Okta Custom Domain
This article will largely be a copy/paste from the Okta Developer documentation on how to create a custom domain with Cloudflare. The only modifications will be made to reflect my configuration.
This will only work for a subdomain.
Create an origin certificate
To use a custom domain on Okta, use the following steps to create an origin CA certificate:
- Select the SSL/TLS app, and then click Origin Server.
- Click Create Certificate to open the Origin Certificate Installation dialog box.
- Select Let Cloudflare generate a private key and a CSR.
- Change Certificate Validity to 3 years (Okta rejects certificates with a 15-year expiration), and then click Next.
- Copy the Origin Certificate to a tls.cert file on your hard drive, and then copy the Private key to
- In Okta, go to Customization > Domain Name > Edit > Get Started.
- Enter the subdomain name subdomain.levine.org and click Next. You are prompted to verify domain ownership.
- In Cloudflare, add the specified TXT record using the DNS > + Add record option.
- In Okta, select Verify > Next.
- In the Certificate box, copy/paste the contents of
- Paste the contents of private.key in the Private key box. Click Next.
- You are prompted to add a CNAME record
- Add this to your Cloudflare DNS and then click Finish.
- Wait until https://subdomain.levine.org resolves in your browser before you continue.
Configure a custom domain for your Authorization Server
The OpenID Connect specification requires a /.well-known/openid-configuration endpoint with metadata about your app's endpoints. You should be able to see yours at:
You might notice that it has your Okta dev-* domain, rather than your custom domain name.
You need to update your Authorization Server to use your custom domain to fix this:
- Sign in to your Okta account and go to API > Authorization Servers.
- Select the default Custom Authorization Server, and then click Edit.
- Change the Issuer to use Custom URL.
/.well-known/openid-configuration again. It should now display your custom domain.
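To confirm the issuer change took effect, the discovery document can be checked mechanically. The following is an added example, not part of the Okta documentation: it flags an issuer or endpoint that still points away from the custom domain. The /oauth2/default issuer path, the dev-000000.okta.com host and the sample documents are constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def find_problems(discovery_url, metadata):
    """Return a list of problems found in an OIDC discovery document."""
    if not discovery_url.endswith(WELL_KNOWN):
        return [f"not a discovery URL: {discovery_url}"]
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    expected_host = urlsplit(discovery_url).hostname
    problems = []

    # OIDC Discovery: the issuer must be identical to the URL prefix
    # the document was retrieved from, or clients reject the tokens.
    issuer = metadata.get("issuer")
    if issuer != expected_issuer:
        problems.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")

    # Every advertised endpoint should be HTTPS on the custom domain.
    for field, value in sorted(metadata.items()):
        is_url_field = field.endswith("_endpoint") or field == "jwks_uri"
        if not is_url_field or not isinstance(value, str):
            continue
        url = urlsplit(value)
        if url.scheme != "https" or url.hostname != expected_host:
            problems.append(f"{field} points at {value!r}")
    return problems


def sample_metadata(base):
    """Constructed sample shaped like a discovery document (not real output)."""
    return {
        "issuer": base,
        "authorization_endpoint": f"{base}/v1/authorize",
        "token_endpoint": f"{base}/v1/token",
        "jwks_uri": f"{base}/v1/keys",
        "response_types_supported": ["code"],
    }


# Assumed URL layout: default Custom Authorization Server on the custom domain.
CUSTOM_URL = "https://subdomain.levine.org/oauth2/default" + WELL_KNOWN
BEFORE = sample_metadata("https://dev-000000.okta.com/oauth2/default")  # placeholder host
AFTER = sample_metadata("https://subdomain.levine.org/oauth2/default")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, find_problems(CUSTOM_URL, doc) or "OK")
```

In real use, pass the parsed JSON fetched from the discovery URL in place of the constructed samples.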