LogoLogo
Hotpot documentation
Hotpot documentationChangelog
Hotpot documentation
Hotpot documentationChangelog
  • Overview
  • Getting started
    • Connecting your tools
    • Common terms
  • Scheduling
    • Schedules
    • Multistage schedules
    • Page behavior
    • Shadowing
    • Availability
    • Stints
    • Coverage
    • Backstop behavior
    • Envelope
  • Users
  • Teams
  • Moments
  • Moment groups
  • Triage
  • Handoffs
  • Paging and notifications
  • Integrations
    • Datadog
    • GitHub
    • Grafana
    • Honeycomb
    • Linear
    • PagerDuty
      • PagerDuty OAuth
      • Syncing schedules to PagerDuty
    • Prometheus
    • Sentry
    • Slack
    • Webhooks
  • Authentication
    • Single sign-on with Okta
  • API
    • API Reference
      • Availability
      • Moment
      • Page
      • Request
      • Schedules
Powered by GitBook

© 2024 Oilcan, Inc. All rights reserved.

On this page
  • Creating the App Integration in Okta
  • Configuring Hotpot to use Okta
  • Sign-in URLs
  1. Authentication

Single sign-on with Okta

Hotpot supports SSO with Okta using OpenID Connect (OIDC).

PreviousAuthenticationNextAPI

Last updated 5 months ago

Hotpot does not yet have an application approved in the Okta Integration Network (OIN). To use Okta, you will have to create an application. This guide will be updated when Hotpot is available in the OIN.

Creating the App Integration in Okta

  1. Sign-in to your Okta administrator account

  2. Go to Applications, then click "Create App Integration"

  3. Select "OIDC - OpenID Connect", and for the next question for application type select "Web Application". Click Next, and on the subsequent configuration screen ensure the following are set:

    1. App integration name: "Hotpot" (or whatever suits you!)

    2. [Optional] If you'd like to use a logo, we will provide one

    3. Ensure Refresh token under Core Grants is selected

    4. Under Sign-in Redirect add

Configuring Hotpot to use Okta

Under Assignments, restrict access to a group or whatever works for your organization. This controls who is able to access Hotpot. Hotpot delegates access to Okta.

Do not require PKCE. PKCE is for applications where the Client secret is directly available to users.

Go to https://app.hotpot.works/sso/setup, and enter your organization's domain to complete setup. Enter the OpenID Issuer URL, OpenID Client ID, and OpenID Client Secret.

The OpenID Issuer URL is available in Okta, if you click your name in the top right corner it will be displayed under your email address, with a copy button:

Click the copy icon, then paste it into the OpenID Issuer URL field on the Hotpot setup screen. The Client ID and Client secret fields can be copy and pasted from the General configuration in the Okta application view for the application you created.

Once you add those fields, click Update configuration. You can now sign in to Hotpot via Okta.

Sign-in URLs

Users will sign in via https://app.hotpot.works/sso/okta. The domain can be sent as a parameter, e.g., https://app.hotpot.works/sso/okta?domain=yourcompany.com and Hotpot will automatically initiate the sign-in process.

If users attempt to sign in with a username and password, Hotpot will not give any indication that the email is matched to an SSO-managed account. Users will need to sign-in via the SSO URL.