Okta SSO with NetBird Self-Hosted

Okta is a cloud-based identity and access management service for enterprise use, providing single sign-on, multi-factor authentication, and lifecycle management.

Management Setup (Recommended)

Add Okta as an external IdP directly in the NetBird Management Dashboard. This is the simplest approach and the one recommended for most deployments.

Prerequisites

  • NetBird self-hosted with embedded IdP enabled
  • Okta Workforce Identity Cloud account

Step 1: Start Creating the OIDC Application in Okta

  1. Navigate to the Okta Admin Dashboard
  2. Click Applications > Applications
  3. Click Create App Integration

Create app integration

  4. Select:
    • Sign-in method: OIDC - OpenID Connect
    • Application type: Web Application

OIDC Web Application

  5. Click Next
  6. Fill in:
    • App integration name: NetBird
    • Grant type: Authorization Code
    • Leave the Sign-in redirect URIs empty for now (you'll add the NetBird callback in Step 3)
  7. Under Assignments, select an option for controlled access:
    • Allow everyone in your organization to access (recommended for testing)
    • Limit access to selected groups (for production)
    • Skip group assignment for now (assign later)

Assignments

  8. Don't click Save yet: keep this tab open and proceed to Step 2

Step 2: Get the Redirect URL from NetBird

  1. Open a new tab or window and log in to your NetBird Dashboard
  2. Navigate to Settings > Identity Providers
  3. Click Add Identity Provider
  4. Fill in the fields:
    • Type: Okta
    • Name: Okta (or your preferred display name)
    • Client ID: from the Okta application (filled in after Step 3)
    • Client Secret: from the Okta application (filled in after Step 3)
    • Issuer: your Okta org URL without a trailing slash (e.g., https://your-org.okta.com). Use the issuer of whichever authorization server signs your tokens: for a custom authorization server (see Method 2 below) that is https://your-org.okta.com/oauth2/<authServerId>, not the bare org URL.
  5. Copy the Redirect URL that NetBird displays (but don't click Add Provider yet)

Copy redirect URL

Step 3: Complete the Okta Application Setup

  1. Return to the Okta tab
  2. In the Sign-in redirect URIs field, paste the redirect URL you copied from NetBird exactly as shown (Okta matches redirect URIs character for character, including any trailing slash)

Sign-in redirect URIs

  3. Click Save
  4. Note the Client ID and Client Secret; you'll need these for Step 4. Treat the secret as a credential: it belongs only in the NetBird provider form.

Client ID

Step 4: Complete the NetBird Setup

  1. Return to the NetBird tab
  2. Fill in the Client ID and Client Secret from Step 3

Complete configuration

  3. Click Add Provider

Step 5: Test the Connection

  1. Log out of NetBird Dashboard
  2. On the login page, you should see an "Okta" button
  3. Click it and authenticate with your Okta credentials
  4. You should be redirected back to NetBird and logged in. Unless you have changed the user approval setting, the new user still has to be approved: log back in with your local admin account and approve it.

Configuring JWT 'groups' Claim

To sync Okta groups with NetBird, you need to configure Okta to include a groups claim in the ID token. There are two methods, depending on which Okta authorization server issues your tokens.

Method 1: Org Authorization Server

This method works with Okta's org authorization server and is the simplest approach:

  1. In the Okta Admin Console, go to Applications > Applications
  2. Select your NetBird application
  3. Go to the Sign On tab
  4. Click Edit in the OpenID Connect ID Token section
  5. Under Groups claim type, select Filter
  6. In Groups claim filter:
    • Claim name: groups
    • Filter: select Matches regex and enter .* (to include all groups)
  7. Click Save

The .* filter puts every group the user belongs to into the ID token, including Okta's built-in Everyone group. For production, narrow the regex to the groups NetBird actually needs (for example ^netbird-.*), both to keep tokens small and to avoid disclosing unrelated group names to NetBird.

Groups claim configuration

Method 2: Custom Authorization Server

If you're using a custom authorization server (required if the claim must also appear in access tokens):

  1. In the Okta Admin Console, go to Security > API
  2. Select your custom authorization server
  3. Go to the Claims tab
  4. Click Add Claim
  5. Configure the claim:
    • Name: groups
    • Include in token type: ID Token (select Always)
    • Value type: Groups
    • Filter: select Matches regex and enter .*
  6. Click Create

With this method, the Issuer entered in NetBird (Step 2) must be the custom authorization server's URL, https://your-org.okta.com/oauth2/<authServerId>, rather than the bare org URL. NetBird discovers the authorization and token endpoints from that issuer, so pointing it at the org URL means the org server issues the tokens and the claim you just created never appears.

Custom authorization server groups claim configuration

Enable JWT Group Sync in NetBird

After configuring Okta:

  1. In the NetBird Dashboard, go to Settings > Groups
  2. Enable JWT group sync
  3. Set JWT claim to groups
  4. Optionally configure JWT allow groups to restrict access
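Before turning on group sync, it is worth confirming that Okta really puts the claim into the token: copy an ID token from a test login (or, for a custom authorization server, from its Token Preview tab) and inspect its claims. The script below is an added example and is not NetBird's or Okta's code. It constructs two sample tokens inline (one with a groups claim, one without, as Okta sends before Method 1 or 2 is configured), signed with a throw-away HS256 key only so that they have a valid three-part structure; real Okta tokens are RS256-signed and verified by NetBird against the issuer's JWKS. The script deliberately does not verify signatures, since its purpose is only to show which claims are present. The allowed_by_groups function mirrors the intent of the JWT allow groups setting and is an illustration, not NetBird's implementation. Issuer, client ID, user and group names are placeholders.

```python
"""Inspect the 'groups' claim in an Okta-issued ID token (added example)."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature.
    Use only for inspection; never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def groups_from_token(token: str, claim: str = "groups") -> list[str]:
    """Return the group list carried in `claim`, or [] if Okta omitted it."""
    value = decode_unverified(token).get(claim, [])
    if isinstance(value, str):  # a lone group may arrive as a bare string
        value = [value]
    return list(value)


def allowed_by_groups(token: str, allow_groups: list[str], claim: str = "groups") -> bool:
    """Illustrates the intent of NetBird's 'JWT allow groups' setting (not its code):
    with an allow list set, the user must be in at least one listed group;
    an empty allow list means no restriction."""
    if not allow_groups:
        return True
    return bool(set(groups_from_token(token, claim)) & set(allow_groups))


def make_sample_token(claims: dict, key: bytes = b"example-key") -> str:
    """Build an HS256-signed JWT with the given claims (constructed sample only)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# Constructed sample shaped like an org-server ID token after the '.*' filter
# is configured; issuer, aud, sub and groups are placeholders.
SAMPLE_WITH_GROUPS = make_sample_token({
    "iss": "https://your-org.okta.com",
    "aud": "0oaexampleclientid",
    "sub": "00uexampleuser",
    "email": "alice@example.com",
    "iat": 1700000000,
    "exp": 1700003600,
    "groups": ["Everyone", "netbird-admins", "engineering"],
})

# Same user before the groups claim was configured: no 'groups' at all.
SAMPLE_WITHOUT_GROUPS = make_sample_token({
    "iss": "https://your-org.okta.com",
    "aud": "0oaexampleclientid",
    "sub": "00uexampleuser",
    "email": "alice@example.com",
    "iat": 1700000000,
    "exp": 1700003600,
})

if __name__ == "__main__":
    for name, tok in (("with groups", SAMPLE_WITH_GROUPS),
                      ("without groups", SAMPLE_WITHOUT_GROUPS)):
        print(f"{name}: groups={groups_from_token(tok)} "
              f"allowed(netbird-admins)={allowed_by_groups(tok, ['netbird-admins'])}")
```

If the second shape is what you see from a real login, Okta is not emitting the claim: go back to Method 1 or 2 and check the claim name, the regex, and (for Method 2) that the NetBird issuer points at the custom authorization server.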

Standalone Setup (Advanced)

Use Okta as your primary identity provider instead of NetBird's embedded IdP. This option gives you full control over authentication and user management, but it requires additional setup and ongoing maintenance, so it is recommended only for experienced Okta administrators.

For most deployments, the embedded IdP is the simpler choice: it's built into NetBird, fully integrated, and needs minimal configuration to get started. For that approach, see the Management Setup (Recommended) section above.

For detailed instructions on the standalone setup, see the Okta SSO with NetBird Self-Hosted (Legacy) documentation.


Troubleshooting

"Invalid redirect URI" error

  • Ensure the redirect URL NetBird displayed in Step 2 is registered under Sign-in redirect URIs in the Okta application
  • Check for trailing slashes and for scheme, host or port differences; Okta requires an exact string match
  • Verify the application was created as a Web Application; Single-Page and Native app types are public clients without a client secret and won't work with this setup

"Invalid issuer" error

  • In the Okta application's Sign On settings (OpenID Connect ID Token section), ensure Issuer is set to your Okta URL, not Dynamic (based on request domain); with Dynamic, the iss claim in the token follows the domain the request came through and may not match what NetBird expects
  • Verify that https://your-org.okta.com/.well-known/openid-configuration (or the custom authorization server's equivalent) returns valid JSON and that its issuer field matches the Issuer you entered in NetBird exactly, with no trailing slash
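Both errors come down to exact string comparisons, and both are quick to check outside the browser. The script below is an added example, not NetBird's or Okta's code. fetch_discovery downloads a live discovery document; the checks themselves are written against a constructed document shaped like an Okta org authorization server's so they run offline. The NetBird callback path and the Okta org name are placeholders, not values taken from the page.

```python
"""Offline checks for the issuer and redirect URI mismatches above (added example)."""
import json
import urllib.request

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def fetch_discovery(issuer: str) -> dict:
    """Download <issuer>/.well-known/openid-configuration and parse it (uses the network)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())


def check_issuer(configured: str, discovery: dict) -> list[str]:
    """Return a list of problems; an empty list means the issuer is consistent.
    OIDC clients compare the discovery document's 'issuer' with the configured
    value character for character, so a trailing slash, a wrong scheme, or a
    Dynamic issuer in Okta's Sign On settings all surface here."""
    problems = []
    missing = [k for k in REQUIRED_KEYS if k not in discovery]
    if missing:
        problems.append(f"discovery document missing keys: {missing}")
    if not configured.startswith("https://"):
        problems.append("issuer must use https")
    if configured.endswith("/"):
        problems.append("issuer has a trailing slash; Okta issuers do not")
    advertised = discovery.get("issuer")
    if advertised is not None and advertised != configured:
        problems.append(f"configured issuer {configured!r} != advertised {advertised!r}")
    return problems


def redirect_uri_matches(registered: list[str], requested: str) -> bool:
    """Okta compares redirect URIs as exact strings: scheme, host, port, path and
    trailing slash must all agree, so no normalisation is applied on purpose."""
    return requested in registered


# Constructed discovery document shaped like an Okta org authorization server's.
SAMPLE_DISCOVERY = {
    "issuer": "https://your-org.okta.com",
    "authorization_endpoint": "https://your-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://your-org.okta.com/oauth2/v1/keys",
    "userinfo_endpoint": "https://your-org.okta.com/oauth2/v1/userinfo",
}

# Assumed placeholder for the Redirect URL NetBird shows in Step 2.
NETBIRD_REDIRECT = "https://netbird.example.com/oauth2/callback"

if __name__ == "__main__":
    print(check_issuer("https://your-org.okta.com", SAMPLE_DISCOVERY))
    print(check_issuer("https://your-org.okta.com/", SAMPLE_DISCOVERY))
    print(redirect_uri_matches([NETBIRD_REDIRECT], NETBIRD_REDIRECT + "/"))
    # Against a live tenant: check_issuer(issuer, fetch_discovery(issuer))
```

Run check_issuer against fetch_discovery of the exact Issuer string you typed into NetBird; if the advertised issuer differs, fix the Sign On setting in Okta or the value in NetBird rather than editing the discovery output.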