# Setup auth provider

> Create an OIDC app integration in Okta and configure Portal to use it as the sign-in authentication provider.

<Warning>
  It is important to follow all the steps in this guide to ensure a successful configuration of Okta authentication.

  If you encounter any issues, [please contact support](https://backstage.spotify.com/account/support/).
</Warning>

Portal includes a built-in Okta authentication provider that uses OAuth for user authentication. To enable Okta authentication for your Portal instance, follow these steps.

## Create an App Integration in Okta

Within your Okta dashboard, create a new app integration where the sign-in method is `OIDC - OpenID Connect`.
In addition, your application type should be set to `Web Application`.

Once created, you can fill out the new web app integration form:

1. App integration name: "Spotify Portal" (or your own custom app name)
2. Grant type: Authorization Code & Refresh Token
3. Sign-in redirect URIs: `https://<your-organization>.spotifyportal.com/api/auth/okta/handler/frame`
4. Sign-out redirect URIs: `https://<your-organization>.spotifyportal.com`
5. Store your Client ID, then generate and store your Client Secret
6. Click Save

> For more information on how to create an OIDC app integration in Okta, refer to the [Okta documentation](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm).

## Configure the Authentication Provider in Portal

Next, set up the authentication provider in Portal:

1. Open **App Settings** in Portal and navigate to **Auth**.
2. Scroll to `auth.providers.okta`
3. Add a new configuration entry with "Key name" of `production`
4. Enter the following details from your Okta Web App Integration:

* `Client ID`
* `Client secret`
* `Audience` (URL of your Okta instance, e.g. `https://<your-company>.okta.com`)

<Frame>
  <img src="https://mintcdn.com/spotify-89f50c35/kykdsAI0E-YoCN7A/portal/assets/okta-auth-app-credentials.png?fit=max&auto=format&n=kykdsAI0E-YoCN7A&q=85&s=b478e3a26431da4e3d01ee21487681c9" alt="Add app credentials" width="2358" height="1666" data-path="portal/assets/okta-auth-app-credentials.png" />
</Frame>

In the **Use for Sign in** section, select `Enable` and keep `Email matching user entity profile email` as **Resolve strategy**.

<Frame>
  <img src="https://mintcdn.com/spotify-89f50c35/kykdsAI0E-YoCN7A/portal/assets/okta-auth-sign-in-resolver.png?fit=max&auto=format&n=kykdsAI0E-YoCN7A&q=85&s=0608337ce08037fce229a184e3301c1b" alt="Add sign in resolver" width="1281" height="650" data-path="portal/assets/okta-auth-sign-in-resolver.png" />
</Frame>

Click **Save changes**.

Your Portal instance is now set up to authenticate users via Okta.
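
Okta compares redirect URIs exactly, so a trailing slash, an `http` scheme, or the admin console hostname pasted as the audience is enough to break sign-in. The following pre-flight check is an added example, not part of Portal or Okta: the function names are hypothetical, the redirect path and `spotifyportal.com` suffix come from this guide, and the "bare URL, no trailing slash" rule is an assumption taken from the form the guide shows.

```python
from urllib.parse import urlsplit

# Path and domain suffix come from the guide; callers supply their own values.
REDIRECT_PATH = "/api/auth/okta/handler/frame"
PORTAL_SUFFIX = ".spotifyportal.com"


def _parse(url, label, problems):
    """Parse a URL and record problems that apply to every value in this setup."""
    if url != url.strip():
        problems.append(f"{label}: leading or trailing whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append(f"{label}: scheme must be https")
    if parts.query or parts.fragment or "@" in parts.netloc:
        problems.append(f"{label}: no query string, fragment or credentials")
    return parts


def check_okta_setup(sign_in_uri, sign_out_uri, audience):
    """Return a list of problems; an empty list means the values match the guide."""
    problems = []
    sign_in = _parse(sign_in_uri, "sign-in redirect URI", problems)
    sign_out = _parse(sign_out_uri, "sign-out redirect URI", problems)
    aud = _parse(audience, "audience", problems)

    host = sign_in.hostname or ""
    org = host[: -len(PORTAL_SUFFIX)] if host.endswith(PORTAL_SUFFIX) else ""
    if not org or "." in org:
        problems.append("sign-in redirect URI: host must be <org>" + PORTAL_SUFFIX)
    if sign_in.path != REDIRECT_PATH:
        problems.append("sign-in redirect URI: path must be exactly " + REDIRECT_PATH)
    if sign_out.hostname != sign_in.hostname or sign_out.path:
        problems.append("sign-out redirect URI: must be the bare Portal origin")
    aud_host = aud.hostname or ""
    if not aud_host or aud.path:
        problems.append("audience: expected the bare Okta instance URL, no path")
    # The Okta admin console lives on <company>-admin.<domain>; it is not the instance URL.
    if aud_host.split(".")[0].endswith("-admin"):
        problems.append("audience: this is the Okta admin console host")
    return problems
```

Run it against the values you entered in Okta and in **App Settings** before clicking **Save changes**; each returned string names the field to correct.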
