Set Up Okta OIDC SSO

Last updated April 3, 2026

This guide walks you through configuring OpenID Connect (OIDC) SSO between Okta and Compound. After setup, team members with your verified domain will authenticate through Okta when signing in to Compound.

Prerequisites

  • Your team’s email domain must be verified in Compound. See Set Up SSO for Compound for instructions.
  • You must be a Team Owner in Compound and an Admin in Okta.

Important

Complete domain verification before starting this guide. SSO configuration will fail if your domain is not verified.

Setup procedure

OIDC configuration requires three values from Okta: a Client ID, Client Secret, and Issuer URL. You will create an app in Okta, enter those credentials into Compound, then update Okta with the Redirect URI that Compound provides.

Create an OIDC application in Okta

  1. Sign in to the Okta Admin Console.
  2. Navigate to Applications > Applications in the left sidebar.
  3. Click Create App Integration.
  4. Select OIDC - OpenID Connect as the sign-in method.
  5. Select Web Application as the application type and click Next.

Configure the OIDC application in Okta

On the New Web App Integration page, fill in the following:

  • App integration name: Enter Compound (or your preferred display name).
  • Grant type: Ensure Authorization Code is checked (it is selected by default).
  • Sign-in redirect URIs: Enter https://example.com/placeholder as a temporary value. You will replace this with the actual Redirect URI from Compound in a later step.
  • Sign-out redirect URIs: You can leave this blank or remove the default value.
  • Controlled access: Select your preferred assignment policy (e.g., Limit access to selected groups or Allow everyone in your organization to access).

Click Save.

Copy Client ID, Client Secret, and Issuer URL from Okta

After creating the application, Okta displays the General tab with the credentials you need:

  • Client ID — shown on the General tab under Client Credentials.
  • Client Secret — shown on the General tab under Client Credentials. Click Copy to copy it. Note: Okta only displays the full secret once, so copy it now before navigating away.

For the Issuer URL, navigate to Security > API in the Okta Admin Console sidebar. You will see your authorization servers listed. The Issuer URL follows this format: https://your-org.okta.com/oauth2/default. If you are using a custom authorization server, use that server’s Issuer URI instead.

Note

The Issuer URL must point to a valid OIDC discovery endpoint. Okta serves the OpenID configuration at {issuer_url}/.well-known/openid-configuration. Make sure you copy the base URL without a trailing slash.

Enter OIDC credentials in Compound

  1. In Compound, navigate to Settings > Team.
  2. Scroll to the SSO Configuration section.
  3. Click the OIDC protocol button to select OpenID Connect.
  4. Fill in the three fields:
    • Client ID — paste the Client ID from Okta.
    • Client Secret — paste the Client Secret from Okta.
    • Issuer URL — paste the Issuer URL (e.g., https://your-org.okta.com/oauth2/default).
  5. Click Save SSO Configuration.

Compound creates the OIDC provider and updates the SSO Configuration section to show an "SSO is active" status along with the Redirect URI.

Update the Redirect URI in Okta

After saving, Compound displays the Redirect URI — this is the callback URL where Okta sends users after authentication.

Copy the Redirect URI, then return to the Okta Admin Console:

  1. Go to Applications > Applications and select your Compound app.
  2. Click the General tab, then click Edit in the General Settings section.
  3. Under Sign-in redirect URIs, replace the placeholder value with the Redirect URI from Compound.
  4. Click Save.

Important

The Redirect URI must match exactly. If Okta’s redirect URI does not match what Compound expects, users will see an error after authenticating with Okta.

Assign users and groups in Okta

Users must be assigned to the Compound application in Okta before they can sign in via SSO.

  1. In the Okta Admin Console, go to your Compound application.
  2. Click the Assignments tab.
  3. Click Assign and select either Assign to People or Assign to Groups.
  4. Select the users or groups that should have access to Compound, then click Done.

Note

If you selected Allow everyone in your organization to access during app creation, all Okta users are already assigned and you can skip this step.

Test the connection

  1. Open a new browser window (or use incognito/private mode).
  2. Go to the Compound sign-in page.
  3. Enter an email address that belongs to your verified domain (e.g., user@acme.com).
  4. Compound should detect your SSO configuration and display a Continue with SSO prompt showing your team name.
  5. Click the SSO button. You should be redirected to Okta for authentication.
  6. After signing in through Okta, you should be redirected back to Compound and signed in.

Tip

Test with a user account that is assigned to the Compound app in Okta. If the user is not assigned, Okta will return an access denied error.

Troubleshooting

“Enterprise SSO requires a verified domain”

Your domain has not been verified yet. Go to Settings > Team, ensure your email domain is set, and complete the domain verification process.

“OIDC configuration requires client_id, client_secret, and issuer_url”

All three fields are required. Double-check that you have entered the Client ID, Client Secret, and Issuer URL, and that none of them are blank.

Redirect URI mismatch error

After authenticating with Okta, you see an error mentioning an invalid redirect URI or callback URL. This means the Redirect URI in your Okta application does not match what Compound expects.

  1. Go to Settings > Team > SSO Configuration in Compound and copy the Redirect URI.
  2. In the Okta Admin Console, open your Compound app, click General > Edit, and verify the Sign-in redirect URI matches exactly.

User sees regular password sign-in instead of SSO

  • Confirm the user’s email domain matches the verified domain on your team.
  • Check that the user is entering their full email address on the Compound sign-in page — SSO detection is triggered after the email is entered.

“User not assigned to app” error in Okta

The user has not been assigned to the Compound application in Okta. Go to the Assignments tab in the Okta Admin Console and add the user or their group.

Invalid Client Secret

If you regenerated the Client Secret in Okta after the initial setup, you need to update the secret in Compound as well. Go to Settings > Team > SSO Configuration, remove the existing SSO configuration, and re-configure OIDC with the new Client Secret.

Issuer URL not resolving

Make sure the Issuer URL you entered is correct and accessible. You can verify it by opening {issuer_url}/.well-known/openid-configuration in your browser — it should return a JSON document with OIDC discovery metadata.
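The issuer check described here and in the earlier note on the discovery endpoint can be scripted before you paste the value into Compound. The following is an added example, not Compound's or Okta's own code; the function names and the sample discovery document are constructed for illustration, and the `issuer` equality check follows the OpenID Connect Discovery specification.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer_url):
    """Build the discovery URL the way the guide describes it."""
    return issuer_url + "/.well-known/openid-configuration"

def check_issuer(issuer_url, doc):
    """Return a list of problems for an issuer URL and its discovery document."""
    problems = []
    parts = urlsplit(issuer_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("issuer URL must be an absolute https URL")
    if issuer_url.endswith("/"):
        problems.append("issuer URL has a trailing slash")
    # OIDC Discovery: the document's "issuer" must equal the URL used to find it.
    if doc.get("issuer") != issuer_url:
        problems.append("discovery issuer %r != %r" % (doc.get("issuer"), issuer_url))
    for key in REQUIRED:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append("missing or non-https %s" % key)
    # The Okta app in this guide uses the Authorization Code grant.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow ('code') not advertised")
    return problems

def fetch_discovery(issuer_url, timeout=10):
    """Live fetch (needs network); the offline sample below does not call it."""
    if not issuer_url.startswith("https://"):
        raise ValueError("refusing to fetch a non-https issuer")
    with urlopen(discovery_url(issuer_url), timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample for the guide's example issuer (not real Okta output).
SAMPLE_ISSUER = "https://your-org.okta.com/oauth2/default"
SAMPLE_DOC = json.loads("""{
  "issuer": "https://your-org.okta.com/oauth2/default",
  "authorization_endpoint": "https://your-org.okta.com/oauth2/default/v1/authorize",
  "token_endpoint": "https://your-org.okta.com/oauth2/default/v1/token",
  "jwks_uri": "https://your-org.okta.com/oauth2/default/v1/keys",
  "response_types_supported": ["code", "id_token"]
}""")

if __name__ == "__main__":
    for url in (SAMPLE_ISSUER, SAMPLE_ISSUER + "/"):
        print(url, "->", check_issuer(url, SAMPLE_DOC) or "OK")
```

To check a real tenant, pass the result of `fetch_discovery(issuer_url)` as the second argument to `check_issuer`.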