Connecting Okta and SailPoint CIEM
Once you have configured your Okta account, you will use the Okta identity and CIEM Okta cloud governance connectors to display the total effective access users have to your cloud systems and resources.
| Connector | Description |
|---|---|
| Okta identity governance connector | Allows you to manage your Okta users and groups in IdentityNow. If your organization has licensed SailPoint CIEM, it also gathers data about the AWS access granted to users through their Okta management groups. |
| CIEM Okta cloud governance connector | Works with your Okta identity governance connector to collect cloud resource data and display the total access an identity has to your cloud systems. |
After you've connected and aggregated your accounts and entitlements, you will mark the entitlements related to cloud access. This will allow you to view the cloud access granted through entitlements and include those entitlements in certification campaigns.
Connecting Okta Identity Governance
Follow the SailPoint Okta connector guide to connect your Okta identity governance source, or edit an existing one.
You must also use the CIEM Okta cloud governance connector to display all access users have to your cloud resources.
Connecting Okta Cloud Governance
The CIEM Okta source pulls daily data about the cloud resources your Okta IaaS users can access.
To create your CIEM Okta source:
- Go to Admin > Connections > Create New.
- Find and select the CIEM Okta source type.
- Enter a source name.
- Enter a description for your source.
- In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
- (Optional) Select a governance group for source management.
- Select Connection Settings.
- In the Okta URL field, enter the URL where your organization's Okta instance is hosted. This must match the Okta URL configured in your Okta identity governance connector.
- Enter your Okta API token in the Application Token field. If your Okta identity governance source authenticates with an API token, the token you enter here must be the same one.
- Enter the Application ID of your configured Okta instance.
- Select Save.
- Select Review and Test.
Review the configuration details and select Test Connection. A successful test is required for CIEM to gather data for this source.
If the test connection fails, you can use the Search query name:"Test_connection Source Failed" for more information.
Setting Source Scope
By default, CIEM reads and automatically discovers changes to your cloud infrastructure, which are displayed in the Cloud Scopes section of your CIEM source configuration. You can choose to exclude scopes to prevent CIEM from including data for those accounts.
To change the scope of your included source data:
- In the CIEM Okta source, select Cloud Scopes under Aggregation and Provisioning.
- Use the checkboxes to change which accounts are included. Removing a scope disables Auto-Include Scopes.
- Select Save.
CIEM will now only read and include data from your selected scopes. When Auto-Include Scopes is disabled, new and deleted accounts in your cloud system will be detected, but they will not be automatically included in your CIEM data until you select them individually or reenable Auto-Include Scopes.
- You can search for scopes as well as filter by selected and unselected scopes.
- The Last Refreshed time is when changes to your source inventory were last detected by CIEM. This is separate from aggregation.
Marking Okta Cloud-Enabled Entitlement Types
When entitlements are pulled from your Okta cloud environment, you must mark the Group entitlement types as Cloud Enabled in the Okta source configuration. This will allow certification campaign reviewers to view the access users have to your Okta cloud infrastructure.
- Go to Admin > Connections > Sources.
- Select the Okta identity governance connector you enabled to manage cloud resources.
- Select the Import Data tab and choose Entitlement Types.
- Edit the group entitlement type and select the Cloud Enabled checkbox.
You can now view an identity's cloud access granted through entitlements. You can include cloud-enabled entitlement types in certification campaigns so that certifiers can view the effective access to your Okta resources.
Viewing Effective Access to Okta Resources
After marking your entitlement types, you can include cloud-enabled entitlements in certification campaigns so that your certifiers can view cloud access details, such as the last level of access and the type of action taken on the resource.