OKTA setup for OOD

I need help in setting up OKTA authentication for the OOD portal. This is the auth part of my ood_portal.yml file.

# Use OIDC authentication
auth:
  - "AuthType openid-connect"
  - "Require valid-user"

oidc_provider_metadata_url: "(removed)"
oidc_client_id: "(removed)"
oidc_client_secret: "(removed)"
oidc_redirect_uri: "(removed)"

oidc_scope: "openid profile email"
oidc_response_type: "code"

Do I need to set up anything else? I am new to this.

That’s likely all you need, though I believe the client secret is shared between apache and OKTA so you’ve got to be sure you set everything up right in OKTA.

I assume you’re getting some errors? If you attach the httpd/apache2 error logs I can help diagnose the issue.

I am getting this error at the moment

"
[Fri May 23 06:01:35.791873 2025] [auth_openidc:error] [pid 2840643:tid 139786715113216] [client 10.112.149.20:50812] oidc_check_userid_openidc: configuration error: the authentication type is set to “openid-connect” but OIDCRedirectURI has not been set
"

OK - maybe it’s as simple as bouncing httpd/apache2. If you restart httpd/apache2 we should be writing a new .conf file based on what you’ve provided in the .yml file you’ve displayed above.

Once you bounce httpd/apache2, look for the ood-portal.conf file in its /etc directory to verify that it has directives like OIDCRedirectURI.

The parameter to set in ood_portal.yml is oidc_uri, not oidc_redirect_uri.

That parameter maps to OIDCRedirectURI in the generated ood-portal.conf, so this mismatch is a little confusing; we made the same mistake at first, even though it’s in the documentation.
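A small pre-flight check for exactly this mistake, added here as an example and not part of Open OnDemand or this thread: it reads the top-level keys of an ood_portal.yml, and when auth uses openid-connect it flags oidc_* keys it does not recognise (such as oidc_redirect_uri) and reports required ones that are missing. The set of known and required keys is an assumption taken from the keys discussed in this thread, not the full ood_portal.yml schema, and the sample file is constructed to mirror the original post.

```python
import re

# Assumed key set: the oidc_* keys seen in this thread plus oidc_uri, which is the
# ood_portal.yml name that maps to OIDCRedirectURI. Not the full OOD schema.
KNOWN_OIDC_KEYS = {
    "oidc_uri", "oidc_provider_metadata_url", "oidc_client_id",
    "oidc_client_secret", "oidc_scope", "oidc_response_type",
}
# Keys assumed to be required once AuthType is openid-connect.
REQUIRED_OIDC_KEYS = {"oidc_uri", "oidc_provider_metadata_url",
                      "oidc_client_id", "oidc_client_secret"}

TOP_LEVEL_KEY = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$')

def parse_top_level(text):
    """Collect top-level `key: value` pairs (quotes stripped) and the list items under `auth:`."""
    keys, auth, in_auth = {}, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith('#'):
            continue
        m = TOP_LEVEL_KEY.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip().strip('"\'')
            in_auth = (key == 'auth')
            if not in_auth:
                keys[key] = value
            continue
        if in_auth and line.lstrip().startswith('- '):
            auth.append(line.lstrip()[2:].strip().strip('"\''))
    return keys, auth

def check_oidc_config(text):
    """Return human-readable findings; an empty list means the OIDC keys look consistent."""
    keys, auth = parse_top_level(text)
    findings = []
    if not any(d.startswith('AuthType openid-connect') for d in auth):
        return findings  # not an OIDC setup, nothing to check
    for key in sorted(keys):
        if key.startswith('oidc_') and key not in KNOWN_OIDC_KEYS:
            hint = ' (did you mean oidc_uri?)' if key == 'oidc_redirect_uri' else ''
            findings.append(f'unknown key {key}{hint}')
    for key in sorted(REQUIRED_OIDC_KEYS - set(keys)):
        findings.append(f'missing {key}')
    return findings

# Constructed sample mirroring the posted config (secrets are placeholders).
SAMPLE = """# Use OIDC authentication
auth:
  - "AuthType openid-connect"
  - "Require valid-user"
oidc_provider_metadata_url: "https://example.okta.com/.well-known/openid-configuration"
oidc_client_id: "PLACEHOLDER"
oidc_client_secret: "PLACEHOLDER"
oidc_redirect_uri: "/oidc"
oidc_scope: "openid profile email"
oidc_response_type: "code"
"""
```

Running `check_oidc_config(SAMPLE)` reports the unknown oidc_redirect_uri key and the missing oidc_uri; renaming the key clears both findings.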
