Okta is a popular cloud directory and SSO solution for enterprises. Okta stores identity, group, and application information for your organization. ConductorOne connects with your Okta cloud instance to sync identities and entitlements.
✅ General availability. The Okta integration is available to all ConductorOne users.
- Sync identities from Okta to ConductorOne
- Promote identities from application users to ConductorOne users
- Entitlements Supported:
  - Org Roles
  - Application Assignments
The functionality ConductorOne can provide depends on the permissions of the Okta API Token. To learn more, see Create an Okta API token below.
Connecting to your Okta Cloud Directory requires you to have:
- Super Administrator role in ConductorOne
- Read Only or Super User Admin role in Okta
Create an Okta API token
You can skip these instructions and proceed to Integrate your Okta instance if you already have an API token generated with Super Admin, Read Only Admin or a combination of Read Only/App Admin/Group Admin privileges. To learn more about Okta roles, visit https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm
(Optional) Step 1: Create a Service Account for the API Token
If desired, you can create a Service Account user in Okta that has the permissions for the API Token.
- Navigate to Directory » People
- Enter the necessary user details to create a user. You may wish to use identifiers that make it easily recognizable as a service account, e.g. First Name: ReadOnly, Last Name: ServiceUser
- Set the Password for the account and store it securely in a vault
- Navigate to Security » Administrator
- Email: Enter the email [used above] for the Service Account to select the user
- Select the administrator roles to grant: Read Only Admin, Super Administrator, or a combination of Read Only + Application Admin + Group Admin.
- Click Add Administrator [Save]
Step 2: Log into Okta
Log into Okta with the account you will use to generate the API Token. The account must have Read Only Administrator, Super Administrator, or a combination of Read Only/App Admin/Group Admin privileges. The permissions on the API Token affect which features and functionality are available from ConductorOne.
Step 3: Create the API Token
In the Okta console, follow the steps below:
- Navigate to Security » API
- Click Tokens
- Click Create Token
- Name your API Token e.g. ConductorOne
- Copy the API Token that is generated for the Okta Integrations module
Capabilities of API Token Permissions
What ConductorOne can do depends on the permissions that the API Token has. The matrix of these capabilities is below:
| Product | Capabilities | Read Only Admin | Super Administrator | Read Only + Application Admin + Group Admin |
| --- | --- | --- | --- | --- |
| Access Reviews | Group Memberships | Yes | Yes | Yes |
| Access Reviews | Application Assignments | Yes | Yes | Yes |
| Access Reviews | Okta Roles | - | Yes | |
Integrate your Okta instance
Use these instructions to connect your Okta environment to ConductorOne with your API token.
Note that, when creating an API Token, Okta assigns the permissions of the currently logged-in user to the created API Token. If you wish to use a Read Only Admin scoped API token, for example, you will need to log in to Okta as a user with the Read Only Admin role assigned.
- In ConductorOne, navigate to Integrations
- Click the Okta Integration
- Input the following:
  - Domain: the domain will be the URL for the account, e.g. acmeco.okta.com
  - API Token: the API Token
ConductorOne requires an API Token with Read Only Admin OR Super Admin scoped permissions.
- Click Next to complete the workflow
Check your Import Status
- Once connected, a blue checkmark will appear under Okta on the Integrations Page
- Review the status of your Data Import from Okta by clicking the Okta tile, then Manage
- In the top right corner of the module, click View Logs. When the import is complete, the message will read: “Completed Entitlement Bindings Import” (the import time will depend on the size of your import).