# Login options (SSO)

## Federating identity for Limio app users with Okta (OIDC)

Limio supports identity federation for app users, allowing you to authenticate internal users (e.g. marketers, administrators, customer support agents) into the **Limio Commerce Platform** using your existing identity provider (IdP), such as Okta.

{% hint style="warning" %}
You are reading the SSO docs for logging in to the Limio application. If you are looking for how to set up SSO for your customers or end-users in the Limio Shop and Self-Service, go to [Set up Authentication for Customers](/product/authentication/sso-your-authentication.md).
{% endhint %}

Identity federation is a mechanism that links Limio’s internal authentication system to your enterprise Identity Provider. This allows your internal users to securely log in without needing to create separate Limio credentials. Authentication is managed through your IdP, providing a secure, seamless experience that aligns with your existing IT policies and SSO strategy.

Limio supports all major Identity Providers that use OAuth 2.0 and OpenID Connect (OIDC), including Okta, Auth0, Microsoft Entra ID (formerly Azure AD), AWS Cognito, and more. This allows Limio to verify user identity and retrieve basic user information (such as name and email).

In this guide, we’ll walk you through how to configure Okta as your IdP for internal Limio user authentication using OAuth and OIDC protocols.

### Step 1: Create a new app integration in Okta

1. Sign in to the **Okta Developer Console**.
2. Go to **Applications > Applications**.
3. Click **Create App Integration**.
4. Choose the following:
   * **Sign-in method:** OIDC - OpenID Connect
   * **Application type:** Web Application
5. Click **Next**.

### Step 2: Configure your Okta app

On the **New Web App Integration** screen:

| Setting               | Value                                                                                                                                                                                                       |
| --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| App name              | Limio App (or any name you recognise)                                                                                                                                                                       |
| Grant type            | Ensure **Authorization Code** is selected                                                                                                                                                                   |
| Sign-in redirect URIs | <p><code><https://your-cognito-domain.auth.region.amazoncognito.com/oauth2/idpresponse></code><br>Example: <code><https://your-app-limio.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse></code></p> |
| Login redirect URIs   | Same as above                                                                                                                                                                                               |
| Controlled access     | Choose how you want to assign access (e.g. groups or individuals)                                                                                                                                           |

Click **Save** to complete setup.

### Step 3: Share credentials with Limio

After the app is created, go to the **General** or **Sign On** tab and collect the following:

* **Client ID** – Generated by Okta
* **Client Secret** – Generated by Okta
* **Issuer URL** – Found under OpenID Connect ID Token (e.g. `https://yourdomain.okta.com/oauth2/default`)

Please share these three values securely with Limio by raising a case within this help desk.

### Step 4: Testing the authentication

Limio will confirm once configuration is complete and share a login URL with you. The login URL will typically look like:

`https://your-cognito-domain.auth.region.amazoncognito.com/login?client_id=XXXX&response_type=code&scope=email+openid+phone&redirect_uri=https%3A%2F%2Fyour-cloudfront-url`

Upon visiting this URL, users will be redirected to Okta to authenticate, then returned to Limio.

### Example values

| Field        | Example                                                                         |
| ------------ | ------------------------------------------------------------------------------- |
| Redirect URI | `https://your-app-limio.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse` |
| Login URL    | `https://your-app-limio.auth.eu-central-1.amazoncognito.com/login?...`          |
| Issuer URL   | `https://yourcompany.okta.com/oauth2/default`                                   |

### Notes

* Ensure your redirect URIs exactly match those configured in Okta.
* Scopes should include at minimum: `openid email profile`.
* Assign users or groups to the Okta app integration to enable access.
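
A pre-flight check for the login URL from Step 4 and the exact-match note above, added here as an example (it is not Limio's or Okta's code). The function names and sample values are assumptions made for illustration, and it assumes the Cognito domain in the login URL is the same one used in the Okta sign-in redirect URI, as in the tables on this page.

```python
from urllib.parse import parse_qs, urlsplit


def expected_okta_redirect(login_url: str) -> str:
    """Sign-in redirect URI Okta must list for the Cognito domain in login_url."""
    return f"https://{urlsplit(login_url).hostname}/oauth2/idpresponse"


def check_sso_config(login_url: str, okta_redirect_uris: list[str]) -> list[str]:
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    parts = urlsplit(login_url)
    query = parse_qs(parts.query)  # decodes %XX and turns '+' into spaces

    if parts.scheme != "https":
        findings.append("login URL is not HTTPS")
    if query.get("response_type") != ["code"]:
        findings.append("response_type is not 'code' (Authorization Code grant)")
    if not query.get("client_id", [""])[0]:
        findings.append("client_id is missing")
    if "openid" not in query.get("scope", [""])[0].split():
        findings.append("scope does not include 'openid'")
    if urlsplit(query.get("redirect_uri", [""])[0]).scheme != "https":
        findings.append("redirect_uri is missing or not HTTPS")

    # The Notes ask for an exact match, so compare the strings as-is and
    # report entries that differ only by case, whitespace or a trailing slash.
    want = expected_okta_redirect(login_url)
    if want not in okta_redirect_uris:
        near = [u for u in okta_redirect_uris
                if u.strip().rstrip("/").lower() == want.lower()]
        hint = f"; near miss: {near[0]!r}" if near else ""
        findings.append(f"Okta has no exact match for {want}{hint}")
    return findings


# Constructed sample input, same shape as the login URL in Step 4.
SAMPLE_LOGIN_URL = (
    "https://your-app-limio.auth.eu-central-1.amazoncognito.com/login"
    "?client_id=XXXX&response_type=code&scope=email+openid+phone"
    "&redirect_uri=https%3A%2F%2Fyour-cloudfront-url"
)
# Constructed Okta setting with a stray trailing slash.
SAMPLE_OKTA_URIS = [
    "https://your-app-limio.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse/"
]

if __name__ == "__main__":
    for finding in check_sso_config(SAMPLE_LOGIN_URL, SAMPLE_OKTA_URIS):
        print("FAIL:", finding)
```
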


