Requirements
- An Okta organization account with admin permission
- A Bright Data account with admin permission
Enforced Okta SSO disables password-based login.When Okta SSO is enforced for your organization, password-based login and password reset emails are disabled for all users on the account. Users must sign in via Okta. Contact your IT / Okta administrator if access issues arise.
Steps:
- On your Okta admin dashboard, choose ‘Applications > Applications’
https://[your_domain]-admin.okta.com/admin/apps/active
- Click ‘Create App Integration’
-
Select ‘OIDC - OpenID Connect’ as the Sign-in method,
-
Select’Web Application’ as the Application type and click ‘Next’
-
At this point you should be redirected to a new web app integration page. Here you can name your app integration (we recommend to use “Bright Data Control Panel” name).
-
At ‘Grant type’ select Implicit along with Authorization Code
-
Go to Bright Data Control Panel
-
Open OKTA configuration dialog
- Copy “Sign-in redirect URI”
- Paste it to according field in New App setup in OKTA
-
Repeat the same for “Sign-out URI”
-
At ‘Assignments’, select an access level as you want
-
Click ‘Save’
-
Now, you should land on your new app integration settings page.
Copy your Client ID, Client Secret, and Okta domain to OKTA setup dialog in your Bright Data Control Panel.
- Click “Activate”.
Skip step 16 if you selected “Allow everyone to access”
- Go to “Assignments” tab and assign users allowed to use this integration
- Go to Bright Data Settings page and make sure all required users presented.
We’re working on users provisioning support, at the moment - you should manage it manually.
The following steps are optional. They are for enabling your users to launch authentication from their dashboard or the Okta Chrome extension.
-
Scroll down to ‘General Settings’ and click Edit
-
Set these settings:
- Login initiated by: Either Okta or App
- Application visibility: Display application icon to users
- Login flow: Redirect to app to initiate login (OIDC Compliant)
- Copy Initiate login URI from Control Panel
- Save changes. Now the integration is ready to work.
Notes
-
Okta Domain should be the one that appears in your app integration settings (yourcompany.okta.com), NOT the one you are seeing as an admin (yourcompany-admin.okta.com)
-
Make sure the Credentials provided to Bright Data are correct, we cannot check them on our side.
- Sign-in Redirect URI is a must in order to make the SSO feature work correctly
- Initiate login URI is needed if the you wants to be able to use the feature from the Okta Chrome extension or the Okta dashboard
SSO technical reference
This section is for enterprise security teams completing vendor SSO questionnaires.
Which SSO protocol is supported
Bright Data supports SSO via OpenID Connect (OIDC) only. SAML 2.0 is not supported. There is no SAML metadata XML, Entity ID, or ACS URL.
Supported identity providers
- Okta
- Microsoft Entra ID (Azure AD)
- Google Workspace
| Parameter | Value |
|---|
| Protocol | OpenID Connect (OIDC) |
| User identifier | email claim |
| Required scopes | profile email |
| Required claims | email |
| Optional claims | givenName, familyName |
How account provisioning works
| Identity provider | Provisioning method |
|---|
| Okta | Manual. Add users in the Bright Data Control Panel. User record is created automatically on first sign-in. |
| Microsoft Entra ID | Automatic via SCIM. |
| Google Workspace | Manual. Add users in the Bright Data Control Panel. User record is created automatically on first sign-in. The OIDC hd claim enforces the configured Workspace Domain. See Google Workspace SSO setup. |
Other SSO details
- Password logins can be disabled entirely.
- Access is controlled by users added to the account, not by email domain.
- Different user roles are available to restrict access per user.
Google OAuth 2.0
Bright Data also supports login via Google OAuth 2.0.
| Parameter | Value |
|---|
| Required scopes | https://www.googleapis.com/auth/userinfo.profile, https://www.googleapis.com/auth/userinfo.email |
| Account provisioning | User must be added to the account via the Bright Data Control Panel first. User record is created after signing up using “Continue with Google”. |