Skip to main content
This manual sets up Okta as the identity provider for two TrustGate credentials:
  1. OIDC role-based — for an LLM consumer whose routing is chosen from the token’s groups claim (roles).
  2. OAuth2 for MCP — for an MCP consumer gated by a custom scope.
Everything below uses Okta’s custom authorization server (the /oauth2/{authServerId} path). The default custom auth server ships in every Okta org, including the free Integrator Free Plan org — ideal for a POC. In production Workforce orgs the custom authorization server feature is the API Access Management product.

Prerequisites

  • An Okta org — note your domain, e.g. dev-123456.okta.com.
  • Admin access to Security → API and Applications.
  • A group you can route on (e.g. TrustGate-Engineering) under Directory → Groups.

The values you will collect


1. Authorization server

All steps happen in the Okta Admin Console at https://<your-org>-admin.okta.com (the admin console, not the end-user dashboard). Use the left sidebar to navigate.
1

Open the authorization servers list

In the left sidebar go to Security → API, then open the Authorization Servers tab.
2

Pick or create the server

Use the row named default, or click Add Authorization Server (top right) and fill:
  • Name: trustgate
  • Audience: api://trustgate
  • Description: anything.
Click Save.
3

Record the issuer and audience

Open the server and read the Settings tab. Copy the Issuer URI (https://{okta_domain}/oauth2/{okta_auth_server_id}) and the Audience — you will paste both into the TrustGate credential. The keys endpoint is the issuer plus /v1/keys:

2. Add a custom scope (for MCP)

Stay in Security → API → Authorization Servers → your server; the tabs below are on that server’s detail page.
1

Create the scope

Open the Scopes tab → click Add Scope:
  • Name: mcp.access
  • Display phrase: MCP access
  • Tick Include in public metadata.
Click Create.
2

Add an access policy

Open the Access Policies tab → click Add Policy:
  • Name: trustgate
  • Assign to clients: All clients (or select your app once it exists).
Click Create Policy.
3

Add a rule to the policy

On the policy you just created click Add Rule:
  • Rule name: m2m
  • Grant type: tick Client Credentials (also tick Authorization Code if you want an interactive user flow).
  • Scopes requested: Any scopes (or The following scopesmcp.access).
Click Create Rule.
A brand-new custom authorization server (including default on the free org) has no access policy — without a policy and a rule, Okta will not mint any token.

3. Add a groups claim (for role-based routing)

For OIDC role-based routing, the token must carry the claim you match roles on.
1

Create a group (if you don't have one)

In the left sidebar go to Directory → GroupsAdd Group. Name it TrustGate-Engineering, save, then open it and use Assign people to add users.
2

Add the claim

Back in Security → API → Authorization Servers → your server, open the Claims tab → Add Claim:
  • Name: groups
  • Include in token type: Access TokenAlways (repeat for ID Token if you also send ID tokens)
  • Value type: Groups
  • Filter: Matches regex .* (or Starts with TrustGate- to scope it)
Click Create.
3

Verify

After you mint a token (below), decode it and confirm the groups array carries the user’s group names.

4. OIDC role-based credential (LLM)

This credential is attached to a role_based LLM consumer. The token’s groups claim is matched against each role’s oidc_mapping.
1

Create the auth credential

Filled example:
2

Attach to a role-based consumer

Create an LLM consumer with routing_mode: role_based, then attach this credential and one or more roles. A role’s oidc_mapping matches the groups claim:

5. OAuth2 credential (MCP)

This credential is attached to an MCP consumer. Access is gated by required_scopes.
1

Create the client app

In the left sidebar go to Applications → Applications → click Create App Integration. Choose API Services (this is the client-credentials app type) → Next.
  • App integration name: trustgate-mcp
Click Save, then on the app’s General tab copy the Client ID and the Client secret (under Client Credentials). Make sure the access-policy rule from step 2 permits this client and the mcp.access scope.
2

Create the auth credential

Filled example:

6. Get a test token

Decode the access_token and confirm:
  • iss = https://dev-123456.okta.com/oauth2/default
  • aud = api://default
  • scp = ["mcp.access"]

Troubleshooting

Next: Entra ID.