Shine a light on shadow apps

ConductorOne Docs

Okta integration

ConductorOne provides identity governance and just-in-time provisioning for Okta. Integrate your Okta instance with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Availability

βœ… General availability. The Okta integration is available to all ConductorOne users.

Capabilities

  • Sync user identities from Okta to ConductorOne

  • Promote identities from application users to ConductorOne users

  • Resources supported:

    • Groups
    • Org roles (requires a super admin token)
    • Application assignments
  • Provisioning supported:

    • Group membership
    • Application assignment

Depending on the permissions of the Okta API Token, ConductorOne has different functionality that it can provide. See the next section for more information.

API token permissions and ConductorOne capabilities

ConductorOne’s capabilities depend on the permissions of the API token used in the integration:

ConductorOne capabilityRead-only admin tokenRead-only + app admin + group admin tokenSuper admin token
Review group membershipβœ…βœ…βœ…
Provision group membershipβœ…βœ…
Review application assignmentβœ…βœ…βœ…
Provision application assignmentβœ…βœ…
Review Okta rolesβœ…

Set up the Okta integration

This task requires either the Integration Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, open Admin and click Integrations > Okta.

  2. If this is your first Okta integration, the integration form opens automatically. Otherwise, click Add connector.

  3. Choose whether to add the new Okta connector as a data source to an existing application (and select the app of your choice) or to create a new application.

  4. Set the integration owner for this connector. You can manage the integration yourself, or choose someone else from the list of ConductorOne users. Setting multiple integration owners is allowed.

    A Okta integration owner must have the following permissions:

    • Integration Administrator or Super Administrator role in ConductorOne
    • Read Only Admin or Super Admin role in Okta
  1. Click Create and add details.

Next steps

  • If you are the integration owner, proceed to Integrate your Okta instance for instructions on integrating Okta with ConductorOne.

  • If someone else is the integration owner, ConductorOne will notify them by email that their help is needed to complete the integration.

Integrate your Okta instance

A user with the Integration Administrator or Super Administrator role in ConductorOne and Read Only Admin or Super Admin role in Okta must perform this task.

You can skip Steps 1 and 2 and proceed to Step 3 if you already have an API token generated with Super Admin, Read Only Admin or a combination of Read Only/App Admin/Group Admin privileges. To learn more about Okta roles, visit https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm

(Optional) Step 1: Create a service account for the API token

If desired, you can create a service account user in Okta that has the permissions for the API token.

  1. Navigate to Directory > People and click Add person.

  2. Enter the necessary user details to create a user. You might want to use identifiers that make it easily recognizable as a service account, such as First Name: ReadOnly, Last Name: ServiceUser.

  3. Set the Password for the account and store it securely in a vault.

  4. Navigate to Security > Administrator and click Add administrator.

  5. Enter the email address for your newly created Service Account to select the user.

  6. Select the administrator roles to grant: Read Only Admin, Super Administrator, or a combination of Read Only + Application Admin + Group Admin.

  7. Click Add Administrator.

Step 2: Create an API token

When creating an API token, Okta assigns the permissions of the currently logged-in user to the token. If, for example, you wish to use a Read Only Admin-scoped API token, you must log in to Okta as a user with the Read Only Admin role assigned.

  1. Log into Okta with the account you’ll use to generate the API token. The account must have Read Only Administrator, Super Administrator, or a combination of Read Only/App Admin/Group Admin privileges. The permissions on the API token affects what features and functionality are available from ConductorOne. Before you begin, review the chart in API permissions and ConductorOne capabilities to make sure you’re creating a token with the right permissions for your needs.

  2. In the Okta console, navigate to Security > API and click Tokens.

  3. Click Create Token.

  4. Give your token a name, such as ConductorOne and click Create Token.

  5. Copy and save the new API token.

Step 3: Add your Okta credentials to ConductorOne

  1. In ConductorOne, open Admin and click Integrations > Okta.

  2. In the list of connectors, locate and click on the name of the connector with the Not connected label.

  3. Find the Settings area of the page and click Edit.

  4. Enter your Okta domain (the URL of your Okta instance is <YOUR DOMAIN>.okta.com) into the Okta domain field.

  5. Paste your API token into the API key field.

  6. Click Save.

  7. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Okta instance is now integrated with ConductorOne.

What’s next?

If Okta is your company’s identity provider (meaning that it is used to SSO into other software), the integration sync will automatically create applications in ConductorOne for all of your SCIMed software. Before you move on, review the Create applications page for important information about how to set up integrations with the SCIMed apps.

Configure the Okta integration using Terraform

As an alternative to the integration process described above, you can use Terraform to configure the integration between Okta and ConductorOne.

See the ConductorOne Okta integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.