Okta
Connect your Okta instance to use Opal to manage and review access.
Opal's integration with Okta lets you manage access to your Okta groups, applications, users, and admin roles.
Our integration supports the following, and more:
- Users can request time-bounded access to your Okta groups, apps, and admin roles
- Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to Okta groups, apps, and admin roles
- Admins can add resources from other Opal integrations to an Okta group so an Okta group's members can automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
- All access changes are tracked in a permanent audit log that can notify a Slack channel or be exported to your favorite tools.
Connecting your Okta instance to Opal is as easy as generating an API token in Okta, entering it in Opal, and starting an import. For more details, please read on.
Getting Started
To get started, go to the Catalog page, click + App at the top right. Then, click on the Okta Directory tile.
You will see a form to be completed. Opal requires the below credentials in order to manage access to your Okta instance.
Step 1 - Configure an API token for Opal
Opal uses an Okta API token to connect to your Okta instance.
We suggest that you create a separate Okta user that creates and owns the API token. This lets you customize the permission scopes available to Opal and ensure that these scopes don't change. Additionally, Okta will log any access changes that Opal pushes to Okta under the separate account's name.
To create an account, follow these steps for adding a new user on Okta.
Next, grant the appropriate permissions to your new account based on what you'd like Opal to manage. To do this, navigate to Security -> Administrators, and add the desired Okta Admin Roles from the following table:
Required Okta admin roles | What Opal can manage |
---|---|
Super Admin | Okta groups, apps, users, and admin roles |
Organization Admin, Application Admin, Group Admin | Okta groups, apps, and users |
Group Membership Admin, Read-Only Admin | Okta groups and users |
Finally, generate an API token as the new account:
- Log in to the new account on Okta.
- Navigate to Security -> API.
- Click on the Tokens tab.
- Click Create Token on the top left.
- Record the generated token.
Step 2 - Upload your Okta credentials
Back in the Opal New App form, fill in details about your Okta organization:
- Organization hostname: enter the URL hostname of your Okta organization (e.g. "mydomain.okta.com")
- API token: enter the API token you just created
If this step is successful, you've completed setting up the Okta App!
Automatic import (Okta groups only)
You can configure your Okta groups to be auto-imported into Opal each time the Okta app is synced. Sync happens throughout the day, approximately once an hour. Sync can also be manually triggered by an admin by clicking the Sync button in the top-right of the app.
- In Okta, create a custom group profile attribute
opal
- Navigate to Directory > Profile Editor, then select the desired group profile and click Add attribute.
- Fill out the form as follows, and click Save:
- Set the
opal
attribute totrue
for all Okta groups you want to auto-import. - Enable auto-import in Opal
- Click into your newly-created Okta app by going to Apps on the left sidebar.
- Click the Edit button
- Next to Import Settings > Import setting. Toggle the setting to Auto-import tagged.
Updated 4 months ago