Overview

This guide walks you through configuring Okta as an OIDC Identity Provider for Barndoor. Once complete, your users will be able to sign in to Barndoor with their Okta credentials, and their group memberships will flow through for automatic role mapping.
Prerequisites:
  • Admin access to your Barndoor account
  • Admin access to your Okta org (Super Admin or an admin role that can create OIDC apps and edit groups)
  • An Okta OIDC (Web) application — you’ll create one below
For the generic, IdP-agnostic version of this flow (Entra ID, Google Workspace, JumpCloud, etc.), see the Connect your IdP overview.

Step 1: Configure IdP Connection in Barndoor

1

Navigate to Identity Provider Settings

Go here in your Barndoor dashboard and start the Set up single sign-on (SSO) flow.
2

Complete IdP Setup Form

  • Provide a display name, such as your domain name (e.g. Okta — Acme Corp).
From your Okta OIDC application collect:
  • Issuer URL: Your Okta org URL, e.g. https://<your-org>.okta.com
  • Client ID: OAuth client ID from your Okta app
  • Client Secret: OAuth client secret from your Okta app
Auto discover will prefill your Authorization, Token, User Info, JWKS, and Logout URLs. If they are not autodiscovered, enter them manually.
3

Test the Connection

Click Test Connection to verify that Barndoor can communicate with Okta.
Expected result: “Connection successful” message
4

Save Configuration

Click Save to activate the IdP connection. Barndoor will reveal the Redirect URI for your Okta app — copy it into your Okta application’s Sign-in redirect URIs.
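If auto discover does not prefill the URLs, they can be read from the issuer's OIDC discovery document. The following is an added example, not Barndoor's or Okta's own code: it pulls the five endpoints out of a discovery document and flags the issues worth checking before manual entry. The mapping of form fields to discovery keys is an assumption, and the issuer and document are constructed placeholders.

```python
from urllib.parse import urlsplit

# Form field -> standard OIDC discovery key (this field mapping is an assumption).
FIELD_TO_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
    "JWKS URL": "jwks_uri",
    "Logout URL": "end_session_endpoint",
}

def discovery_url(issuer):
    """Location of the discovery document for an issuer (OIDC Discovery)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(issuer, doc):
    """Return (values_to_enter, problems) for a parsed discovery document."""
    problems = []
    if doc.get("issuer") != issuer:  # must match the configured issuer exactly
        problems.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    issuer_host = urlsplit(issuer).hostname
    values = {}
    for field, key in FIELD_TO_KEY.items():
        url = doc.get(key)
        if not url:
            problems.append(f"{field}: {key} missing, enter it manually")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{field}: not https ({url})")
        if parts.hostname != issuer_host:  # not a spec rule, but worth a review
            problems.append(f"{field}: host {parts.hostname!r} differs from issuer")
        values[field] = url
    return values, problems

# Constructed sample document for a placeholder issuer (not a real Okta org).
SAMPLE_ISSUER = "https://idp.example.com"
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
}

if __name__ == "__main__":
    values, problems = check_discovery(SAMPLE_ISSUER, SAMPLE_DOC)
    print(discovery_url(SAMPLE_ISSUER), values, problems, sep="\n")
```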

Step 2: Verify SSO Login Works

1

Log Out of Barndoor

Sign out of your current Barndoor session.
2

Attempt Login with Enterprise User

Log in with the enterprise test user from Step 1, using an email address connected to Okta.
You should now be redirected to Okta’s login page.
3

Authenticate via Okta

Complete authentication through Okta (enter credentials, complete MFA if required).
4

Verify Access to Barndoor

After successful Okta authentication, you should be logged into Barndoor.
Expected result: User is logged in but has standard user permissions (not admin yet).
SSO is now working! Users can authenticate via Okta.

Step 3: Configure Role Mapping (Auto-Provision Admins)

Now we’ll set up automatic role assignment based on Okta group membership.

Create Admin Group in Okta

1

Navigate to Groups in Okta

In the Okta Admin Console, go to Directory → Groups.
2

Create or Select Admin Group

Create a new group called “Barndoor Admins” (or use an existing admin group).
3

Assign Users to Admin Group

Add the test user to the Barndoor Admins group.
💡 Note: Any user in this group will automatically receive admin permissions in Barndoor.

Send Okta Groups to Barndoor

Barndoor can only map roles and evaluate group-based policies when Okta sends group names during login. For OIDC connections, include a claim named exactly groups in the ID token or UserInfo response.
Role mappings are synced on login. If the mapped group claim is missing or does not match exactly, the corresponding Barndoor role can be removed the next time the user signs in.
1

Add a groups claim filter in Okta

In Okta, open the Barndoor OIDC application and go to Sign On → OpenID Connect ID Token → Token claims (if needed, expand Show legacy configuration and set Group Claims):
  • Groups claim type: Filter
  • Groups claim filter: groups
  • Match type: Matches regex
  • Regex: ^Barndoor Admins$
This emits a claim like:
{
  "groups": ["Barndoor Admins"]
}
Use .* as the regex if you want Okta to emit every group the user belongs to. Use a tighter regex (as above) to keep the token small and limit exposure to just the groups Barndoor needs.
2

Verify the emitted claim

Use Okta’s Token Preview tab (on the application’s Sign On page), the System Log, or a fresh test login to confirm the token or UserInfo response contains groups with the exact group name you will configure in Barndoor.
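One way to run this check on a token copied from Token Preview or a test login, as an added example that is not Barndoor's or Okta's own code: it decodes the token payload for inspection only (no signature verification) and reports why the expected group would or would not map. The sample tokens are constructed, and the group-ID pattern is a heuristic assumption.

```python
import base64
import json
import re

# Heuristic (assumption): Okta group IDs are 20 characters starting with "00g".
OKTA_GROUP_ID = re.compile(r"^00g[0-9A-Za-z]{17}$")

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_groups(claims, expected):
    """Return (status, detail) explaining whether `expected` would map."""
    if "groups" not in claims:
        near = [k for k in claims if "group" in k.lower()]
        if near:
            return "wrong_claim_name", f"found {near}, need a claim named exactly 'groups'"
        return "missing_claim", "no groups claim in this token"
    groups = claims["groups"]
    if isinstance(groups, str):  # defensive: accept a bare string value
        groups = [groups]
    if expected in groups:
        return "ok", f"exact match for {expected!r}"
    folded = [g for g in groups if g.strip().lower() == expected.strip().lower()]
    if folded:
        return "case_or_whitespace_mismatch", f"token has {folded}, mapping expects {expected!r}"
    if groups and all(OKTA_GROUP_ID.match(g) for g in groups):
        return "group_ids_not_names", f"token carries IDs {groups}"
    return "group_not_emitted", f"token groups are {groups}"

if __name__ == "__main__":
    for claims in ({"groups": ["Barndoor Admins"]}, {"groups": ["barndoor admins"]},
                   {"Groups": ["Barndoor Admins"]}, {"sub": "constructed-user"}):
        token = make_sample_token(claims)  # constructed input, not a real Okta token
        print(diagnose_groups(jwt_claims(token), "Barndoor Admins"))
```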

Map Okta Group to Barndoor Admin Role

1

Open Role Mapping Settings

In Barndoor, go to Settings → Identity Provider → Role Mapping.
2

Configure Admin Group Mapping

Set the group name that defines administrators:
  • IdP Group Name: Enter Barndoor Admins (exact name from Okta)
  • Barndoor Role: Select Admin
3

Save Role Mapping

Click Save Role Settings.
Expected result: “Role mapping saved successfully” message

Verify Role Provisioning

1

Log Out and Back In

Sign out of Barndoor and log back in with the test user.
2

Verify Admin Access

After logging in, confirm:
  • ✅ User now has Admin role
  • ✅ Additional admin functionality is visible in the UI
  • ✅ User appears in the Barndoor Admins user group
Role mapping is working! Users in the Okta admin group automatically receive admin permissions.

Step 4: Test User Offboarding (Remove Admin Access)

1

Remove User from Admin Group in Okta

In Okta, go to Directory → Groups → Barndoor Admins.
Remove the test user from the Barndoor Admins group.
2

Log Out and Back In

In Barndoor, sign out and log back in with the test user.
3

Verify Standard User Access

Confirm that:
  • ✅ User is now a standard user (no longer admin)
  • ✅ Admin-only functionality is no longer visible
  • ✅ User group reflects the change
Changes to Okta group membership are reflected immediately upon next login to Barndoor.

Step 5: Remove SSO Connection (Optional)

If you need to disconnect the Okta integration:
1

Navigate to IdP Settings

Go to Settings → Identity Provider in Barndoor.
2

Remove Connection

Click Remove SSO Connection (or similar option).
Confirm the removal when prompted.
3

Verify SSO Disabled

Log out and attempt to log in with an enterprise user.
Expected result: Login should fail since SSO is now disconnected.
Removing the SSO connection will immediately revoke access for all users who authenticate via Okta. Only users with direct Barndoor credentials will be able to log in.

Summary

You’ve successfully configured Okta integration with Barndoor! Here’s what you accomplished:
  • Connected Okta for SSO/OIDC authentication
  • Enabled automatic role provisioning based on Okta groups
  • Tested user onboarding (SSO login and admin access)
  • Tested user offboarding (removed admin access via Okta)
  • Verified SSO disconnection process

Key Benefits

  • Centralized authentication: Users log in via Okta
  • Automated role management: No manual user provisioning needed
  • Streamlined onboarding: New employees automatically get access
  • Instant offboarding: Removing users from Okta immediately revokes access

Troubleshooting

Common causes:
  • Incorrect Client ID or Client Secret
  • Okta app not configured with the correct sign-in redirect URI
  • OIDC endpoints not properly discovered
  • Domain mismatch
Solution: Double-check credentials in both Barndoor and Okta. Confirm the Sign-in redirect URI in Okta exactly matches the Redirect URI Barndoor generated. Re-test the connection and review the Okta System Log.
Common causes:
  • Group name mismatch (case-sensitive)
  • User not actually in the Okta group
  • OIDC groups claim is missing from the ID token or UserInfo response
  • Okta sends group IDs or a different claim name instead of the group display name
  • Role mapping not saved properly
Solution: Verify the exact group name in Okta matches the Barndoor configuration. Confirm user membership in the Okta group. Use Okta’s Token Preview to confirm the token includes groups with the expected value, such as Barndoor Admins. Re-save role mapping settings and have the user sign out and back in.
Common causes:
  • Users not assigned to the Okta application
  • Okta application deactivated or suspended
  • Network/firewall blocking communication
Solution: Verify users are assigned to the Barndoor application in Okta (Applications → Barndoor app → Assignments). Check the Okta app status. Test the connection from Barndoor settings.

Recap

Value | Where it comes from | Where it goes
Client ID | Okta app → General → Client Credentials | Barndoor Client ID
Client Secret | Okta app → General → Client Credentials | Barndoor Client Secret
Issuer URL (https://<your-org>.okta.com) | Okta org URL | Barndoor Issuer URL
Redirect URI | Barndoor SSO setup | Okta app → General → Sign-in redirect URIs
groups claim filter | Okta app → Sign On → OpenID Connect ID Token | Emitted in token for Barndoor role mapping
You’ve now connected Okta to Barndoor for SSO and automatic role provisioning.