
Set up Okta single sign-on (OIDC) for SimplyPrint



This guide walks you through connecting Okta to SimplyPrint using OpenID Connect (OIDC), so your members sign in to SimplyPrint with their Okta accounts. You'll create an OIDC web app in Okta, copy three values across, and run a test sign-in to confirm everything works.


Single sign-on is included in the Enterprise plan and the School plan. Print Farm accounts that subscribed before 2026-05-15 keep SSO as well.


What you need before starting

  • Admin access to your Okta organization (the Okta Admin Console).
  • An account admin in SimplyPrint with the user registration settings permission.
  • Your account on a plan that includes SSO (see the note above).


Your account runs one SSO method at a time, either OIDC or SAML. Turning on OIDC deactivates SAML if you had it set up, but your SAML configuration is kept in case you switch back. Prefer SAML? See the single sign-on (SSO) hub.


Open the OIDC configuration in SimplyPrint

First, open SimplyPrint so you have the redirect URI ready to paste into Okta.


  1. Go to Settings -> Organization and open User registration & SSO.
  2. Tick OpenID Connect (OIDC) single sign-on.
  3. Click Configure OIDC single sign-on.
  4. In the configuration window, select the Okta tab at the top.


Under What you need from us you'll see a read-only Redirect URI. Click Copy. Keep this window open: you'll paste this value into Okta in the next section, then come back to finish.


Copy the exact Redirect URI shown in your own window. It is your SimplyPrint site address followed by /oauth/callback. Use the value from the modal rather than typing it by hand.


Create an OIDC web app in Okta

In the Okta Admin Console:


  1. Go to Applications -> Applications, then click Create App Integration.
  2. For Sign-in method, select OIDC - OpenID Connect.
  3. For Application type, select Web Application, then click Next.
  4. Give the app a name, for example "SimplyPrint".
  5. Under Sign-in redirect URIs, paste the Redirect URI you copied from SimplyPrint.
  6. Under Assignments, choose who can use the app (a group, or everyone), then click Save.


After saving, open the app's General tab. You'll find the Client ID and Client secret there. The client secret is shown only here, so copy it carefully.


Find your Okta issuer URL

SimplyPrint needs your Okta issuer to discover the rest of the connection automatically.


For most setups, the issuer is your Okta org URL, for example:


https://your-org.okta.com


Replace your-org with your real Okta subdomain. This is the simplest option and works for standard sign-in.


Okta also supports custom authorization servers, whose issuer looks like https://your-org.okta.com/oauth2/your-server-id. Only use that form if your Okta admin has deliberately set up a custom authorization server for this app. If you're unsure, start with the plain org URL above.


Enter your Okta details in SimplyPrint

Back in the SimplyPrint OIDC window, under What we need from you:


  1. In Issuer URL, paste your Okta issuer (for example https://your-org.okta.com).
  2. Click Check. SimplyPrint fetches Okta's discovery document and shows the resolved endpoints. A green "Discovery document looks good" message means the issuer is correct.
  3. Paste your Client ID.
  4. Paste your Client secret. (Once a secret is saved it shows as "Unchanged" - leave it blank on later edits to keep it, or enter a new one to replace it.)
  5. Leave Scopes as openid profile email unless you need more.


SimplyPrint discovers Okta's endpoints automatically from the issuer, so you normally only provide the issuer, client ID, and client secret. The authorization, token, and other endpoints fill in for you.


Click Save when you're done.
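If you want to sanity-check a discovery document yourself, the added example below (not SimplyPrint's code) builds the standard OIDC discovery URL from an issuer and checks that the document is consistent with it. The sample document is constructed for the placeholder org URL, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Endpoints the relying party resolves from the issuer.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of a discovery document for the placeholder org URL.
SAMPLE_DOC = {
    "issuer": "https://your-org.okta.com",
    "authorization_endpoint": "https://your-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://your-org.okta.com/oauth2/v1/keys",
    "end_session_endpoint": "https://your-org.okta.com/oauth2/v1/logout",
}


def discovery_url(issuer):
    """OIDC Discovery: the document sits under the issuer at a well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer, doc):
    """Return a list of problems; an empty list means the document is consistent."""
    problems = []
    if urlsplit(issuer).scheme != "https":
        problems.append("issuer is not https")
    # The issuer inside the document must equal the configured issuer exactly,
    # so a trailing slash or an org URL paired with a custom-server document
    # both show up here.
    if doc.get("issuer") != issuer:
        problems.append("issuer mismatch: document says %r" % doc.get("issuer"))
    for key in ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append("missing " + key)
        elif urlsplit(value).scheme != "https":
            problems.append(key + " is not https")
    # Without a logout endpoint, signing out cannot be passed on to Okta.
    if not doc.get("end_session_endpoint"):
        problems.append("no end_session_endpoint: sign-out cannot reach Okta")
    return problems
```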


Map Okta groups to user groups (optional)

The Okta preset already maps the standard claims for you: email to email, given name to first name, and family name to last name. It also defaults the groups claim to SimplyPrint user groups, so members can be sorted into the right group automatically on sign-in.


To use group mapping, Okta needs to send a groups claim in the ID token, and SimplyPrint needs to ask for it:


In Okta:

  1. Open your app, go to the Sign On tab, and edit the OpenID Connect ID Token section.
  2. Set the Groups claim type to Filter.
  3. Keep the claim name groups, choose Matches regex, and enter .* to include all of a user's groups (or use a narrower filter to send only specific groups).
  4. Save.


In SimplyPrint:

  1. In the OIDC window, add groups to the Scopes field, so it reads openid profile email groups.
  2. Under Claim mappings, make sure user groups is mapped to the groups claim. Click Apply defaults for Okta to fill this in if it's missing.


For how groups map to SimplyPrint user groups (and how this is used for teachers and classes in schools), see the related group mapping guide - the group-to-user-group idea is the same for OIDC.


Test the connection

Before rolling this out to your members, use the built-in test.


  1. Save your settings first.
  2. Click Test sign-in in the OIDC window. This opens a new tab and runs the real Okta sign-in flow.
  3. SimplyPrint shows you the claims Okta returned, without logging anyone in or creating an account.


Check that the email, name, and (if you set them up) groups claims arrived as expected. This is the recommended way to verify the connection before going live.


How sign-in and new accounts work

Once OIDC is active, members can sign in through Okta. Existing SimplyPrint users can link their account, and new members can be created automatically on first sign-in.


A new account is created automatically only when the email address is trustworthy: Okta marked it as verified, or the email's domain is one your account has verified, or an admin turned off Require verified email in the Advanced section. Okta normally sends verified emails, so the default settings work for most organizations. If you ever see new members blocked from being created, verify your email domains - see verifying your email domains.
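To reason about the claims shown by Test sign-in and about the account-creation rule above, this added example (not SimplyPrint's code) reviews a claims set and applies the rule as this page states it. The function name and sample values are hypothetical; treating only a boolean true as verified and matching email domains exactly are assumptions.

```python
def review_claims(claims, verified_domains=(), require_verified_email=True,
                  expect_groups=False):
    """Return (findings, auto_create) for one set of claims from a test sign-in."""
    findings = []
    email = str(claims.get("email") or "").strip().lower()
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        findings.append("email claim missing or malformed")
    # Standard OIDC claim names behind the first-name / last-name mapping.
    for name in ("given_name", "family_name"):
        if not claims.get(name):
            findings.append(name + " claim missing")
    if expect_groups:
        groups = claims.get("groups")
        if not isinstance(groups, list) or not groups:
            findings.append("groups claim missing or empty: check the groups "
                            "scope and the Okta ID token filter")
    # Rule from the page: verified by Okta, OR domain verified on the account,
    # OR "Require verified email" turned off.
    idp_verified = claims.get("email_verified") is True  # assumption: strict boolean
    domain_verified = domain in {d.lower() for d in verified_domains}  # exact match
    trusted = idp_verified or domain_verified or not require_verified_email
    auto_create = bool(local and domain) and trusted
    return findings, auto_create


# Constructed sample claims, shaped like a standard OIDC ID token payload.
SAMPLE_CLAIMS = {
    "email": "teacher@school.example",
    "email_verified": True,
    "given_name": "Ada",
    "family_name": "Lovelace",
    "groups": ["Teachers"],
}
```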


When members sign out of SimplyPrint, they're also signed out at Okta, because Okta advertises a logout endpoint.


For more on linking and signing in:


Troubleshooting

If sign-in fails, the OIDC window has two tools built in:

  • The Check button validates your issuer and shows Okta's endpoints. Start here if the connection won't save or test.
  • The debug panel shows the last claims received (email addresses are masked) and the last error reported for your provider. This is the fastest way to see why a sign-in was rejected.


Common things to check:

  • The Redirect URI registered in Okta exactly matches the one shown in SimplyPrint, including https and no trailing slash differences.
  • The issuer is your real Okta org URL, and Check returns a green result.
  • The Client ID and Client secret are from the same Okta app, with no extra spaces.
  • If group mapping isn't working, confirm the groups scope is in the Scopes field and that Okta is sending the groups claim in the ID token (see the optional section above).


For a deeper checklist that applies to every provider, see the OIDC troubleshooting guide.



Updated on: 13/06/2026
