This guide walks you through setting up an OIDC integration with Okta for Single Sign-On (SSO) in Deel.
In this article:
Before you begin
Before proceeding, check out the initial How to configure OpenID article.
How to connect the OpenID Connect integration
To set up SSO using the OIDC protocol, you need to connect to the OpenID Connect integration. Only organization admins are able to connect integrations on behalf of the organization.
1. Select the More icon and click on the App tab once logged in
2. Look for OpenID Connect and click on it.
3. Now click on "Connect OpenId Connect" and enter the integration set up. Keep this screen open to get the values from Okta.
How to set up a new Okta application
To enable Deel to authenticate users via Okta using OIDC protocol, we'll need to create a new application, following these steps:
1. Go to Okta admin dashboard
2. Applications > Applications > Create App Integration
3. Select "OIDC - OpenID Connect" and "Web Application"
4. Enter the display name for the application, for example, "Deel". Upload a Deel logo from Deel's Brand Assets.
5. Leave sign-in redirect URIs as it is for now
6. Under "Assignments" choose the desired access control to the SSO Application and save.
7. After saving, the general settings for the application will be available. Copy the "Client ID" and paste it in Deel's integration settings.
8. Copy the "Client Secret" and also paste the value in Deel's integration settings.
9. Still in Deel's settings, enter Okta well-known URL. It should be https://<your-okta-domain>.okta.com/.well-known/openid-configuration (replace <your-okta-domain> with actual Okta domain). Click "Connect & Go To Settings".
10. The Single Sign-On configurations panel will now be available. Enter the name to identify the SSO method in an organization custom domain, and copy the Redirect URL.
11. Back to the Okta settings, click on General Settings "Edit" button.
12. Paste the redirect URL from Deel in "Sign-in redirect URIs".
13. Change "Login initiated by" to "Either Okta or App".
14. Select "Display application icon to users"
15. Paste the redirect URL from Deel on "Initiate login URL", and click "Save".
16. Back to Deel's SSO configuration, click on "Enable" to enable SSO login. Once enabled, the organization will require SSO for any employee to login.
To disable SSO at any given time, go back to this integration, and click on More > Disconnect.
Troubleshooting OIDC Authentication Errors
If users experience 400 authentication errors after OIDC is enabled, this typically indicates that the stored credentials (Client ID or Client Secret) are no longer valid or have been regenerated.
Re-entering OIDC Credentials
If authentication fails with a 400 error:
- In Deel, go to More > Apps and search for OpenID Connect.
- Click on the existing OpenID Connect integration.
- Click More › Edit Settings (or Manage).
- You will see the fields for Client ID, Client Secret, and Well-Known URL.
-
In Okta, generate new credentials if needed:
- Go to Applications › Applications and open your Deel OIDC application.
- In the General Settings, under Client Credentials, you can rotate the Client Secret by clicking the rotate icon.
- Copy the new Client ID and Client Secret.
- Return to Deel and paste the updated Client ID and Client Secret into the corresponding fields.
- Click Save or Update to apply the changes.
- Test authentication by logging out and attempting to log back in via SSO.
If 400 errors persist after re-entering credentials, verify in Okta that:
- The Redirect URL in Deel's integration settings matches the Redirect URI configured in Okta General Settings.
- The service account has the correct permissions enabled.
- The well-known/OpenID configuration URL is still valid and accessible.