Prerequisites
Ensure you have all of the following before you start:
Administrator access to your Okta account.
Administrator access to your NowGo account.
A configured NowGo subdomain.
SCIM already configured between Okta and NowGo.
Target users or groups identified for end-to-end testing.
Guide outcomes
When you complete this guide, you will have:
Connected NowGo to Okta using an OIDC integration
Entered the NowGo callback URI in Okta.
Saved the Okta OIDC credentials and OAuth2 Base URL in NowGo.
Provisioned and assigned users
Assigned target users to the Okta OIDC application
Verified the integration
Aligned OIDC identity claims with corresponding SCIM user values.
Completed an end-to-end SSO test with an assigned user.
‼ Important: A user can successfully authenticate with Okta but still be denied access in NowGo if they do not have the right IAM grants. SCIM provisioning and IAM group grants control authorisation; OIDC SSO controls authentication.
NowGo callback URI for Okta
When configuring Okta for OIDC SSO, provide the redirect URI supplied by NowGo. Okta sends the authorisation code to this URI after a user signs in. The value is displayed on the SSO Subdomain Settings page.
The expected format is:
https://<your-subdomain>.onpremonition.com/iam/sign-in/oauth2/continue
For example, if your chosen subdomain is 'customer', your redirect URI is:
https://customer.onpremonition.com/iam/sign-in/oauth2/continue
‼ Important: Enter this exact callback URI in your Okta application's sign-in redirect URIs. Using the wrong URI results in sign-in errors.
Configuring the Okta application
This section describes how to create the SSO app integration in Okta.
In the Okta Admin dashboard, navigate to Applications.
Click Create App Integration.
In the Create a New Application Integration popup, select OIDC - OpenID Connect for the Sign-in method.
Select Web Application for the Application type.
Click Next (or Create).
In the app configuration page, type a descriptive name like NowGo SSO Integration in the App integration name field.
Check the Authorization Code checkbox under Grant type.
Type your NowGo callback URI in the Sign-in redirect URIs field.
Click Save.
Copying Okta credentials to NowGo
This section describes how to transfer your new Okta app credentials into your NowGo settings.
From the Okta app, copy the Client ID and Client secret.
From the General Settings section, copy your Okta domain.
In NowGo, navigate to Settings, select Accounts & Security, and click SSO Credentials.
Type a descriptive name in the Label field (for example, Okta OIDC).
Paste the Okta Client ID in the Client ID field.
Paste the Okta Client secret in the Client secret field.
Type your Okta domain in the OAuth2 Base URL field using this exact format:
https://<okta-domain>/oauth2/v1/
‼ Important: NowGo uses the OAuth2 Base URL to construct requests to Okta's OAuth2 server. The URL entered in NowGo must end with a trailing slash (/).
(Optional) Check the Require reauthentication checkbox to force a credential prompt on each sign-in attempt.
Click Save changes.
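The two exact-format values in this guide (the NowGo callback URI entered in Okta and the OAuth2 Base URL entered in NowGo) can be checked before saving. This is an added example, not NowGo or Okta code. It assumes standard RFC 3986 relative resolution to show what a missing trailing slash does to an endpoint URL; how NowGo builds its requests internally is not documented here, and the Okta domain is a constructed placeholder.

```python
from urllib.parse import urljoin, urlsplit

# Host suffix and path are the callback format given in this guide.
CALLBACK_TEMPLATE = "https://{subdomain}.onpremonition.com/iam/sign-in/oauth2/continue"


def expected_callback(subdomain):
    """Build the callback URI NowGo expects for an org subdomain."""
    return CALLBACK_TEMPLATE.format(subdomain=subdomain)


def check_sso_settings(subdomain, okta_redirect_uris, oauth2_base_url):
    """Return a list of problems in the values entered in Okta and NowGo."""
    problems = []
    want = expected_callback(subdomain)
    # Redirect URIs must match exactly, so compare raw strings
    # without normalising case or trailing slashes.
    if want not in okta_redirect_uris:
        problems.append(f"{want!r} is not in Okta's sign-in redirect URIs")
    parts = urlsplit(oauth2_base_url)
    if parts.scheme != "https" or not parts.hostname:
        problems.append("OAuth2 Base URL must be an https URL with a host")
    if parts.path != "/oauth2/v1/":
        problems.append("OAuth2 Base URL path must be exactly /oauth2/v1/")
    if parts.query or parts.fragment:
        problems.append("OAuth2 Base URL must not carry a query or fragment")
    return problems


def resolve_endpoint(oauth2_base_url, name):
    """Resolve an endpoint name against the base URL (RFC 3986 rules)."""
    return urljoin(oauth2_base_url, name)


if __name__ == "__main__":
    # Constructed placeholder domain; substitute your own Okta domain.
    for base in ("https://acme.okta.example/oauth2/v1/",
                 "https://acme.okta.example/oauth2/v1"):
        print(base, "->", resolve_endpoint(base, "token"))
        print("  problems:", check_sso_settings(
            "customer", [expected_callback("customer")], base))
```

Without the trailing slash, relative resolution replaces the last path segment, so the token endpoint loses `v1` and the code exchange is sent to a path that does not exist.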
User assignment and validation
This section describes how to assign users to your Okta OIDC application and verify that Okta sends the correct identity values to NowGo.
Assigning users in Okta
In the Okta Admin Console, navigate to Applications.
Assign the users or groups who will be using SSO to sign into NowGo.
Cross-check that those same users or groups are also included in the Okta SCIM provisioning scope for NowGo.
Verify those same users exist in NowGo through SCIM. Check the Resources -> Drivers page for a driver row matching this user.
Verify those users are members of NowGo IAM groups that grant the required access. Check the Settings -> Accounts and Security -> IAM Groups page.
Verifying OIDC claims in Okta
In the Okta Admin Console, navigate to Security, and then click API.
Select the Authorization Server used by your OIDC application.
Click the Token Preview tab.
Type the name of your NowGo OIDC app in the OAuth/OIDC client field.
Select Authorization Code for the Grant type.
Select a target user assigned to the app in the User field.
Type openid, profile, and email in the Scopes field.
Click Preview Token.
In the id_token tab, confirm the email claim contains the same email address as the user's SCIM primary email.
Confirm the preferred_username claim matches their SCIM userName where possible.
‼ Important: A mismatch between the OIDC preferred_username claim and the SCIM userName value causes downstream issues when you update user details using SCIM.
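The claim comparison in the steps above can be scripted when checking more than a handful of users. This is an added example, not part of NowGo or Okta. It assumes the id_token payload has been copied as JSON from Token Preview and that the SCIM record is a standard SCIM 2.0 User resource; the sample user, the addresses and the fallback to the first email entry are constructed for illustration.

```python
import json

# Constructed sample: id_token payload as copied from Token Preview.
SAMPLE_CLAIMS = json.loads("""{
  "sub": "00u-constructed",
  "email": "Dana.Reyes@example.com",
  "preferred_username": "dana.reyes@example.com"
}""")

# Constructed sample: the same person as a SCIM 2.0 User resource.
SAMPLE_SCIM_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "dreyes",
    "emails": [
        {"value": "dana@personal.example", "type": "home"},
        {"value": "dana.reyes@example.com", "type": "work", "primary": True},
    ],
}


def scim_primary_email(scim_user):
    """Return the email flagged primary; else the first entry (assumption); else None."""
    emails = scim_user.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value")
    return emails[0].get("value") if emails else None


def _status(claim_value, scim_value):
    """Classify one claim against its SCIM counterpart."""
    if not claim_value or not scim_value:
        return "missing"
    if claim_value == scim_value:
        return "match"
    if claim_value.casefold() == scim_value.casefold():
        return "case-only"  # same value apart from letter case
    return "mismatch"


def compare_identity(claims, scim_user):
    """Compare the two id_token claims this guide checks with the SCIM record."""
    return {
        "email": _status(claims.get("email"), scim_primary_email(scim_user)),
        "preferred_username": _status(claims.get("preferred_username"),
                                      scim_user.get("userName")),
    }


if __name__ == "__main__":
    print(compare_identity(SAMPLE_CLAIMS, SAMPLE_SCIM_USER))
```

A `missing` result for `email` usually means the email scope was not requested in the preview or the user has no SCIM email entry.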
Verifying the integration
This section describes how to test your completed SSO workflow.
Choose a target user assigned to the Okta OIDC app.
Confirm that user is included in the Okta SCIM provisioning scope for NowGo.
Confirm that user exists in NowGo through SCIM.
Confirm that user belongs to IAM groups that grant the required access.
Log out of NowGo.
On the sign-in page, click Sign On with SSO.
Type your NowGo org subdomain.
Complete the sign-in flow in Okta.
Confirm you return to NowGo and access the expected dashboard or app area.
Expected negative outcomes
These outcomes are expected and indicate authorisation configuration issues rather than OIDC protocol failures. Successful SSO can still lead to limited or no useful product access when IAM grants are missing or incomplete.
User authenticates using Okta but cannot sign in to the NowGo mobile app: The user is created but lacks driver permissions. If the user was added using SCIM, check that they are a member of an IAM group with the Users in group can access app setting enabled.
User authenticates using Okta and signs in to NowGo Dashboard, but sees only an Account Settings page: The user is created but lacks dashboard permissions. If the user was added using SCIM, check that they are a member of an IAM group with the Users in group can access dashboard setting enabled.
This behaviour matches the IAM factsheet: successful SSO can still lead to limited or no useful product access when IAM grants are missing or incomplete.
IAM state caveats
Authorisation outcomes are determined by two separate control types. Because these controls are independent, users can authenticate successfully but still see different access outcomes depending on the combination.
Account-level enablement (manual account status):
Dashboard users: Account is active in Settings -> User accounts.
Driver users: Account enabled in Resourcing -> Drivers.
IAM-group authorisation (SCIM/IAM policy):
Dashboard access: Users in group can access dashboard.
Driver app access: Users in group can access app.
Account toggle | IAM group access toggle | What admins see | Likely user experience | What to check next |
ON | ON | User account is active and IAM group grants access. | Sign in works as expected. | If access fails, check the Troubleshooting reference tables. |
ON | OFF | User account is enabled but access is not managed by IAM groups. | Sign in works as expected. | Modifying IAM groups does not impact these users. Check SCIM groups if needed. |
OFF | ON | IAM groups grant access, but individual users show as disabled. | Sign in works as expected. | This is the expected configuration state for users provisioned using SCIM. |
OFF | OFF | User account is inactive and IAM group does not grant access. | User is treated as deactivated. | Re-enable the account or restore required IAM group grants to restore access. |
Troubleshooting
Use these user-visible phases to diagnose SSO issues:
1. After clicking sign in, but before reaching Okta.
2. After signing in with Okta.
3. Post-redirect outcome.
Mobile app troubleshooting
Phase | What the user sees | Most likely cause | What admin should check |
1 | Invalid Subdomain alert | Unknown subdomain, or org lacks an IAM identity provider. | Confirm the subdomain is correct and SSO credentials exist in NowGo. |
1 | App does not proceed to Okta | Invalid redirect setup generated at sign-in start. | Confirm callback values are configured consistently for the tenant. |
2 | Invalid Login Details alert | App did not receive an authorisation code on redirect. | Verify Okta app assignment and check the redirect URI format. |
2 | Single Sign-on failed alert | Failed code exchange or expired authorisation code. | Retry logging in; verify no proxy layer is modifying query parameters. |
2 | Generic auth failure alert | OAuth2 credential mismatch between NowGo and Okta. | Re-check NowGo SSO values and verify the OAuth2 Base URL ends with a slash. |
3 | Sign in fails with account message | Driver account is not eligible for app access. | Check driver status in NowGo (enabled, not expired). |
3 | Signed in but limited access | Authentication succeeded; authorisation is missing. | Confirm IAM group grants for driver access. |
3 | Redirects to unexpected flow | Callback destination mismatch. | Reconcile all redirect values across subdomain and Okta settings. |
Web app troubleshooting
Phase | What the user sees | Most likely cause | What admin should check |
1 | Invalid subdomain alert | Subdomain contains invalid characters. | Re-enter only the org subdomain value (no protocol or full domain). |
1 | Does not reach Okta sign-in | Unknown subdomain, or org lacks SSO configuration. | Confirm the subdomain exists and SSO credentials are saved in NowGo. |
2 | Returns to sign-in page | Dashboard callback did not include authorisation code. | Verify Okta sign-in redirect URI points to the correct tenant subdomain. |
2 | Connection trouble alert | Network failure during sign-in completion. | Check browser connectivity and confirm NowGo API is reachable. |
2 | Authentication failed alert | OIDC authorisation code flow failed. | Retry logging in; re-check Client ID, Client secret, and OAuth2 Base URL. |
2 | Account deactivated alert | User lacks an active IAM user in NowGo. | Confirm the user exists in NowGo, then re-provision access grants. |
3 | Signed in but limited access | Authentication succeeded; authorisation is missing. | Confirm IAM group grants for dashboard access. |
3 | Redirects to unexpected flow | Callback destination mismatch. | Reconcile NowGo subdomain settings and Okta callback values. |
Final checklist
Before going live, confirm the guide has helped you reach and verify this end state:
Okta app is configured as an OIDC Web Application with Authorization Code grant.
Redirect URI is entered exactly and matches the NowGo callback format.
NowGo SSO credentials are saved with a valid Okta OAuth2 Base URL.
Okta OAuth2 Base URL ends with a trailing slash (/).
Target users or groups are assigned to the Okta OIDC app.
Those same users are included in the Okta SCIM provisioning scope for NowGo.
OIDC email claim contains the user's email address.
OIDC preferred_username claim is mapped to the same value as SCIM userName where possible.
SCIM sync is active and target users exist in NowGo.
IAM group grants are set for all required user personas.
At least one end-to-end test succeeds with a real assigned user.
