From 4cfae28545d3e82c13cd82e6d5307dee842b371a Mon Sep 17 00:00:00 2001 From: michaelmmc Date: Tue, 7 Oct 2025 16:43:19 -0700 Subject: [PATCH 1/5] Update Okta OIDC provider setup documentation with ONI app catalog steps Expanded the setup instructions for Okta as an OIDC provider, including steps for both ONI App Catalog. This is required for publishing of the official ONI app in Okta. Re-labeled the previous instructions as custom oidc application. --- .../identity/idp-integration/okta.mdx | 45 ++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 5bc8dd4d9021697..8bee64e2d62ea3f 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx 
@@ -10,7 +10,50 @@ Okta provides cloud software that helps companies manage and secure user authent Additionally, you can configure Okta to use risk information from Zero Trust [user risk scores](/cloudflare-one/insights/risk-score/) to create SSO-level policies. For more information, refer to [Send risk score to Okta](/cloudflare-one/insights/risk-score/#send-risk-score-to-okta). -## Set up Okta as an OIDC provider +## Set up Okta as an OIDC provider (ONI App Catalog) + +1. Log in to your Okta admin dashboard. + +2. Navigate to Applications > Applications. + +3. Click Browse App Catalog. + +4. Search for "Cloudflare One" and select the official Cloudflare application (OIDC). + +5. Click Add. + +6. Add an application label and Team domain: + + ```txt + .cloudflareaccess.com + ``` + You can find your team name in Zero Trust under **Settings** > **Custom Pages**. + + +7. In the **Sign On** tab, copy the **Client ID** and **Client secret**. + +8. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. + +9. Under **Login methods**, select **Add new**. Select **Okta** as your identity provider. + +10. Fill in the following information: + - **Name**: Name your identity provider. + - **App ID**: Enter your Okta client ID. + - **Client secret**: Enter your Okta client secret. + - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`. + +11. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups. + +12. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims): + 1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled. + 2. 
In Zero Trust, enter the **Authorization Server ID** obtained from Okta. + 3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity. + +13. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. + +14. Select **Save**. + +## Set up Okta as an OIDC provider (Custom OIDC Application) 1. On your Okta admin dashboard, go to **Applications** > **Applications**. From 3133f1cdf12e73294072a3d8fc9914d59e8d7104 Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Thu, 9 Oct 2025 17:06:30 -0500 Subject: [PATCH 2/5] Update okta.mdx --- .../docs/cloudflare-one/identity/idp-integration/okta.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 8bee64e2d62ea3f..5ea5452fc035625 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx @@ -10,7 +10,7 @@ Okta provides cloud software that helps companies manage and secure user authent Additionally, you can configure Okta to use risk information from Zero Trust [user risk scores](/cloudflare-one/insights/risk-score/) to create SSO-level policies. For more information, refer to [Send risk score to Okta](/cloudflare-one/insights/risk-score/#send-risk-score-to-okta). -## Set up Okta as an OIDC provider (ONI App Catalog) +## Set up Okta as an OIDC provider (Okta App Catalog) 1. Log in to your Okta admin dashboard. From 63a26e8b89caa22fb156b9b3a1032f1c79499e38 Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Thu, 9 Oct 2025 17:11:11 -0500 Subject: [PATCH 3/5] Update okta.mdx --- .../identity/idp-integration/okta.mdx | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 5ea5452fc035625..3bb3e47a554b60b 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx @@ -10,7 +10,7 @@ Okta provides cloud software that helps companies manage and secure user authent Additionally, you can configure Okta to use risk information from Zero Trust [user risk scores](/cloudflare-one/insights/risk-score/) to create SSO-level policies. For more information, refer to [Send risk score to Okta](/cloudflare-one/insights/risk-score/#send-risk-score-to-okta). -## Set up Okta as an OIDC provider (Okta App Catalog) +## Set up Okta as an OIDC provider (Okta Application Catalog) 1. Log in to your Okta admin dashboard. 
@@ -32,26 +32,32 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us 7. In the **Sign On** tab, copy the **Client ID** and **Client secret**. -8. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. +8. Scroll down to the **OpenID ConnectID Token** and select **Edit**. + + ![Configuring the Groups claim filter in Okta](~/assets/images/cloudflare-one/identity/okta/okta-2.png) + +9. Set the **Groups claim filter** to _Matches regex_ and its value to `.*`. + +10. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. -9. Under **Login methods**, select **Add new**. Select **Okta** as your identity provider. +11. Under **Login methods**, select **Add new**. Select **Okta** as your identity provider. -10. Fill in the following information: +12. Fill in the following information: - **Name**: Name your identity provider. - **App ID**: Enter your Okta client ID. - **Client secret**: Enter your Okta client secret. - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`. -11. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups. +13. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups. -12. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims): +14. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims): 1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled. 2. 
In Zero Trust, enter the **Authorization Server ID** obtained from Okta. 3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity. -13. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. +15. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. -14. Select **Save**. +16. Select **Save**. ## Set up Okta as an OIDC provider (Custom OIDC Application) From 9a9e79d7edeb358d1fc983618822255ac6bbdf64 Mon Sep 17 00:00:00 2001 From: michaelmmc Date: Thu, 9 Oct 2025 16:08:15 -0700 Subject: [PATCH 4/5] Added required fields for Okta integration documentation Added prerequisites and supported features sections for Okta integration. --- .../cloudflare-one/identity/idp-integration/okta.mdx | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 3bb3e47a554b60b..c5e5164c4d09cb1 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx 
@@ -10,6 +10,16 @@ Okta provides cloud software that helps companies manage and secure user authent Additionally, you can configure Okta to use risk information from Zero Trust [user risk scores](/cloudflare-one/insights/risk-score/) to create SSO-level policies. For more information, refer to [Send risk score to Okta](/cloudflare-one/insights/risk-score/#send-risk-score-to-okta). +## Prerequisites + +1. You must be a super administrator and be able to access the Cloudflare API. + +2. A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to Create a Cloudflare Zero Trust organization. + +## Supported Features + +* SP-initiated SSO (Single Sign-On) + ## Set up Okta as an OIDC provider (Okta Application Catalog) 1. Log in to your Okta admin dashboard. From 7858cc61dc7d67a3fe66a328193ee2c38d21e645 Mon Sep 17 00:00:00 2001 From: kennyj42 <73258453+kennyj42@users.noreply.github.com> Date: Fri, 10 Oct 2025 13:36:19 -0500 Subject: [PATCH 5/5] Update okta.mdx --- .../docs/cloudflare-one/identity/idp-integration/okta.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index c5e5164c4d09cb1..22bc0e9e5e33076 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx @@ -12,7 +12,7 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us ## Prerequisites -1. You must be a super administrator and be able to access the Cloudflare API. +1. You must have Zero Trust write or administrator access. 2. A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to Create a Cloudflare Zero Trust organization.
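Review bot: In the PATCH 1/5 hunk, the `txt` block under step 6 shows only `.cloudflareaccess.com`, so the reader cannot see where the team name goes; it should carry a placeholder such as `<your-team-name>.cloudflareaccess.com`, with the sentence about finding the team name under **Settings** > **Custom Pages** kept below it. Two smaller points in the same hunk: the new heading says "ONI App Catalog" while step 4 tells the reader to search for "Cloudflare One", so the two names should agree; and steps 1 to 5 use unbolded "Navigate to Applications > Applications", "Click Browse App Catalog" and "Click Add", whereas the rest of this file bolds UI elements and uses "select" (for example `- **Name**: Name your identity provider.`). Step 13's link text "Proof of Key Exchange (PKCE)" also expands the acronym wrongly; RFC 7636 is "Proof Key for Code Exchange".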
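Review bot: The PATCH 2/5 commit message "Update okta.mdx" says nothing about what changed; the hunk is a single heading rename from "ONI App Catalog" to "Okta App Catalog", so a subject such as "Rename Okta App Catalog heading" would let reviewers and future readers of the log see the intent without opening the diff. Step 4 in the unchanged text below the hunk still says to search for "Cloudflare One", so the heading and the search term still describe the application differently after this change.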
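Review bot: The first PATCH 3/5 hunk renames the heading a second time, to "Okta Application Catalog", while the step text in the same section still says "Click Browse App Catalog"; pick one term for the catalog and use it in both the heading and the step so the reader can match the heading to the Okta UI.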
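Review bot: In the second PATCH 3/5 hunk, new step 8 reads "Scroll down to the **OpenID ConnectID Token** and select **Edit**", which looks like two words merged; the Okta sign-on settings section is "OpenID Connect ID Token". New step 9 sets the **Groups claim filter** to `.*`, which places every group the user belongs to in the ID token; that is exactly the case in which step 13's "more than 100 groups" caveat applies, so step 9 should cross-reference step 13 and mention that the regex can be narrowed to the groups that Access policies actually use rather than emitting all of them. The screenshot inserted under step 8 has the alt text "Configuring the Groups claim filter in Okta", which describes step 9, so it sits one step too early.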
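Review bot: In the PATCH 4/5 hunk, prerequisite 2 ends with "refer to Create a Cloudflare Zero Trust organization" as plain text, while every other cross-reference in this file is a markdown link (for example `[user risk scores](/cloudflare-one/insights/risk-score/)`); it should link to the page it names. Prerequisite 1 states that the reader must "be able to access the Cloudflare API", but no step in either setup section uses the API, only the Okta and Zero Trust dashboards, so the requirement is either unsupported or needs a step that explains where the API is used. Two style points: the "Supported Features" heading is title case while the file's other headings are sentence case ("Set up Okta as an OIDC provider"), and the `* SP-initiated SSO` bullet uses `*` where the file's existing lists use `-`.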
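Review bot: The PATCH 5/5 hunk replaces the API-access wording in prerequisite 1 with "Zero Trust write or administrator access", which matches what the dashboard steps actually need, but the unchanged context line for prerequisite 2 still carries the unlinked "refer to Create a Cloudflare Zero Trust organization"; since this patch already touches the Prerequisites block, it is the place to turn that reference into a link. The commit message "Update okta.mdx" again gives no hint of the change; "Correct Okta prerequisite to Zero Trust write/admin access" would.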