Integrating with Okta

Application Visibility uses Okta API to authenticate end users and administrators logging into the Application Visibility platform and to gather information on applications integrated with Okta and their permissions.

Once integrated with Okta, Application Visibility can:

  • Allow the browser extension and Application Visibility administrators to authenticate against the IdP.
  • Read the list of SaaS applications that have been installed in your organization, and parse SSO logs to continuously detect SSO’ed accounts.
  • Support listing user accounts, user groups, applications, and related user activity in the admin portal.
  • Review the IdP configuration, such as MFA settings and last password rotation dates.

You will first create an app integration in Okta to configure authentication, and then configure a service application.

To configure authentication:

  1. Log into Okta at https://www.okta.com/.
  2. Go to Applications > Applications.
  3. Select Create app integration.
  4. On the Create app integration page complete the following:
    • In the Sign-in method section, select OIDC - OpenID Connect.
    • In the Application type section, select Web Application.
  5. Select Next.
  6. On the New Web Application Integration page, complete the following:
    • In the App integration name field, enter Application Visibility authentication.
    • In the Grant type field, select Authorization Code and Implicit (hybrid).
    • In the Sign-in redirect URIs field, enter https://auth2.savvy.security/self-service/methods/oidc/callback.
    • In the Sign-out redirect URIs field, remove the default URI.
    • In the Assignments section, select whether to assign the app integration to everyone in your org, only selected group(s), or to skip assignment until after app creation.
  7. Select Save to save these settings.
  8. Select the Okta API Scopes tab.
  9. Grant the okta.users.read.self scope.
  10. Select the General tab.
  11. Copy the following details from the Okta General tab, into the Application Visibility admin console Settings > General Settings > Identity Provider:
    • Okta domain
    • Client ID
    • Client Secret

To configure the service application:

  1. Log into Okta at https://www.okta.com/.
  2. Go to Security > Administrators.
  3. Select the Roles tab.
  4. Select Create to create a new role.
  5. On the Create new role page complete the following:
    • In the Role name field, enter SAAM-Role.
    • In the Description field, provide additional details about the role and the access it grants.
    • In the Select permissions section, search for "view roles", and add the View roles, resources and admin assignments permission.
  6. Select Save to save the role settings.
  7. Select the Resources tab.
  8. Select Create new resource set.
  9. On the Create new resource set page complete the following:
    • In the Resource name field, enter SAAM-Resource.
    • In the Description field, provide additional details about the resource.
  10. Select Add Resource.
  11. On the Add Resource page, select Identity and Access Management and then select All Identity and Access Management resources.
  12. Select Save to save these settings.
  13. Go to Applications > Applications.
  14. Select Create app integration.
  15. On the Create app integration page complete the following:
    • In the Sign-in method section, select API Services.
    • In the Application type section, select Web Application.
  16. Select Next.
  17. On the New Web Application Integration page complete the following:
    • In the App integration name field, enter Application Visibility services app.
  18. Select the Admin roles tab.
    • On the Complete the assignment page complete the following:
      • In the Role field, select SAAM-Role.
      • In the Resources set field, select SAAM-Resource.
      • In the Role field, select the Read-only Administrator role.
  19. Select Add assignment.
  20. Select the Okta API Scopes tab.
  21. Grant the following scopes:
    • okta.users.read - Read users for policy matching.
    • okta.groups.read - Read groups for policy matching.
    • okta.apps.read - Read OAuth/SAML applications to create inventory items.
    • okta.logs.read - Read sign-in events.
    • okta.policies.read - Read policies in order to understand MFA status per application.
    • okta.domains.read - Fetch verified domains.
    • okta.roles.read - Determine role per user, primarily to evaluate if a user is an administrator.
    • okta.appGrants.read - Read all app grants.
  22. Select the General tab.
  23. Select Edit to edit the client credentials.
  24. In the Client Credentials section, for Client authentication select Public key / Private key.
  25. In the PUBLIC KEYS section complete the following:
    • In the Configuration field, select Use a URL to fetch keys dynamically.
    • In the URL field, enter the URL from the Application Visibility admin console Settings > General Settings > Identity Provider.
    • Deselect the Proof of possession radio button.
  26. Select Save to save the settings.
  27. Select the General tab.
  28. Copy the following details from the Okta General tab, into the Application Visibility admin console Settings > General Settings > Identity Provider:
    • Client ID
    • Okta domain
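The service app configured above never shares a client secret: step 24 selects Public key / Private key and step 25 points Okta at a URL that serves the public key, so the vendor proves possession of the private key by signing a JWT. As an added illustration (not Application Visibility's or Okta's own code), the Go program below assumes the standard OAuth 2.0 client_credentials grant with a private_key_jwt assertion that Okta uses for API Services apps; it renders the JWKS document that the step 25 URL must serve, signs the assertion for a constructed client ID and Okta domain, and builds the token request for the scopes granted in step 21.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ServiceScopes lists the scopes granted to the service app in step 21.
var ServiceScopes = []string{"okta.users.read", "okta.groups.read", "okta.apps.read", "okta.logs.read",
	"okta.policies.read", "okta.domains.read", "okta.roles.read", "okta.appGrants.read"}
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// JWKS renders the key set the URL from step 25 must serve; only the public half leaves the signing host.
func JWKS(pub *rsa.PublicKey, kid string) string {
	key := map[string]string{"kty": "RSA", "use": "sig", "kid": kid, "n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}
	out, _ := json.Marshal(map[string][]map[string]string{"keys": {key}})
	return string(out)
}
// ClientAssertion signs the private_key_jwt: iss/sub are the client ID (step 28), aud is the org's token endpoint.
func ClientAssertion(key *rsa.PrivateKey, kid, clientID, oktaDomain string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{ // short exp and unique jti limit replay of a captured assertion
		"iss": clientID, "sub": clientID, "aud": "https://" + oktaDomain + "/oauth2/v1/token",
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "jti": fmt.Sprint(now.UnixNano()),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}
// TokenRequest builds the client_credentials form body; no client secret is sent (step 24).
func TokenRequest(assertion string, scopes []string) url.Values {
	return url.Values{"grant_type": {"client_credentials"}, "scope": {strings.Join(scopes, " ")},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}, "client_assertion": {assertion}}
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key for the demo
	fmt.Println(JWKS(&key.PublicKey, "app-vis-key-1"))
}
```

Because Okta fetches the key set from the URL at step 25, the integrity of that HTTPS endpoint is part of the trust boundary: rotating the key pair means publishing the new public key there before the new private key is used.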

Application Visibility admins can now access the Application Visibility portal. For more information refer to Accessing Application Visibility.