
## Requirements

* You must be the `Admin` of the Statsig Organization to which you intend to add SSO with Okta.
* You must be the Administrator of the Okta account you want to link.

## Supported Features

Statsig supports the OIDC protocol for SSO with the following flows:

* Service Provider (SP)-Initiated Authentication for Single Sign-On (SSO). This flow starts when you log in on the Statsig website.
* Identity Provider (IdP)-Initiated Authentication for SSO. This flow starts when you launch the Statsig App from Okta.
* Just-In-Time (JIT) provisioning for SSO. Upon successful first-time login, Statsig automatically provisions an account for the user.

## Configure SSO with Okta

### Adding the Statsig OIDC Application in Okta

1. Navigate to your Okta portal.
2. On your Okta portal, click `Applications` in the left-hand column, then click `Applications` in the dropdown.
   {% figure %}
   ![Okta portal navigation highlighting Applications menu](/images/access-management/sso/okta_sso/129780676-c04bd2fb-83ed-4d17-9ae2-4e286f2b3b52.png)
   {% /figure %}
3. On the Applications page, click on the `Browse App Catalog` button.
   {% figure %}
   ![Okta Applications page with Browse App Catalog button](/images/access-management/sso/okta_sso/129780681-c48a6012-a882-475a-bbc9-924ec1391126.png)
   {% /figure %}
4. On the App Catalog page, use the search box to search for Statsig and click on the Statsig OIDC Application.
5. In the Statsig Application, click on the `Add` button.
   {% figure %}
   ![Statsig app listing within Okta catalog showing Add button](/images/access-management/sso/okta_sso/129780685-e6e141c6-8fdf-42f0-8ed6-edc734f4c2a7.png)
   {% /figure %}
6. After creating the Statsig OIDC Application in Okta, go to the `Sign On` tab to find the `Client ID` and `Client Secret` fields. You need both values to enable SSO on the Statsig Project. Statsig automatically configures the sign-in and sign-out redirect URIs.
   {% figure %}
   ![Okta Sign On tab showing Client ID and Client Secret values](/images/access-management/sso/okta_sso/129780687-bacc68c7-4fb1-4740-bb3e-a7c6b27d006e.png)
   {% /figure %}

After completing these steps, you have configured the Statsig OIDC Application in Okta. Navigate to [SSO configuration on your Statsig Organization](/access-management/sso/overview#in-statsig-console) to finish setup.

## SP-Initiated SSO

1. Navigate to https://console.statsig.com/sso
2. Enter your email address and click "Authenticate".
3. Statsig redirects you to authenticate with Okta. If prompted, enter your Okta credentials.
4. After you authenticate, Statsig redirects you and logs you in.

### Proof Key for Code Exchange (PKCE)

Statsig doesn't currently support the PKCE Flow, so you need to turn off the feature in Okta when you enable SSO with Statsig.
