SSO Okta Security Permissions
Minimum Security
-
Enforce signed assertions.
-
Use TLS 1.2+ on metadata and ACS endpoints.
-
Limit who can edit app configuration and certificate rotation in Okta.
-
Keep administrative access and certificate rotation permissions tightly scoped to minimize risk.
Group Mapping and RBAC
-
Use groups for role assignment only (do not use groups for other application logic).
-
Maintain a small admin group with tightly controlled membership.
-
Provide mapping JSON to SailPoint Entro for role/group mappings.
-
Ensure the mapping JSON includes the exact group identifiers SailPoint Entro expects (no additional fields).
Cert Rotation
-
Upload replacement certificate
Upload the new certificate into the Okta app configuration before swapping it to avoid downtime.
-
Validate with test user
Validate the new certificate by signing in with a test user and confirming assertions are accepted.
-
Coordinate rotation window
Coordinate the certificate swap window with SailPoint Entro to ensure both sides switch at the agreed time.
SCIM / Provisioning Notes (If Used)
-
For SCIM, provide the SCIM base URL and SCIM key from SailPoint Entro.
-
Ensure the SCIM key has minimal provisioning scopes required for the integration.
-
Only grant provisioning scopes that are strictly necessary (Principle of Least Privilege).
Logging and Audit
-
Check Okta System Logs for SAML transactions and related events.
-
SailPoint Entro logs must capture assertion_id and email for correlation and troubleshooting.
-
Use assertion_id to correlate SAML assertions between Okta and SailPoint Entro.
-
Include the user's email in logs for user-level auditing.
-
Review System Logs around certificate rotation windows to detect failures.