PPM Express Help Center


How to set up Okta authentication

In this article, we explain how Okta authentication works in PPM Express, including how to configure it and how users sign in.

Configuring Okta authentication requires setup on both the Okta side and the PPM Express side.

Please note that it is not possible to sign up for PPM Express using Okta authentication. The tenant must first be created using the Email authentication method. After the tenant is created and the Okta authentication type is enabled, an administrator can configure Okta authentication, allowing users from the Okta tenant to be automatically registered in PPM Express upon sign-in. To learn more about enabling Okta authentication for your PPM Express tenant, please contact our Support team at support@ppm.express.

It is very important not to remove the original admin account until Okta authentication is fully configured and verified.

Before removing or replacing this account, make sure to:

  • Verify that Okta login works correctly
  • Ensure that at least one Okta user has Administrator permissions
  • Confirm that administrators can successfully sign in via Okta

Removing the original admin account too early may result in loss of access to the tenant.

Once Okta login is fully verified, you can choose to keep or disable other authentication providers according to your organization’s security policy.


Okta Application Configuration

In Okta, every external service that users sign in to must be represented as an application.

To create the application for PPM Express in Okta, perform the following: 

1. Create the application

  • Sign in to the Okta Admin Console.
  • Navigate to Applications, then select Create App Integration to create a new application.

  • Select OIDC - OpenID Connect as the sign-in method.
  • Choose Web Application.

  • Type in the name of the application. 
  • Make sure the Authorization Code grant type is selected.

Scroll down to the Assignments section. 

2. Assign users to the application

Okta applications must be assigned to users or groups. Only assigned users will see the PPM Express app on their Okta End User Dashboard and be able to sign in. 

There are three available options, all of which are valid and depend on how your organization manages access: 

  • Allow everyone in your organization to access
  • Limit access to selected groups
  • Skip group assignments for now (in this case, users will need to be assigned later)

Click Save.

3. Configure application settings

After the application is created, navigate to its General Settings, click Edit, and under the LOGIN section, configure the following:

  • Sign-in redirect URIs 
  • Sign-out redirect URIs
  • Initiate login URI

These three values are generated in PPM Express -> Tenant Settings. To display and copy them, follow these steps:

  • Navigate to Tenant Settings -> Features and Modules -> Enable the Okta Authentication option

  • Scroll down to the Okta Authentication section 
  • Click Show Okta configuration URLs

  • Copy the three values one by one

  • Paste them into the corresponding fields in Okta.
  • Switch the Login initiated by setting to Either Okta or APP
  • Check the Display application icons to users checkbox
  • Leave the Login flow setting at its default
  • Click Save

4. Configure API settings

After the application is created and configured, navigate to the Security section -> API and perform the following:

  • Under the Authorization Services, click Edit on the default one

  • Switch to the Access Policies tab, then click Add New Access Policy.

  • Type in the name and the description.
  • If the "All clients" option is selected, click Create Policy.
    If the "The following client" option is selected, add the app for PPM Express first, then click Update Policy.

  • Open the newly created policy for editing. Under the Scopes requested, choose: openid, profile, email
  • Configure the token access and refresh lifetimes as needed.
  • Click Update Rules to save. 


Okta Authentication Configuration in PPM Express

Once the Okta configuration is complete, proceed with the Okta authentication setup in PPM Express. To do this, open PPM Express -> Tenant Settings -> Features and Modules, and ensure Okta Authentication is enabled.

Scroll down to Okta Authentication settings. Click Edit Section on the right and paste the Okta Domain, Client ID, and Client Secret from Okta into PPM Express. 

  • Okta Domain
    Use the URL copied from the End User Dashboard, not from the Okta Admin Console. URLs from the Admin Console will not work for authentication.
  • Client ID
    Open Okta -> Applications -> open the application created for PPM Express -> General -> Client Credentials section -> Copy the Client ID. 

  • Client Secret
    On the same page as the Client ID, under the Client Secrets section, copy the Client Secret.
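
A pre-flight check for the Okta Domain value and the API settings above, as an added example that is not PPM Express or Okta code: it rejects Admin Console URLs and compares the default authorization server's OIDC discovery metadata with the scopes and grant type this article selects. The `-admin` host suffix test, the `/oauth2/default` discovery path, the `example.okta.com` tenant and the sample metadata are assumptions or constructed values.

```python
from urllib.parse import urlsplit

# Settings this article selects on the Okta side.
REQUIRED_SCOPES = {"openid", "profile", "email"}
REQUIRED_GRANT = "authorization_code"


def normalize_okta_domain(value: str) -> str:
    """Return the bare https origin, rejecting Admin Console URLs."""
    parts = urlsplit(value.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Okta Domain must be an https:// URL")
    host = parts.hostname.lower()
    # Assumption: Admin Console hosts carry an "-admin" suffix on the org
    # label (example-admin.okta.com); the End User Dashboard host does not.
    if host.split(".")[0].endswith("-admin"):
        raise ValueError("Admin Console URL given; use the End User Dashboard URL")
    return f"https://{host}"


def discovery_url(domain: str) -> str:
    """OIDC discovery document of the 'default' authorization server (assumed path)."""
    return f"{normalize_okta_domain(domain)}/oauth2/default/.well-known/openid-configuration"


def check_discovery(domain: str, doc: dict) -> list[str]:
    """Compare fetched discovery metadata against the article's settings."""
    problems = []
    origin = normalize_okta_domain(domain)
    if not doc.get("issuer", "").startswith(origin + "/"):
        problems.append("issuer does not belong to the configured Okta Domain")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    if REQUIRED_GRANT not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not offered")
    return problems


# Constructed sample of the JSON served at discovery_url() (not real output);
# "email" is left out on purpose to show a failing check.
SAMPLE_DOC = {
    "issuer": "https://example.okta.com/oauth2/default",
    "scopes_supported": ["openid", "profile", "offline_access"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

if __name__ == "__main__":
    print(discovery_url("https://example.okta.com/app/UserHome"))
    print(check_discovery("https://example.okta.com", SAMPLE_DOC))
```

Fetch the JSON at the printed discovery URL from your own tenant and pass it to `check_discovery` in place of `SAMPLE_DOC`; an empty list means the metadata matches the settings chosen in this article.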

Once Okta authentication is configured, the Okta authentication type will appear and can be enabled in the Tenant Settings -> Organization Authentication section.

Recommended settings: 

  • Autoregistration: On
  • Open Invites: Off
  • Email: On (Email or any other provider that was used to create the PPM Express tenant must be on until Okta authentication is fully configured and tested). 
  • Office365: Off
  • Gmail: Off
  • Okta: On
  • Default authentication provider for invitations: Okta

After enabling Okta, you must link the Okta organization to PPM Express. This is also done from the Tenant Settings -> Organization Authentication section. 

Click Link organization in the corresponding prompt, select Okta, and then click Link.


Using Okta Login in PPM Express

Once the configuration is complete, Okta becomes an additional login option that works the same way as other authentication providers.

To sign in to PPM Express, users can perform the following:

  • Open the Okta End User Dashboard -> My Apps
  • Click the application created for PPM Express (the app appears for all assigned users)

They will be automatically redirected and signed in to the correct PPM Express tenant.

This is the most reliable and recommended login flow.

Another way to sign in is using the tenant-specific login URL. The Okta authentication page will appear on the PPM Express login page when users navigate to the tenant-specific login URL.

