Resources

Documentation

Everything you need to get started, integrate, and get the most out of Topogy.

Configuring Okta SSO for Topogy

This guide walks your Okta admin through connecting Topogy to your Okta using Express Configuration in the Okta Integration Network (OIN). Express Configuration sets up the connection automatically — there are no client IDs or secrets to copy between Okta and Topogy.

Once SSO is live, users can sign in with their Okta credentials and Topogy creates their account on first sign-in (JIT provisioning). Admins assign Topogy roles per-user inside the app. If you want Okta group memberships to drive role assignment automatically, set up the Okta Group Sync integration after completing this guide.

Prerequisites

Before you start:

  • Admin access to your Okta tenant — enough to add an application from the OIN catalog and manage assignments.
  • Topogy has provisioned your organization. Express Configuration connects your Okta into the organization Topogy sets up for you, so coordinate with your Topogy contact first. They'll confirm your organization is ready and that the administrator who runs the steps below can approve the connection.

Supported features

The Topogy OIDC integration supports:

  • OIDC Single Sign-On — your users sign in to Topogy using their Okta credentials. SP-initiated and IdP-initiated flows both work.
  • Just-In-Time (JIT) user provisioning — Topogy creates the user record on first successful sign-in. No pre-provisioning required.

Not supported in this listing:

  • SAML SSO — only OIDC is offered here.
  • Automatic group-to-role mapping — that requires the separate Okta Group Sync integration.

Configuration steps

1. Add Topogy from the Okta App Catalog

In the Okta Admin Console, open Applications → Browse App Catalog, search for Topogy, and click Add Integration.

2. Run Express Configuration

On the Topogy application, choose Express Configure SSO. Okta redirects you to Topogy's identity provider, where you will:

  1. Select your organization.
  2. Sign in as an administrator authorized to set up the connection.
  3. Approve creating the SSO connection.

When the flow completes, the OpenID Connect connection between your Okta and Topogy is created automatically. There are no credentials to copy or send to Topogy, and there's no authorization-server setup to do by hand.

3. Assign users to the application

On the Topogy application's Assignments tab, assign the people (or groups) who should be able to sign in. Okta enforces this list, so anyone not assigned won't reach Topogy via SSO.

4. First sign-in

Once a user signs in for the first time, Topogy creates their account automatically (JIT) and gives them Topogy's default role. From there, roles can be assigned in one of two ways:

  • Per user, inside Topogy — your Topogy admin assigns roles under Settings → Members. This works with SSO alone; no further Okta setup is needed.
  • Automatically from Okta groups — to have a user's Okta group memberships drive their Topogy role, you must also set up the Okta Group Sync integration. SSO by itself carries no group information, so group-based role assignment requires the separate OIN API Service integration. See Okta Group Sync.

Signing in

From Topogy (SP-initiated):

  1. Go to Topogy's sign-in page and start sign-in.
  2. You're routed to your Okta sign-in page; authenticate with your Okta credentials (plus any MFA your tenant requires).
  3. Okta returns you to Topogy, signed in.

From Okta (IdP-initiated): click the Topogy tile in your Okta End-User Dashboard. Assigned users are taken to the Topogy login page with your Okta organization pre-selected; one click on "Log In" completes the sign-in with no further prompts.

Troubleshoot

  • A user can't reach Topogy via SSO — confirm they're assigned to the Topogy application (step 3). Okta enforces this list at sign-in.
  • Express Configuration didn't complete — confirm with your Topogy contact that your organization was provisioned and that the administrator running the flow is authorized to approve the connection.
  • Anything else — share the Okta System Log entry for the failed attempt (Reports → System Log) with your Topogy contact. The entry includes the exact request, the user, and the policy decision, which usually identifies the issue in one read.

For help during setup or any issues after going live, reach out to your Topogy contact or email support@topogy.com.

Next step — Enable Group Sync

SSO alone assigns no groups. After sign-in, users receive Topogy's default role and admins assign roles per-user inside the app.

To have Okta group memberships automatically drive role assignment in Topogy, install the Okta Group Sync integration. It uses a separate OIN API Service integration (not the OIDC app you just configured) to read group membership from Okta and pre-populate role mappings in Topogy.

Set up Okta Group Sync →