ConductorOne docs

Set up an Okta v2 connector

ConductorOne provides identity governance and just-in-time provisioning for Okta. Integrate your Okta instance with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

This is an updated and improved version of the Okta connector! If you’re setting up Okta with ConductorOne for the first time, you’re in the right place.

Capabilities

Resource	Sync	Provision
Accounts	✅
Groups	✅	✅
Application assignments	✅	✅
Standard and custom admin roles	✅

Syncing standard and custom admin roles requires a super admin token.

Gather Okta credentials

Configuring the connector requires you to pass in credentials generated in Okta. Gather these credentials before you move on.

API token permissions and ConductorOne capabilities

ConductorOne’s capabilities depend on the permissions of the API token used to set up the connector:

ConductorOne capability	Custom read-only token	Read-only + app admin + group admin token	Super admin token
Review group membership	✅	✅	✅
Provision group membership		✅	✅
Review application assignment	✅	✅	✅
Provision application assignment		✅	✅
Review admin roles			✅

Instead of generating a new API token, you can use an existing API token generated with Super Admin or a combination of Read Only/App Admin/Group Admin privileges. To learn more about Okta roles, visit https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm

(Optional) Create a custom read-only admin role

To give the ConductorOne integration limited read-only admin permissions, you’ll need to create a custom Okta admin role and resource set and assign them to the admin you’ll use to generate the API key.

In Okta, log in to the Admin Dashboards and navigate to Security > Administrators > Roles.
Click Create new role.
Give the new role a name and description, such as “ConductorOne integration read-only admin”.
Give the role the View roles, resources, and admin assignments permission (this is found in the Identity and access management permissions section).
Click Save role.
Next, navigate to Security > Administrators > Resources.
Click Create new resource set.
Give the new resource set a name and description, such as “Read-only admin for C1 integration”.
Click Add resources.
Find the Identity and access management resource type and select View roles, resources, and admin assignments.
Click Save selection, then click Create. The resource set is now shown on the Resources tab.
Now we’ll assign the resource set to an admin. (If you need to do so, make a service account following the instructions below, then return to finish this process.) Click Edit on the new resource set and select View or edit assignments.
In the Complete the assignment section of the page, select the role and resource set you just created.
Click Save changes.

Now you can skip ahead to the instructions to create an API token.

(Optional) Create a service account for the API token

If desired, you can create a service account user in Okta that has the permissions for the API token.

Navigate to Directory > People and click Add person.
Enter the necessary user details to create a user. You might want to use identifiers that make it easily recognizable as a service account, such as First Name: ReadOnly, Last Name: ServiceUser.
Set the Password for the account and carefully save it somewhere secure.
Click Save.
At this point, if you’ve created a custom read-only role, stop here and return to the instructions above. If you’re using a standard Okta admin role, continue on.

Navigate to Security > Administrator and click Add administrator.
Enter the email address for your newly created Service Account to select the user.
Select the administrator roles to grant: Super Administrator or a combination of Read Only + Application Admin + Group Admin.
Click Add Administrator.

Create an API token

When creating an API token, Okta assigns the permissions of the currently logged-in user to the token. If, for example, you wish to use a Read Only Admin-scoped API token, you must log in to Okta as a user with the Read Only Admin role assigned.

Log into Okta with the account you’ll use to generate the API token. The account must have Super Administrator, the custom read-only role you created above, or a combination of Read Only/App Admin/Group Admin privileges. The permissions on the API token affects what features and functionality are available from ConductorOne. Before you begin, review the chart in API permissions and ConductorOne capabilities to make sure you’re creating a token with the right permissions for your needs.
In the Okta console, navigate to Security > API and click Tokens.
Click Create Token.
Give your token a name, such as ConductorOne, and click Create Token.
Copy and save the new API token.

That’s it! Next, move on to the connector configuration instructions.

Configure the Okta connector

To complete this task, you’ll need:
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of Okta credentials generated by following the instructions above

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

In ConductorOne, navigate to Admin > Connectors and click Add connector.
Search for Okta v2 and click Add.
Choose how to set up the new Okta connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Enter your Okta domain (the URL of your Okta instance is <YOUR DOMAIN>.okta.com) into the Okta domain field.
Paste your API token into the API token field.
Optional. If desired, click the checkbox to Sync custom roles.
Optional. If desired, click the checkbox to Skip secondary emails when syncing user information.
Optional. If desired, click the checkbox to Sync secrets (API tokens) and display them on the Inventory page.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Okta connector is now pulling access data into ConductorOne.

Follow these instructions to use the Okta connector, hosted and run in your own environment.

When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Step 1: Set up a new Okta connector

In ConductorOne, navigate to Connectors > Add connector.
Search for Baton and click Add.
Choose how to set up the new Okta connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
In the Settings area of the page, click Edit.
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Okta connector deployment:

Secrets configuration

# baton-okta-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-okta-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # Okta credentials
  BATON_API_TOKEN: <Okta API token>
  BATON_DOMAIN: <Your Okta domain>

  # Optional: include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-okta.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-okta
  labels:
    app: baton-okta
spec:
  selector:
    matchLabels:
      app: baton-okta
  template:
    metadata:
      labels:
        app: baton-okta
        baton: true
        baton-app: okta
    spec:
      containers:
      - name: baton-okta
        image: ghcr.io/conductorone/baton-okta:latest
        imagePullPolicy: IfNotPresent
        envFrom:
        - secretRef:
            name: baton-okta-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Okta connector to. Okta data should be found on the Entitlements and Accounts tabs.

That’s it! Your Okta connector is now pulling access data into ConductorOne.

What’s next?

If Okta is your company’s identity provider (meaning that it is used to SSO into other software), the connector sync will automatically create applications in ConductorOne for all of your SCIMed software. Before you move on, review the Create applications page for important information about how to set up connectors for the SCIMed apps.