Okta SSO setup #
Connect Okta to eCardWidget over OpenID Connect. This covers login (OIDC); for automatic team-member provisioning see SCIM provisioning.
Prerequisites: Enterprise plan, and you'll verify your email domain via DNS during setup. A free Okta Integrator/Developer tenant (
developer.okta.com/signup) is enough to test the full flow, including SCIM.
1. Create the OIDC app in Okta #
- Admin Console → Applications → Create App Integration.
- Sign-in method: OIDC – OpenID Connect. Application type: Web Application. Next.
- App name:
eCardWidget. - Sign-in redirect URIs:
(Add one for each environment you'll sign in from.)https://app.ecardwidget.com/v2/api/sso/callback - Sign-out redirect URIs:
https://app.ecardwidget.com/. - Assignments: assign the people who should have access.
- Save, then copy the Client ID and Client Secret.
Your OIDC discovery URL is:
https://<YOUR-OKTA-TENANT>.okta.com/.well-known/openid-configuration
2. Connect Okta in ECW #
- Sign in as the account owner → Settings → SSO & Directory Sync → Set up SSO.
- Provider: choose Okta → Continue.
- Fill in:
- Provider name:
Okta - Email domain: the domain your Okta users' emails use (e.g.
yourcompany.com) - OIDC discovery URL: from above
- OIDC client ID / client secret: from step 1
- Provider name:
- Click Save & Create SSO. ECW fetches and caches your Okta endpoints (authorize, token, JWKS) automatically — no other URLs to enter.
Enabling SSO may prompt for an admin OTP (emailed to the owner). Enter it to proceed.
3. Verify your email domain #
-
Click Verify Domain to generate a token.
-
Publish it as a DNS record:
Record name Type Value _ecw-domain-verify.yourcompany.comTXTecw-domain-verify=<token> -
Wait 5–15 min, then Check Now. Domain should show Verified. (SSO login is inactive until this succeeds.)
4. Test the connection and sign in #
- Click Test Connection — you should see each check (discovery reachable, JWKS keys, endpoints) pass.
- In a fresh incognito window, go to
https://app.ecardwidget.com/main/login, enter a test user's email on the verified domain, and choose Continue with SSO. You should be redirected to Okta and land back in the ECW dashboard.
5. (Optional) Enable SCIM provisioning #
Okta can automatically create/update/deactivate ECW team members. In ECW, open the SCIM tab → Enable SCIM → Save & Generate SCIM Token (copy it — shown once). Then in Okta:
- Provisioning → Integration → SCIM connector base URL: use the SCIM Base URL ECW shows —
Do not addhttps://app.ecardwidget.com/v2/api/scim/v2/Users— Okta appends it. (Pasting.../Usershere is the classic cause of "Invalid user ID.") - Authentication Mode: HTTP Header / OAuth Bearer Token → paste the ECW SCIM token.
- Test API Credentials → expect "verified successfully."
- Provisioning → To App: enable Create Users, Update User Attributes, Deactivate Users. Leave Sync Password OFF (ECW team members have no login).
Full details and attribute mapping: SCIM provisioning.
6. (Optional) Require SSO #
Once login works, toggle Require SSO for sign-in to disable password login for your domain. This asks for a fresh admin OTP and warns you before applying.
Troubleshooting (Okta) #
| Symptom | Fix |
|---|---|
sso_error=invalid_audience |
Okta app audience must be the client_id (default). Check Sign On settings. |
sso_error=invalid_signature |
JWKS clock-skew/rotation. ECW caches Okta's JWKS ~15 min; wait or click Test Connection (cache-busting). |
sso_error=replay_detected |
A token was replayed (e.g. browser Back after login). Open a new tab. |
sso_error=domain_mismatch |
The token's email isn't on your registered domain, or has no email. Confirm the user's Okta email is on yourcompany.com. |
| SCIM "Invalid user ID" | You pasted the base URL with /Users. Remove the suffix. |
More: Troubleshooting.