Configuring OpenID Connect SSO for Restaurant 365 in Okta
Last Updated:
Overview
Restaurant 365 integrates with Okta as an OpenID Connect (OIDC) provider for Single Sign-On (SSO). The integration requires the API Access Management SKU to utilize the default custom authorization server, along with a custom OIDC web application configured with specific grant types and access policies. If the Okta organization lacks the default authorization server or contains an incorrect configuration, Restaurant 365 generates the following error:
SSO settings saved, but we could not connect. Please verify your credentials
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Restaurant 365 (R365)
- Custom OpenID Connect (OIDC) application
- API Access Management
Cause
The Restaurant 365 OIDC integration uses the default authorization server. This requires the Okta organization to possess the API Access Management SKU. The application and default authorization server require specific configurations. If the Okta organization lacks the default authorization server or contains an incorrect configuration, the connection fails.
Solution
How is OpenID Connect Single Sign-On configured for Restaurant 365?
Configure the Single Sign-On connection in Restaurant 365, create the OpenID Connect web application in Okta, configure the default authorization server access policies, and test the connection.
- In Restaurant 365, begin creating a Single Sign-On connection for Okta.
- Copy the Sign-in redirect URI for use in a later step. Do not select Connect.
- In the Okta Admin Console, create an OIDC web application.
- Ensure that the Authorization Code and Client Credentials grant types are both enabled.
- Enter the Sign-in redirect URI copied from Restaurant 365 into the corresponding field.
- Navigate to Security > API > Authorization Servers.
- Create an Access Policy for the default authorization server and assign the OIDC application to it.
- Create an Access Rule for the default authorization server.
- Select the Client Credentials and Authorization Code grant types.
- Leave all other settings at their default values.
- Create a scope named
okta.myAccount.appAuthenticator.maintenance.readon the default authorization server if it does not already exist.
- In Restaurant 365, enter the Client ID, Client Secret, and Authority using the values from the OIDC application created in Okta.
- NOTE: The Authority requires the Okta default domain and must include
https://(for example,https://<example>.okta.com). Do not use a custom domain.
- NOTE: The Authority requires the Okta default domain and must include
- Select Connect to test the connection.
Related References
- Connect to Okta | R365
- How to Create an OIDC Web App in the Okta Admin Console | Okta Support Center
- Default custom authorization server | Okta Developer
- Configure an access policy | Okta Developer
- Add okta.myAccount.* Reserved Scopes to a Custom Authorization Server | Okta Support Center
