# Okta SSO Setup

> Connect your organization's identity provider to PlayerZero for secure, centralized authentication using Okta.

<Note>Organization **Owner** access is required in PlayerZero to configure SSO. **Okta Administrator** access is required in Okta to create the app registration and adjust settings.</Note>

## Overview

This guide walks you through creating an Okta app registration and wiring it to PlayerZero. We use the **OIDC Authorization Code** flow with **PKCE**. PlayerZero only requests standard OIDC claims.

***

## Prerequisites

* A PlayerZero organization where you are an **Owner**
* Admin access to **Okta Portal** for your tenant
* PlayerZero redirect URL: `https://playerzero.ai/api/auth/sso`

***

## Multi-Tenant SSO

If your organization uses multiple email domains, each domain requires its **own SSO configuration** in PlayerZero.

You may reuse the same Entra app registration for all domains if you choose. For each domain:

* Sign in to PlayerZero **using an account from that domain**
* Create a new SSO configuration starting at **Step 3 — Configure PlayerZero**

PlayerZero will simply have **one SSO configuration per domain**, regardless of how you organize Entra (single app or multiple apps).

## Step 1 — Create the App Registration in Okta

1. Select Sign-in method `OIDC - OpenID Connect`.
2. Select Application Type as Web registration.

***

## Step 2 — App Settings

On the New Web App Integration Screen:

1. Toggle Core Grants:
   * `Authorization Code`
   * `Refresh Token`
2. Set redirect URL: `https://playerzero.ai/api/auth/sso`
3. Remove Sign-out redirect URL
4. Toggle `Limit Access to selected groups` and select your PlayerZero (or equivalent) group.
5. On the newly created app's `General` settings tab, toggle on `Require PKCE as additional verification`.

***

## Step 3 — Configure PlayerZero

1. In PlayerZero, open **Settings → SSO Configuration → Add SSO Configuration**.
2. In the `Fetch SSO config from well-known endpoint` field, enter your `Issuer URL` with `/.well-known/openid-configuration` appended.
   * The Issuer URL can be found in Okta under **Security → API**.
3. Click **Fetch from Well-Known**
4. Verify your organization's domain and other autofilled settings.
5. Enter your `Client ID` and `Client Secret Value`.
6. Add the `openid profile email offline_access` scopes.
7. Toggle on `Use PKCE (Proof Key for Code Exchange)`.

***

## Step 4 — Test the Connection

1. In PlayerZero **SSO Configuration**, click **Test Connection**.
2. Complete the Okta sign-in in the popup.
3. On success, click **Save Configuration**.

***

## Next Steps — Rollout & User Impact

Once SSO is **saved and enabled**, PlayerZero will **invalidate existing sessions**:

* **All users will be logged out** of PlayerZero.
* When users log back in through SSO, they will be able to access all previous work. No data will be lost in the transition.
