Single sign-on with Okta

Hotpot supports SSO with Okta using OpenID Connect (OIDC).

Hotpot does not yet have an application approved in the Okta Integration Network (OIN). To use Okta, you will have to create an application. This guide will be updated when Hotpot is available in the OIN.

Creating the App Integration in Okta

Sign-in to your Okta administrator account
Go to Applications, then click "Create App Integration"
Select "OIDC - OpenID Connect", and for the next question for application type select "Web Application". Click Next, and on the subsequent configuration screen ensure the following are set:
1. App integration name: "Hotpot" (or whatever suits you!)
2. [Optional] If you'd like to use a logo, we will provide one
3. Ensure Refresh token under Core Grants is selected
4. Under Sign-in Redirect add

Configuring Hotpot to use Okta

Under Assignments, restrict access to a group or whatever works for your organization. This controls who is able to access Hotpot. Hotpot delegates access to Okta.

Do not require PKCE. PKCE is for applications where the Client secret is directly available to users.

Go to https://app.hotpot.works/sso/setup, and enter your organization's domain to complete setup. Enter the OpenID Issuer URL, OpenID Client ID, and OpenID Client Secret.

The OpenID Issuer URL is available in Okta, if you click your name in the top right corner it will be displayed under your email address, with a copy button:

Click the copy icon, then paste it into the OpenID Issuer URL field on the Hotpot setup screen. The Client ID and Client secret fields can be copy and pasted from the General configuration in the Okta application view for the application you created.

Once you add those fields, click Update configuration. You can now sign in to Hotpot via Okta.

Users will sign in via https://app.hotpot.works/sso/okta. The domain can be sent as a parameter, e.g., https://app.hotpot.works/sso/okta?domain=yourcompany.com and Hotpot will automatically initiate the sign-in process.

If users attempt to sign in with a username and password, Hotpot will not give any indication that the email is matched to an SSO-managed account. Users will need to sign-in via the SSO URL.

PreviousAuthentication NextAPI

Last updated 5 months ago

Creating the App Integration in Okta

Sign-in to your Okta administrator account

Go to Applications, then click "Create App Integration"

Select "OIDC - OpenID Connect", and for the next question for application type select "Web Application". Click Next, and on the subsequent configuration screen ensure the following are set:

App integration name: "Hotpot" (or whatever suits you!)
[Optional] If you'd like to use a logo, we will provide one
Ensure Refresh token under Core Grants is selected
Under Sign-in Redirect add

Configuring Hotpot to use Okta

Under Assignments, restrict access to a group or whatever works for your organization. This controls who is able to access Hotpot. Hotpot delegates access to Okta.

Do not require PKCE. PKCE is for applications where the Client secret is directly available to users.

Go to https://app.hotpot.works/sso/setup, and enter your organization's domain to complete setup. Enter the OpenID Issuer URL, OpenID Client ID, and OpenID Client Secret.

The OpenID Issuer URL is available in Okta, if you click your name in the top right corner it will be displayed under your email address, with a copy button:

Once you add those fields, click Update configuration. You can now sign in to Hotpot via Okta.

Sign-in URLs

If users attempt to sign in with a username and password, Hotpot will not give any indication that the email is matched to an SSO-managed account. Users will need to sign-in via the SSO URL.