Okta OIDC

Last Updated: April 07, 2026

An Okta OpenID Connect (OIDC) configuration is required if your organization uses an Okta SAML connection for identity management and Microsoft Microsoft Intune for mobile app deployment. Microsoft Intune's Mobile Application Management (MAM) policies require OIDC authentication for mobile apps to access protected documents.

Key Points

  • This configuration is specifically for mobile Microsoft Intune environments.
  • OIDC works alongside existing Okta SAML connections for desktop and web users (doesn't replace them).
  • Ensure Microsoft Intune mobile settings are enabled. Contact your Vasion representative for assistance.
  • This authentication method is specific to mobile sign-in to enable the PrinterLogic app to access documents protected by Intune's Mobile Application Management (MAM) policies.

Requirements

  • Existing Okta SAML connection configured for Vasion Print.
  • Multi-IdP and Microsoft Intune features enabled for your Vasion Print instance.
  • Microsoft Microsoft Intune environment with Mobile Application Management (MAM) policies.
  • Administrative access to both Okta and Vasion Print Admin Console.

These requirements assume an existing Okta SAML connection is configured for your Vasion Print instance. If your deployment only supports mobile devices through Microsoft Intune, the SAML configuration is not required.

Configure the Connection

To connect Vasion Print with Okta OIDC do the following:

  1. Create the Okta app.
  2. Add the IDP template.
  3. Configure OIDC authentication.
  4. Create the Okta SCIM app.
  5. Configure SCIM provisioning.
  6. Assign Users & Groups.

1. Create the Okta App

  1. Log in to your Okta Admin Portal.

  2. In the left-side menu, expand Applications and select the Applications option.

    Okta Applications

  3. Select the Create App Integration button.
  4. In the Sign-in method section select OIDC - OpenID Connect.
  5. In the Application type section select Web Application.
  6. Select Next.
  7. Leave the current browser open to the new app page.

To continue the app configuration, you need to open another browser and open the Vasion Automate / Vasion PrintAdmin Console and access the service provider information.

New app integratrion modal with OIDC and Web application selected.

2. Add the IdP Template

If the IdP Settings modal does not look like the image below, you may not be using the latest version and should contact Product Support to upgrade your IdP settings.

  1. In a separate browser tab, open your Vasion PrintAdmin Console and sign in.
  2. Select Tools then Settings then General, and scroll down to the Identity Provider Settings section.
  3. Select IdP, and then select Add.
  4. Select Custom from the IdP Template dropdown.
  5. Select OIDC in the Authentication Protocol section.

  6. In the Provisioning section, leave the JIT option unchecked.

  7. In the Name field, enter the name you want displayed on the sign in button for users. For example My Company, Login, Acme Corp, etc.
  8. Keep the IdP Settings modal open so that the Service Provider Information at the bottom is available for the following steps.

Do not select the Enable for End User Login or the Enable for Admin Login options. Microsoft Intune authentication is only supported by the mobile app.

Custom IdP Settings template

3. Configure the OIDC Authentication

  1. In the New Web App Integration page enter a name to identify the integration in the Okta Admin Console into the App integration name field.
  2. From the IdP Settings modal, copy the SSO URL and paste it into the Okta app Sign-in redirect URIs section to replace the default localhost URL.
  3. Use the Add URI button to add a new URI field.
  4. Return to the IdP Settings modal and copy the Mobile SSO URL then paste it into the new URI field you added.
  5. In the Sign-out redirect URIs section, remove the localhost URL.
  6. In the Assignments section, select Skip group assignments for now.
  7. Select Save.
  8. Keep your new Okta web app open to complete the IdP settings configuration in Vasion Print.

Okta New Web App Integration page

Complete the IdP Settings Configuration

  1. In the Discovery Endpoint field, enter the following URL, replacing your-okta-domain with your actual Okta domain:

    Copy Code 
    https://your-okta-domain.okta.com/.well-known/openid-configuration

  2. Copy the Client ID from the new Okta web app.

    Okta web app Client Credentials section.

  3. Return to the IdP Settings modal and paste the Client ID into the Client Id for Clients and the Client Id for Server fields.

  4. Return to the Okta web app and use the Generate new secret button to add a new secret to the app.

    Okta web app Client Secrets section.

  5. Copy the first secret and return to the IdP Settings modal to paste the secret into the Client Secret for Clients field.
  6. Return to the Okta app and copy the second secret and return to the IdP Settings modal to paste the second secret into the Client Secret for server fields.
  7. Select Apply.
  8. Under the CPA Specific Settings section select Enable PIN Authentication. This selection enables you to save the new IdP configuration.
  9. Scroll to the top of the General Settings screen and Select Save in the upper-right corner.

Complete IdP Settings for OIDC Connection

4. Create the Okta SCIM App.

  1. Return to the Applications page your Okta Admin Portal.

  2. Select Create App Integration.

    Okta Applications

  3. In the Create a new app integration modal choose SAML 2.0, then select Next.

  4. In the Create SAML Integration wizard, General Settings section, enter the name you want to identify the app in the Okta Admin Console and select Next.

  5. In step 2 Configure SAML, A. SAML Settings section enter the following into the Single sign-on URL, Audience URI (SP Entity ID), and Default Relay State fields:

    Copy Code 
    https://www.okta.com

    This will pass validation

  6. Scroll to the bottom and select Next.

  7. Select This is an internal app we have created.

  8. Select Finish.

    Step 3 of the Okta new app intergration wizard.

SAML Settings General section for the new app.

Enable SCIM Provisioning

  1. Select the General tab of the new SAML app.

  2. In the App Settings section select the Edit button.
  3. In the Provisioning section select SCIM.
  4. Select Save.
  5. Select the Provisioning tab and leave the page open to complete the SCIM configuration in Vasion Print.

New Okta App Settings with SCIM provisioning selected.

5. Configure SCIM Provisioning

  1. Go to your existing Okta SAML connection for desktop / web access.

  2. In the Service Provider Information section, select the SCIM Tenant URL and copy it.

    Service provider info for the base Okta connection app.

  3. On the Okta app Provisioning tab, SCIM Connection section, select Edit.

  4. Paste the SCIM Tenant URL into the SCIM Connection base URL field.

  5. In the Unique identifier field for users enter email.

  6. In the Supported provisioning actions section, select:

    1. Import New Users and Profile Updates.

    2. Push New Users.

    3. Push Profile Updates.

    4. Push Groups.

  7. Use the Authentication Mode dropdown to select HTTP Header.

  8. Leave the page open while you generate the SCIM token because you need to paste the token here.

Okta SCIM App Provisioning settings.

Generate SCIM Token

  1. Return to the Vasion Print Admin Console Identity Provider Settings section and select SCIM.
  2. Use the dropdown to select the Okta OIDC connection you just created.
  3. Select Generate SCIM token.
  4. Copy the token then select Close.
  5. Paste the token into the HTTP Heater section of the Provisioning tab.
  6. Select Test Connector Configuration.
  7. When you get the message that the connector tested successfully, select Save.

Vasion Print SCIM Settings.

Provision Users

  1. On the Provisioning tab, select To App under Settings on the left.
  2. In the Provisioning to App section, select the Edit.

  3. Enable the following:

    1. Create Users.

    2. Update User Attributes.

    3. Deactivate users.

  4. Select Save.

Okta SCIM To App Provisioning settings.

6. Assign Users & Groups

All three Okta applications (SAML, OIDC, SCIM) should have the same groups assigned to ensure consistent user provisioning across all applications.

Assign to OIDC App

  1. In your Okta OIDC app, select the Assignments tab.
  2. Use the Assign dropdown to select:
    1. Assign to People: Use this option to assign app access to individual users.
    2. Assign to Groups: Use this option to assign app access to groups and all their members.
    3. Search for and select the desired people / groups.
  3. Select Assign and then Done.

Okta app assignments.

Assign to SCIM App & Push Groups

  1. In your Okta OIDC app, select the Assignments tab.
  2. Use the Assign dropdown to select:
    1. Assign to People: Use this option to assign app access to individual users.
    2. Assign to Groups: Use this option to assign app access to groups and all their members.
    3. Search for and select the desired people / groups.
  3. Select Assign and then Done.
  4. Select the Push Groups tab.
  5. Use the Push Groups dropdown to select:
    1. Find groups by name: Use this option to search for the name of the group.
    2. Find groups by rule: Use this option to create a search rule that pushes any matching groups automatically.
  6. If you are adding more than one group or rule, select Save & Add Another.
  7. After you select the last group or rule, select Save.

Push Groups to app page.

7. Enable Microsoft Intune Login

  1. Go to Tools then Settings then Mobile in the Admin Console.

  2. In the Intune Settings section, select Enable Microsoft Intune Login.

  3. Select the IdP you want to use for Microsoft Intune authentication from the dropdown.

  4. Select Save in the upper-right corner.