrator.
  2. Go to Admin → Authentication.
  3. Click New Provider and choose OpenID Connect Provider (or edit an existing provider).
  4. Toggle OIDC Provider to Enabled.
  5. Set OIDC Provider to Custom or Okta (if available).
  6. Provider Name: enter a label such as Okta (this appears on the EOC login page).
  7. Discovery URL: paste the Okta discovery URL, for example:
    • https://yourcompany.okta.com/.well-known/openid-configuration
  8. Click Discover Endpoint URLs. EOC automatically populates:
    • Authorization Endpoint URL
    • Token Endpoint URL
    • Redirect URL
  9. Use the copy icon next to Redirect URL to copy it exactly. You will paste this URL into the Okta app as the Sign‑in redirect URI in the next step.
  10. Enter the Client ID and Client Secret from the Okta app.
  11. Under Email Scope, select and add email.
  12. Click Save.

    After saving and reopening the provider, the Client ID and Client Secret fields may show as empty in the UI, but the values are stored and used unless you deliberately change them again.

Note about scopes
The EOC OIDC Provider UI only exposes the email scope explicitly. This is expected. The underlying Okta OIDC Web App still uses the standard openid scope as part of the authorization flow. EOC only requires the email claim from the ID token to map the Okta user to the matching EOC user. You do not need to add openid manually in EOC.

 

Step 3 – Update the Redirect URI in Okta

  1. In the Okta Admin Console, open the EOC OIDC application created in Step 1.
  2. Go to the General tab.
  3. In the Login section, click Edit next to Sign‑in redirect URIs.
  4. Remove the temporary URI you originally entered.
  5. Paste the exact Redirect URL copied from the EOC OIDC Provider configuration (Step 2).
  6. Save the changes.

Okta now recognizes the EOC Redirect URL as a valid login redirect URI and will accept authorization requests using that URL.

 

Step 4 – Assign Okta Users and Map to EOC Users

4.1 Assign users to the EOC app in Okta

  1. In the Okta app, select the Assignments tab.
  2. Click Assign → Assign to People (or Assign to Groups).
  3. Add the users or groups that should be able to log in to EOC, then click Save and Go Back.

Ensure each Okta user has the correct Primary email address in their Okta profile.

4.2 Ensure matching users exist in EOC

  1. In EOC, go to Admin → Users.
  2. For each Okta user that should use SSO:
    • Verify there is an EOC user whose Email value exactly matches the user’s primary email in Okta (for example user@company.com).
    • Confirm the user is Active and has appropriate roles (Tenant Admin, Environment Admin, Environment Creator, etc.).
  3. If necessary, click New User in EOC to create additional users and set their Email and roles.

EOC uses the email claim from the Okta ID token to locate the corresponding EOC user. If there is no matching Email in EOC, the login attempt will fail.

 

Step 5 – Multi‑Factor Authentication (MFA)

EOC relies on Okta for MFA behavior. Any MFA prompts, authenticators (Okta Verify, Google Authenticator, etc.), and policies are controlled entirely in Okta.

If a user needs to re‑enroll MFA specifically for EOC SSO:

  1. In EOC, go to Admin → Users.
  2. Use the menu (…) next to the user and select Reset MFA token.
  3. On the next Okta SSO login into EOC, the user will be prompted by Okta to enroll or re‑enroll an authenticator for that Okta account, and then use that factor going forward.

 

Step 6 – Test the SSO Login

  1. Open a private/incognito browser window.
  2. Navigate to your EOC login URL.
  3. On the login screen, click the Okta button (or the provider name you configured).
  4. You are redirected to Okta. Sign in with an Okta user that has been assigned to the EOC app and complete MFA if prompted.
  5. After successful authentication, Okta redirects back to EOC using the configured Redirect URL.
  6. EOC reads the email claim from the ID token, finds the matching EOC user, and signs you in with that user’s roles.

 

Troubleshooting

Redirect URI error from Okta

Symptom

  • Okta displays an error like: “The redirect_uri parameter must be a Login redirect URI in the client app settings.”

Resolution

  1. In EOC, copy the Redirect URL from the OIDC Provider configuration using the copy icon.
  2. In Okta, open the EOC app General tab and edit Sign‑in redirect URIs.
  3. Ensure that one of the entries is an exact match for the Redirect URL from EOC (same protocol, hostname, path, and trailing slash).
  4. Save and retry SSO.
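
To find which part of the URL is mismatched, the check below compares the redirect_uri in a captured /authorize request with the Sign‑in redirect URIs registered in Okta. It is an added example, not Radiant Logic or Okta code; the hostnames, callback path and client_id are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

def sent_redirect_uri(authorize_url):
    """Extract the redirect_uri parameter from a captured /authorize request URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError(f"expected one redirect_uri, found {len(values)}")
    return values[0]

def differences(sent, registered):
    """Name the components in which two redirect URIs differ."""
    a, b = urlsplit(sent), urlsplit(registered)
    diffs = []
    if a.scheme != b.scheme:
        diffs.append("protocol")
    if a.netloc != b.netloc:
        diffs.append("hostname")
    if a.path != b.path:
        same_but_slash = a.path.rstrip("/") == b.path.rstrip("/")
        diffs.append("trailing slash" if same_but_slash else "path")
    if a.query != b.query:
        diffs.append("query string")
    return diffs or ["character-level difference (case or fragment)"]

def check_redirect(authorize_url, registered_uris):
    """Return (sent URI, []) on an exact match, else the diff against the closest entry."""
    sent = sent_redirect_uri(authorize_url)
    if sent in registered_uris:
        return sent, []
    if not registered_uris:
        return sent, ["no sign-in redirect URIs registered"]
    return sent, min((differences(sent, r) for r in registered_uris), key=len)

# Constructed sample values; hostnames, path and client_id are placeholders.
SAMPLE_AUTHORIZE = (
    "https://yourcompany.okta.com/oauth2/v1/authorize?client_id=EXAMPLE_CLIENT_ID"
    "&response_type=code&scope=openid+email&state=xyz"
    "&redirect_uri=https%3A%2F%2Feoc.example.com%2Fcallback%2F"
)
SAMPLE_REGISTERED = ["https://example.com/temp", "https://eoc.example.com/callback"]

if __name__ == "__main__":
    # The temporary URI from Step 1 is still registered and the real one lacks the slash.
    print(check_redirect(SAMPLE_AUTHORIZE, SAMPLE_REGISTERED))
```
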

User not found or unauthorized in EOC

Symptom

  • After successful Okta login, you return to EOC but see a message indicating the user is not found or not authorized.

Resolution

  1. Check the user’s primary email in Okta.
  2. In EOC → Admin → Users, verify that there is an EOC user with the same Email value.
  3. If no matching user exists, create or update an EOC user with that Email and appropriate roles, then try again.
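
To see which email value Okta actually sent, the helper below decodes the claims of an ID token captured during troubleshooting and compares the email claim with the Email values of your EOC users. It is an added example, not EOC code; the token is built inline from constructed values, and the near-match hint (case or whitespace) is an assumption about a likely cause, since the article only states that the values must match exactly.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_email(id_token, eoc_emails):
    """Explain whether the token's email claim has an exact match among EOC users."""
    email = jwt_claims(id_token).get("email")
    if email is None:
        return "no email claim in ID token: check that the email scope was added in EOC"
    if email in eoc_emails:
        return f"exact match for {email}"
    # Assumption: differences in case or surrounding whitespace are worth flagging.
    near = [e for e in eoc_emails if e.strip().lower() == email.strip().lower()]
    if near:
        return f"near match only: token has {email!r}, EOC has {near[0]!r}"
    return f"no EOC user with Email {email!r}"

def make_sample_token(claims):
    """Build a constructed token with a fake signature so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "constructed"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    # Constructed data: one EOC user, and a token whose email differs only in case.
    eoc_users = ["user@company.com"]
    token = make_sample_token({"sub": "constructed-subject", "email": "User@company.com"})
    print(diagnose_email(token, eoc_users))
```

Claims decoded this way are unverified and are suitable only for reading what was sent, not for making an access decision.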

If you encounter an error that is not covered here, collect a browser Network trace of the login attempt (including the /authorize and /token calls) and contact Radiant Logic Support for further assistance.
