Okta

This article includes information on adding Okta as an integration to sync objects to Oblique. To use Okta as an identity provider to authenticate to Oblique, see Single sign-on.

When you connect an Okta tenant to Oblique, Oblique will automatically sync users, user attributes, and Okta groups from Okta to Oblique.

Oblique initially adds all resources in “Pull” mode, meaning that Oblique treats Okta as the source of truth and pulls information on these resources to Oblique. When you change the management mode of a resource, Oblique will automatically sync changes with Okta. For example, if you change a resource from “Pull” to “Push,” Oblique becomes the source of truth and pushes changes to Okta.

As you make changes in Okta, Oblique adds any new users and groups to Oblique, and archives any deleted users and groups in Oblique.

Oblique integrates with Okta:

  • As a source for users and user attributes
  • As a source and destination for resources (Okta groups and Okta apps)
      • Okta groups
      • Okta apps

You must be an Admin to add an integration.

To add an Okta integration, you need to have an Okta API token.

To generate an Okta API token, in Okta’s Admin Console, navigate to Security > API, or go directly to https://$your-okta-domain.okta.com/admin/access/api/tokens:

  1. Select the Tokens tab.
  2. Select Create Token.
  3. Under What do you want your token to be named?, enter a name for the token.
  4. Under API calls made with this token must originate from, select “Any IP”.
  5. Select Create token.
  6. Reauthenticate to Okta.
  7. Copy the token value that is provided. It will not be shown again. When done, select OK, got it.

Read more about creating an API token in Okta’s documentation.

  1. Navigate to the Integrations page.
  2. Select Add integration.
  3. Select Okta.
  4. Enter the Okta domain base URI, such as https://example.okta.com, and API key, which starts with 00.
  5. Select Create integration.

Oblique will immediately start syncing users, user attributes, and Okta groups from Okta to Oblique.

Oblique does not require write permissions to import users and groups from Okta, and will not modify your Okta environment until explicitly enabled to do so.

Optionally, to add an Okta integration to Oblique in read-only mode, you will need to create and use an API token for an Okta user with the desired limited set of permissions, such as the Okta Read-only Administrator role.

To create a read-only Okta API token, you must:

  • Create a new user in Okta
  • Assign the user the appropriate role
  • Authenticate as that user
  • Generate an API token

In Okta’s Admin Console, navigate to Directory > People:

  1. Select Add user.
  2. Fill in the information to create a new user account. This does not need to be a real person, and could be a service account or email alias.
  3. Optionally, if this is an account you will log into, like a service account, then under Password, select Set by Admin and enter a password. Keep this safe.
  4. Select Save.

Read more about manually creating a user in Okta’s documentation.

In Okta’s Admin Console, navigate to Security > Administrators:

  1. Select the Admins tab.
  2. Select Add administrator.
  3. Under Select admin, search for and select the user you added.
  4. In the Complete the assignment section, under Role, search for and select “Read-only Administrator”, or the desired role.
  5. Select Save Changes.

Read more about assigning admin roles in Okta’s documentation.

  1. If needed, log out of Okta’s Admin console. Select your username in the upper right of the Admin console, then select Sign out.
  2. From your Okta tenant’s Admin console login screen, log in with the new user’s username and password.

In Okta’s Admin Console, navigate to Security > API:

  1. Select the Tokens tab.
  2. Select Create token.
  3. Under What do you want your token to be named?, enter a name for the token.
  4. Under API calls made with this token must originate from, select “Any IP”.
  5. Select Create token.
  6. Reauthenticate to Okta.
  7. Copy the token value that is provided. It will not be shown again. When done, select OK, got it.

Read more about creating API tokens in Okta’s documentation.

You now have an Okta API token with the permissions of the Okta Read-only Administrator role.
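One way to confirm this before entering the token in Oblique is to ask Okta which admin roles the token's owner holds. The following is an added example, not code from Oblique or Okta. It uses Okta's `SSWS` API-token header with the `/api/v1/users/me` and `/api/v1/users/{id}/roles` endpoints. Assumptions: the token is allowed to read its owner's role assignments, the environment variable names `OKTA_BASE_URI` and `OKTA_API_TOKEN` are hypothetical, and the sample role lists are constructed.

```python
import json
import os
import urllib.request

# Constructed sample bodies shaped like GET /api/v1/users/{id}/roles responses.
SAMPLE_READ_ONLY = [{"id": "ra1-constructed", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"}]
SAMPLE_OVERPRIVILEGED = SAMPLE_READ_ONLY + [
    {"id": "ra2-constructed", "type": "SUPER_ADMIN", "status": "ACTIVE"}
]


def okta_get(base_uri, token, path):
    """GET an Okta API path, authenticating with the SSWS API-token scheme."""
    if not base_uri.startswith("https://"):
        raise ValueError("refusing to send an API token over a non-HTTPS URI")
    req = urllib.request.Request(
        base_uri.rstrip("/") + path,
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_roles(roles, allowed=frozenset({"READ_ONLY_ADMIN"})):
    """Return (ok, unexpected). ok is True only when the owner holds at least
    one active admin role and every active role type is in `allowed`."""
    active = [r["type"] for r in roles if r.get("status", "ACTIVE") == "ACTIVE"]
    unexpected = sorted(set(active) - set(allowed))
    return (bool(active) and not unexpected, unexpected)


def audit_token(base_uri, token):
    """Resolve the token's owner, then audit that user's admin role assignments."""
    me = okta_get(base_uri, token, "/api/v1/users/me")
    roles = okta_get(base_uri, token, f"/api/v1/users/{me['id']}/roles")
    return me["profile"]["login"], audit_roles(roles)


if __name__ == "__main__":
    # Read the secret from the environment so it stays out of shell history.
    login, (ok, unexpected) = audit_token(
        os.environ["OKTA_BASE_URI"], os.environ["OKTA_API_TOKEN"]
    )
    print(f"{login}: {'read-only' if ok else 'NOT read-only'} {unexpected}")
```

Any role type reported as unexpected, including `CUSTOM`, should be reviewed in Security > Administrators before the token is used.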

Oblique can manage Okta groups and act as the source of truth for group membership. You configure this setting at the resource level.

This setting starts on by default and you can’t turn it off.

Oblique can create Okta groups and act as the source of truth for group membership by creating new Okta groups for new team groups in Oblique. You configure this setting at the resource level.

This setting starts off by default.

You must be an Admin to enable resource creation.

To create new Okta groups for new team groups, you first need to enable this setting for the integration:

  1. Navigate to the Integrations page.
  2. Select the desired Okta integration.
  3. Select Settings.
  4. Toggle Create resources for new teams to On.

When you create a new team group in Oblique, Oblique will create a new Okta group with the same name in “Push” mode.

Oblique can manage Okta apps and act as the source of truth for app assignments. You configure this setting at the resource level.

This setting starts on by default and you can’t turn it off.

You don’t need to do anything to sync the Okta integration. Oblique will automatically and continuously sync changes with Okta according to the sync frequency.

You must be an Admin to remove an integration.

To remove an Okta integration, from the integration’s detail page:

  1. Navigate to the Settings tab.
  2. At the very bottom of the page, select Delete integration.
  3. In the confirmation dialog, select Confirm.

This will immediately stop all syncing and remove all resources from the integration.