Configuring Okta as a Provider

Integrating SailPoint Identity Risk with Okta provides:

  • Detailed user information - name, email address, and additional user role data
  • Access logs - such as which resource was accessed
  • Access outcomes - such as was the access allowed or denied, and for what reason

Prerequisites

To get started, you will need the following:

Okta:

  • User with appropriate administrator privilege
  • Display name for the Okta provider
  • Organization URL assigned to the Okta tenant
  • API Token associated with a read-only administrator service account within this tenant

Refer to the Okta Help Center for more information on the Read-only Administrator role and Okta API Tokens.

Create a New Okta Provider in Identity Risk

In Identity Risk:

  1. In Identity Risk select Settings.
  2. Select Configure Providers.
  3. Select Okta.
  4. Enter a unique name for your provider.
  5. Leave the Provider page open, you will return here to complete the configuration.

In Okta:

  1. In Okta Administrator Console, select the user dropdown in the top right corner and copy the fully qualified domain name of your Okta tenant.
  2. In Identity Risk, paste the fully qualified domain name value into the Okta Organizational URL field.

    Note

    The Organization URL must include the https:// prefix and must not be confused with the Admin URL, which carries the -admin suffix. The Organization URL has the form https://[tenantname].okta.com

  3. In Okta Administrator Console select Directory > People to create a service account.

    An Okta API Token inherits the privilege level of the account from which it is created. For further information, refer to Okta Create an API Token.

    The Read-only Administrator role grants the permissions needed both to create the API token and to integrate with Identity Risk.

  4. Select Add person.

  5. In Add Person, enter the following details:

    • User type - can be customized if you have used the profile editor to define an alternative service account user type.
    • First name - enter the first name for the account.
    • Last name - enter the last name for the account.
    • Username - enter the username for the account.
    • Primary email - enter a primary email address for the account if applicable.
    • Groups (optional) - enter Service Accounts.
    • Activation - select Activate now and select I will set password. Enter a password. Deselect the User must change password on first login checkbox.
  6. Select Save.

  7. Select Security > Administrators.
  8. In Administrators > Overview select + Add administrator.
  9. Select the new service account user from the Admin drop-down.
  10. In Administrator assignment by admin, select the service account added.
  11. Under Complete the assignment, select the Role dropdown and select Select a role.
  12. Select Read-only Administrator.

    Note

    Although Okta does offer a Report Administrator role, which includes permissions to view all reports and the System Log, this role does not support the creation of API tokens necessary for API access as required for this integration.

  13. Select Save Changes.

  14. Select Directory > People and confirm that the service account has been created and is active.
  15. Sign out and log in to the Okta Administrator Console using the new service account username and password.
  16. In Set up security methods select Set up for Okta Verify as MFA is required for the Okta login policy.
  17. Select your preferred security method and select Continue.
  18. When successfully authenticated, select Security > API.
  19. In API, select Tokens.
  20. Select Create token.
  21. In Create token:

    • Enter a name for your Identity Risk token.
    • Select Any IP for the API calls dropdown list.
  22. Select Create token. The token is created.

  23. Copy the Token Value.

In Identity Risk:

  1. In Identity Risk, paste the Token value into the Okta API Token field.

    Note

    Okta API Tokens can be managed and revoked through the Okta Administrator Console under the Security > API menu. Tokens are valid for 30 days and automatically renew every time they are used. For further information, refer to API Token Management Guide.

  2. Select Create. The Okta provider is created, and you are directed to a success screen. You may return to the Configure Providers page to view the status of the provider.

    When the provider is successfully created, data is ingested, processed, and correlated within Identity Risk. Data can then be viewed and explored through the Identity Map and Insights.
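The two settings this procedure produces, the Organization URL and a token tied to a Read-only Administrator account, are easy to get subtly wrong (an Admin URL pasted by mistake, or a token created while signed in as a broader admin). The following pre-flight check is an added example, not SailPoint or Okta code; it assumes the Okta endpoints GET /api/v1/users/me and GET /api/v1/users/{id}/roles with the SSWS token header, and the transport is injectable so the check runs offline against constructed sample responses.

```python
"""Pre-flight check for an Okta provider: validate the Organization URL per the
note above and confirm the API token belongs to a Read-only Administrator.
Added example, not SailPoint or Okta code; the endpoints used are Okta's
documented users/me and user roles calls, sent with the SSWS token header."""
import json
import re
import urllib.request
from typing import Any, Callable

# Organization URL shape from the note: https://<tenant>.okta.com, no path.
ORG_URL_RE = re.compile(r"^https://([a-z0-9-]+)\.(okta\.com|oktapreview\.com|okta-emea\.com)$")

def validate_org_url(url: str) -> str:
    """Return the normalised Organization URL or raise ValueError when it is
    missing https://, carries a path, or is the -admin Admin URL instead."""
    url = url.strip().lower().rstrip("/")
    m = ORG_URL_RE.match(url)
    if not m:
        raise ValueError(f"not an https://<tenant>.okta.com Organization URL: {url!r}")
    if m.group(1).endswith("-admin"):
        raise ValueError("Admin URL given (-admin suffix); use the Organization URL")
    return url

def okta_get(org_url: str, token: str, path: str) -> Any:
    """Default transport: GET an Okta API path authenticated with the SSWS token."""
    req = urllib.request.Request(org_url + path, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def check_token_is_read_only(org_url: str, token: str,
                             fetch: Callable[[str, str, str], Any] = okta_get) -> list[str]:
    """Resolve the token's owner and return the admin role types it holds other
    than READ_ONLY_ADMIN; an empty list means the least-privilege setup above."""
    org_url = validate_org_url(org_url)
    me = fetch(org_url, token, "/api/v1/users/me")
    roles = fetch(org_url, token, f"/api/v1/users/{me['id']}/roles")
    return sorted({r["type"] for r in roles if r.get("type") != "READ_ONLY_ADMIN"})

# Constructed sample responses standing in for a live tenant (not real data).
SAMPLE = {
    "/api/v1/users/me": {"id": "00u_example", "profile": {"login": "idrisk-svc@example.com"}},
    "/api/v1/users/00u_example/roles": [{"id": "ra_example", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"}],
}

def sample_fetch(org_url: str, token: str, path: str) -> Any:
    return SAMPLE[path]

if __name__ == "__main__":
    extra = check_token_is_read_only("https://acme.okta.com/", "<API token placeholder>", sample_fetch)
    print("roles beyond Read-only Administrator:", extra or "none")
```

Run it with the default transport and a real token to confirm a new provider's settings before pasting them into Identity Risk; any role listed in the result means the token was created from an account with more privilege than the procedure intends.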

Deleting Providers

To remove an Okta provider from Identity Risk:

  1. In Okta Administrator Console delete the Identity Risk token. Once the token has been deleted, it will no longer be accessible to Identity Risk.
  2. In Identity Risk, select Settings > Providers.
  3. In Enabled Integrations, select Show Details next to Okta.
  4. Select Delete.
  5. Select Yes to confirm. The provider is deleted.

    Note

    Previously ingested historical data remains available, but no new data is ingested.
