Skip to content

Okta Custom Domain


This article will largely be a copy/paste from the Okta Developer documentation on how to create a custom domain with Cloudflare. The only modifications will be made to reflect my configuration.


This will only work for a subdomain.**

Create an origin certificate

To use a custom domain on Okta, use the following steps to create an origin CA certificate:

  1. Select the SSL/TLS app, and then click Origin Server.
  2. Click Create Certificate to open the Origin Certificate Installation dialog box.
  3. Select Let Cloudflare generate a private key and a CSR.
  4. Change Certificate Validity to 3 year (Okta rejects certificates with a 15-year expiration), and then click Next.
  5. Copy the Origin Certificate to a tls.cert file on your hard drive, and then copy the Private key to private.key.

Okta Configuration

  1. In Okta, go to Customization > Domain Name > Edit > Get Started.
  2. Enter the subdomain name and click Next. You are prompted to verify domain ownership.
  3. In Cloudflare, add the specified TXT record using the DNS > + Add record option.
  4. In Okta, select Verify > Next.
  5. In the Certificate box, copy/paste the contents of tls.cert.
  6. Paste the contents of private.key in the Private key box. Click Next.
  7. You are prompted to add a CNAME record
  8. Add this to your Cloudflare DNS and then click Finish.
  9. Wait until resolves in your browser before you continue.

Configure a custom domain for your Authorization Server

The OpenID Connect specification requires a ./well-known/openid-configuration endpoint with metadata about your app's endpoints. You should be able to see yours at:

You might notice that it has your Okta dev-* domain, rather than your custom domain name.

You need to update your Authorization Server to use your custom domain to fix this:

  1. Sign in to your Okta account and go to API > Authorization Servers.
  2. Select the default Custom Authorization Server, and then click Edit.
  3. Change the Issuer to use Custom URL.
  4. Try ./well-known/openid-configuration again. It should now display your custom domain.