See how Ramp uses ConductorOne

ConductorOne Docs

Okta connector

Integrations with the applications from which ConductorOne pulls identity data are called connectors.


Okta is a popular cloud directory and SSO solution for enterprises. Okta stores identity, group, and application information for your organization. ConductorOne connects with your Okta cloud instance to sync identities and entitlements.


General availability. The Okta integration is available to all ConductorOne users.


  • Sync identities from Okta to ConductorOne
  • Promote identities from application users to ConductorOne users
  • Entitlements Supported:
    • Groups
    • Org Roles
    • Application Assignments

Depending on the permissions of the Okta API Token, ConductorOne has different functionality that it can provide. To learn more, see Creating an Okta API token below.


Connecting to your Okta Cloud Directory requires you to have:

  • Super Administrator role in ConductorOne
  • Read Only or Super User Admin role in Okta

Create an Okta API token

You can skip these instructions and proceed to Integrate your Okta instance if you already have an API token generated with Super Admin, Read Only Admin or a combination of Read Only/App Admin/Group Admin privileges. To learn more about Okta roles, visit

(Optional) Step 1: Create a Service Account for the API Token

If desired, you can create a Service Account user in Okta that has the permissions for the API Token.

  • Navigate to Directory » People
  • Enter the necessary user details to create a user. You may wish to use identifiers that make it easily recognizable as a service account e.g. First Name: ReadOnly, Last Name: ServiceUser
  • Set the Password for the account and store it securely in a vault
  • Navigate to Security » Administrator
  • Email: Enter the email [used above] for the Service Account to select the user
  • Select the administrator roles to grant: Read Only Admin, Super Administrator, or combination of Read Only +Application Admin + Group Admin.
  • Click Add Administrator [Save]

Step 2: Log into Okta

Log into Okta with the account with which you will generate the API Token. The account must have Read Only Administrator, Super Administrator, or a combination of Read Only/App Admin/Group Admin privileges. The permissions on the API Token effects what features and functionality are available from ConductorOne.

Step 3: Create the API Token

In the Okta console, follow the below steps:

  • Navigate to Security » API
  • Click Tokens
  • Click Create Token
  • Name your API Token e.g. ConductorOne
  • Copy the API Token that is generated for the Okta Integrations module

Capabilities of API Token Permissions

Depending on the permissions that the API Token has, ConductorOne will be able to perform differing functionality. The matrix of these capabilities is below:

Product Capabilities Read Only Admin Super Administrator Read Only + Application Admin + Group Admin
Access Reviews Group Memberships Yes Yes Yes
Provisioning Group Memberships - Yes Yes
Access Reviews Application Assignments Yes Yes Yes
Provisioning Application Assignments - Yes Yes
Access Reviews Okta Roles - Yes
Provisioning Okta Roles - Yes

Integrate your Okta instance

Use these instructions to connect your Okta environment to ConductorOne with your API token.

Note that, when creating an API Token, Okta assigns the permissions of the currently logged-in user to the created API Token. If you wish to use a Read Only Admin scoped API token, for example, you will need to log in to Okta as a user with the Read Only Admin role assigned.

  • In ConductorOne, navigate to Integrations
  • Click the Okta Integration
  • Input the following:
    • Domain: the domain will be the URL for the account e.g.
    • API Token: the API Token

ConductorOne requires an API Token with Read Only Admin OR Super Admin scoped permissions.

  • Click Next to complete the workflow

Check your Import Status

  • Once connected, a blue checkmark will appear under Okta on the Integrations Page
  • Review the status of your Data Import from Okta by clicking » the Okta tile » then Manage
  • In the top right corner of the module, click » View Logs » when complete the message will read: “Completed Entitlement Bindings Import” (the import time will depend on the size of your import).