This information comes from notes during the implementation of Okta within an Avalon instance.

TL,DR

Check these two commits

Steps

Add to Gemfile

gem 'omniauth-oktaoauth'

Add Okta provider to User model, use email as username

devise_list <<  { omniauth_providers: [:oktaoauth] } if ENV['OKTA_CLIENT_ID']

def self.find_by_username_or_email(login)
  create(username: email, email: email, password: Devise.friendly_token[0, 20], provider: provider)
end

Setup Okta params in config/initializers/devise.rb

    if provider[:provider] == :oktaoauth
      okta_params = params.delete(:oauth_credentials)
      params[:strategy_class] = params[:strategy_class].constantize if params.has_key?(:strategy_class)
      okta_params << params
      params = okta_params
    end

Add Okta config to auth block in config/settings.yml

  configuration:
  <% if ENV['OKTA_CLIENT_ID'] %>
  - :name: Avalon Okta Oauth
    :provider: :oktaoauth
    :hidden: false
    :params:
      :oauth_credentials: [<%= ENV['OKTA_CLIENT_ID'] %>, <%= ENV['OKTA_CLIENT_SECRET'] %>]
      :scope: 'openid profile email'
      :fields: ['profile','email']
      :client_options:
        site: <%= ENV['OKTA_ISSUER'] %>
        authorize_url: <%= ENV['OKTA_ISSUER'] + "/v1/authorize" %>
        token_url: <%= ENV['OKTA_ISSUER'] + "/v1/token" %>
      :redirect_uri: <%= ENV["OKTA_REDIRECT_URI"] %>
      :auth_server_id: <%= ENV['OKTA_AUTH_SERVER_ID'] %>
      :issuer: <%= ENV['OKTA_ISSUER'] %>
      :strategy_class: 'OmniAuth::Strategies::Oktaoauth'
  <% end %>

Example config

OKTA_ISSUER=https://okta.example.edu/oauth2
OKTA_REDIRECT_URI=https://avalon.example.edu/users/auth/oktaoauth/callback
OKTA_AUTH_SERVER_ID=""

Avoid infinite redirect, add to after_omniauth_failure_path_for method in app/controllers/users/omniauth_callbacks_controller.rb

    when 'oktaoauth'
      msg = I18n.t 'devise.omniauth_callbacks.failure', reason: failure_message
      root_path

Browser not supported