# Single Sign-On (SSO) For this guide we will be looking at setting up an **application** and also possibly configuring an **access policy** for the authorization server in Okta. While this guide is using Okta as an example, other OIDC or SAML2 providers, including Azure, can be used as well. {% hint style="info" %} SSO is an additional Enterprise feature. Contact Duplicati sales or support if you need SSO enabled for your license or trial {% endhint %} ### Create a Duplicati application in Okta 1. Sign in to your Okta account. 2. Navigate to the **Admin** page. 3. In the left menu, select **Applications**. {% hint style="info" %} Ensure you have an Okta account available with **super admin rights**. {% endhint %}

### Choose sign-in method and application type In the daiglog for creating the application, choose these two options: * **Sign-in method:** `OIDC - OpenID Connect` * **Application type:** `Web Application` Then click **Next**.

### Configure the Duplicati application in Okta 1. Choose a suitable application name, such as **Duplicati**. 2. Note that **Sign-in redirect URIs** must be provided later — leave it at default for now. 3. Set **controlled access**, preferably limiting access to selected groups for better control.

### Configure Access Policies for the Duplicati application in Okta 1. Go to **Security → API**. 2. Here you can: * Retrieve the **Metadata URI** needed for SSO configuration in Duplicati. * Verify existing **access policies**. If no access policies are present, or you want another one: 1. Click **Add New Access Policy**. 2. Configure it to match your security requirements.

*** ## Add Okta SSO to Duplicati 1. In the **Duplicati Console**, go to the [**Settings**](https://dev-app.duplicati.com/app/settings) page. 2. Click the **SSO** tab. 3. The **bold SSO name** (example shown as “SSO Demo”) is **case-sensitive** and is required later at login. 4. Click **New SSO Configuration** and choose **Add OIDC**. {% hint style="info" %} If the SSO tab is not visible, SSO may not be enabled for your organization; contact Duplicati sales or support. {% endhint %}

### Configure the OIDC connection in Duplicati Console To configure OIDC, fill in values from the Okta application. * **Name:** Used to identify the login method for users. A suggested name is **Okta**. * **Notes:** Free text, only used in this dialog. * **Default security group:**\ New users must be assigned to a group to join the organization.\ Select the standard **owner** group created with the organization. {% hint style="info" %} The default group affects only users who have **not yet logged in** to Duplicati Console. It will **not change** the group(s) of existing users. {% endhint %}

### Enter Client ID, Client Secret, and Metadata URI 1. In Okta, open your application page. 2. Copy: * **Client Id** * **Client secret** 3. Paste both into the Duplicati Console OIDC dialog.

#### Metadata URI 1. In Okta, go to **Security → API → Settings**. 2. Copy the **Metadata URI** and paste into the **metadata address** field in Duplicati.

**If Metadata URI is not shown (some Okta plans):** Use your Okta domain (from the Okta URL or Issuer field) in: ``` https://{yourOktaDomain}/.well-known/openid-configuration ``` ### Initial configured OIDC dialog Your configuration should look similar to the example shown in the guide once the fields are filled.

## Updating Okta for the connection When creating the Okta app earlier, the redirect URI was left at default because it wasn’t available yet. Now we will update it. ### Obtain the redirect URI 1. In **Duplicati Console**, open the SSO configuration list. 2. For the relevant SSO configuration, open the action menu. 3. Click the **copy** button to copy the redirect URI.

### Configure redirect URI in Okta 1. In Okta, open your application front page. 2. Scroll to **General Settings**. 3. Click **Edit**. 4. Paste the redirect URI into **Sign-in redirect URIs**. 5. Click **Save**.

*** ## Sign in with Okta SSO Once configured, you can log in with Okta. ### Add Okta login to your existing account 1. In Duplicati Console, go to [your **Account** page](https://dev-app.duplicati.com/app/settings/account). 2. Click **Add login account**. 3. Choose the new Okta integration. This allows your current account to be accessed with either login method.

*** ### New users logging in with Okta 1. Log out of Duplicati Console. 2. On the login screen, choose **Sign in with SSO**. 3. Enter your organization’s **SSO name** (case-sensitive). * The name appears on the SSO configuration page. * If not, obtain it from Duplicati Inc. 4. After entering a valid name, you’ll see available login options. * Typically there is one option, but multiple can be configured. 5. Click the login button to be redirected to Okta and complete sign-in.

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.duplicati.com/duplicati-console/single-sign-on-sso.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.