Skip to content

SSO Okta Security Permissions

Minimum Security

  • Enforce signed assertions.

  • Use TLS 1.2+ on metadata and ACS endpoints.

  • Limit who can edit app configuration and certificate rotation in Okta.

  • Keep administrative access and certificate rotation permissions tightly scoped to minimize risk.

Group Mapping and RBAC

  • Use groups for role assignment only (do not use groups for other application logic).

  • Maintain a small admin group with tightly controlled membership.

  • Provide mapping JSON to SailPoint Entro for role/group mappings.

  • Ensure the mapping JSON includes the exact group identifiers SailPoint Entro expects (no additional fields).

Cert Rotation

  1. Upload replacement certificate

    Upload the new certificate into the Okta app configuration before swapping it to avoid downtime.

  2. Validate with test user

    Validate the new certificate by signing in with a test user and confirming assertions are accepted.

  3. Coordinate rotation window

    Coordinate the certificate swap window with SailPoint Entro to ensure both sides switch at the agreed time.

SCIM / Provisioning Notes (If Used)

  • For SCIM, provide the SCIM base URL and SCIM key from SailPoint Entro.

  • Ensure the SCIM key has minimal provisioning scopes required for the integration.

  • Only grant provisioning scopes that are strictly necessary (Principle of Least Privilege).

Logging and Audit

  • Check Okta System Logs for SAML transactions and related events.

  • SailPoint Entro logs must capture assertion_id and email for correlation and troubleshooting.

  • Use assertion_id to correlate SAML assertions between Okta and SailPoint Entro.

  • Include the user's email in logs for user-level auditing.

  • Review System Logs around certificate rotation windows to detect failures.