Okta
  • 23 May 2024

Article summary

Okta provides cloud software that helps companies manage their employees' passwords by providing a “single sign-on” experience.

Attributes

Service Account Required?

  • Cybersecurity Asset Management: Yes

  • SaaS Management: Yes

Service Account Permissions

  • Cybersecurity Asset Management: Role: API Access Administrator

  • SaaS Management: Role: API Access Administrator

API Key Required?

  • Cybersecurity Asset Management: Yes

  • SaaS Management: Yes

API Key Permissions

  • Cybersecurity Asset Management: *Inherited from Service Account

  • SaaS Management: *Inherited from Service Account

Required Adapter Fields

  • Cybersecurity Asset Management: Okta URL; Authentication; Okta API Key (API Key authentication); Okta Client ID (OAuth2 authentication); Okta JWK Private/Public Keys (OAuth2 authentication)

  • SaaS Management: Okta URL; Authentication; Okta API Key (API Key authentication); Okta Client ID (OAuth2 authentication); Okta JWK Private/Public Keys (OAuth2 authentication); Username; Password; Admin Password; 2FA Secret Key

Assets Fetched

  • Cybersecurity Asset Management: Users and devices

  • SaaS Management: SaaS data

About the Adapter

Use cases the adapter solves 

The Okta adapter can fetch information regarding enrolled users and their registered applications and permissions. This can be used for access auditing or other related controls.

Related Enforcement Actions:

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices

  • Users 

  • SaaS Data

These assets can enable you to perform many important tasks, such as cost optimization, identifying aging accounts and overprovisioned users, and finding identity-related misconfigurations.

Permissions

  • Read Only Admin permissions are required to use this adapter.

  • An Organization must have Okta OIE (Okta Identity Engine) and FastPass enabled in Okta in order to fetch devices with the Okta adapter. See Enable Okta FastPass.

  • The "Fetch Admin Roles" parameter requires configuring credentials to have Super Admin access to view the other admin roles. For more information, see Standard Administrator Roles and Permissions.

  • Okta Enforcement Actions require that the value supplied in Okta API Key must have write or admin permissions.

To successfully connect this adapter, you need to complete the following steps:

  1. Create a user account

  2. Authentication

  3. Configure a group in Okta

  4. Enable Multi-Factor Authentication

  5. Connect adapter

Step 1: Create a User Account

An admin on your system who has Super Administrator permissions needs to create the user account for the Axonius User. Note that the Axonius user itself does not require Admin permissions.

  1. Log into Okta as an admin with the above permissions.

  2. Click Add person.

  3. Fill in the fields with the values that you want.

  4. Copy the value that you entered for the User Name field.

  5. Back in Axonius, paste the value in the Admin Username field.

  6. In Okta, for the Password field select Set by admin and enter a password.

  7. Copy the password.

  8. Back in Axonius, paste the value in the Admin Password field.

  9. In the Okta URL field, enter the hostname or IP address of the Okta server. This field format is '[instance].okta.com'.

  10. In Okta, clear the User must change password on first login checkbox.

  11. Click Save.

  12. Assign roles to the user:

    1. Navigate to Security > Administrators, and select the Roles tab.

    2. Locate the 'Read-only Administrator' role, click Edit, and select View or edit assignments.

    3. Click Add assignment, and select the newly created User account.

    4. Click Add assignment again, and select the Read-only Administrator role.

    5. Repeat steps 1-4 for the following roles:

  • To use Fetch Admin Roles in Asset Management: Super Admin access to view the other admin roles.

  • For SaaS Management: Report Administrator and API Access Management Administrator.

    Note: 

    While to access SaaS data you need to grant roles and/or permissions that include write capabilities, the adapter only actually reads data from the application.

Step 2: Authentication

You can authenticate the Okta adapter connection using either an API Key or OAuth2.


Authenticate with an API Key

  1. In Axonius, from the Authentication drop-down, select API Key.

  2. Login to the Okta Admin Console with the newly created user account.

  3. From admin panel, navigate to Security > API.

  4. In the Tokens tab, click Create Token.

  5. On the pop-up, type a new name for the token and click Create Token.

  6. Click CopyToken to copy the token value.

  7. Back in Axonius, paste the copied token into the Okta API Key field.

Authenticate with OAuth2

  1. In Axonius, from the Authentication drop-down, select OAuth2.

  2. In Okta, navigate to Applications > Applications.

  3. Click Create App Integration and configure your OAuth2 Application. For more information see Create a service app integration.

  4. Generate the Client ID:

    1. Open the new application.

    2. In the Client Credentials section, for Client Authentication, ensure that the Public key/Private key option is selected.

    3. Click CopyToken to copy the Client ID.

    4. Back in Axonius, paste the copied value in the Okta Client ID field.

  5. Generate the Okta JWK Public Key:

    1. Back in Okta, open the OAuth2 application that you previously created.

    2. In the Public Keys section, for Configuration, ensure that the Save keys in Okta option is selected.

    3. Click Add.

    4. In the Add a Public Key window, click Generate new Key.

    5. Copy the generated content, paste it into a text file, and save the file on your device.

    6. Back in Axonius, in the Okta JWK Private/Public Keys field, click Upload File and select the text file you just saved.
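The OAuth2 option above is Okta's private_key_jwt flow: the private half of the JWK you uploaded signs a short-lived JWT assertion, Okta checks it against the public half it stored, and only then issues an access token. No client secret ever travels over the wire, which is why the JWK file must be protected like a password. The Python below is an added example written for this article, not Axonius or Okta code; it generates a toy RSA JWK in-script (standing in for the key Okta's Generate new Key button produces), implements RS256 with the standard library, and uses the placeholder org URL https://example.okta.com and client ID 0oa-example-client-id.

```python
import base64
import hashlib
import json
import math
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders; real values come from the Okta Admin Console.
OKTA_URL = "https://example.okta.com"
CLIENT_ID = "0oa-example-client-id"
TOKEN_ENDPOINT = f"{OKTA_URL}/oauth2/v1/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2 note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_int(s: str) -> int:
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def int_b64url(n: int) -> str:
    return b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; fine for a demo key, not a replacement for a real key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def generate_private_jwk(kid: str = "demo-key", bits: int = 1024) -> dict:
    """Toy RSA key pair in JWK form (kty/kid/alg/n/e/d), the shape Okta's Generate new Key
    button produces. 1024 bits keeps the demo fast; real keys are 2048 bits or more."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return {"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig",
            "n": int_b64url(p * q), "e": int_b64url(e), "d": int_b64url(pow(e, -1, phi))}

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding with SHA-256, which is what RS256 means."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(jwk: dict, signing_input: bytes) -> bytes:
    n, d = b64url_int(jwk["n"]), b64url_int(jwk["d"])
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """What Okta does with the stored public half: recover EM with e and compare."""
    n, e = b64url_int(jwk["n"]), b64url_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa_pkcs1_v15(signing_input, k)

def build_client_assertion(jwk: dict, client_id: str = CLIENT_ID, now=None, lifetime: int = 300) -> str:
    """private_key_jwt assertion: iss and sub are the client ID, aud is the org's token
    endpoint, exp is short (Okta caps it at one hour), jti is unique per request."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": jwk["kid"]}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_urlsafe(16)}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64url(rs256_sign(jwk, signing_input.encode()))}"

def token_request_body(assertion: str, scopes=("okta.users.read", "okta.groups.read")) -> str:
    """Form body for POST to TOKEN_ENDPOINT; the scopes must also be granted on the service app."""
    return urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes),
                      "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion})

def decode_assertion(assertion: str) -> tuple:
    """Split a JWT into (header, claims, signing_input, signature) without trusting it."""
    h, c, s = assertion.split(".")
    load = lambda part: json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
    return load(h), load(c), f"{h}.{c}".encode(), base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

if __name__ == "__main__":
    key = generate_private_jwk()
    print(token_request_body(build_client_assertion(key))[:120], "...")
```

The design point for a defender: because the assertion carries only a signature, a leaked assertion is useful for at most its lifetime, whereas a leaked JWK private half is equivalent to the API key in the other authentication option and should be rotated by deleting the public key from the service app in Okta.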

Step 3: Configure a Group in Okta

To use Filters users by group name, you need to create a group in Okta.

To create a group in Okta:

  1. Login to the Okta Admin Console with a user account that has a Super Administrator or API Access Management Admin role.

  2. Navigate to Directory > Groups.

  3. Click Add Group.

  4. Specify a group name and an optional description.

  5. Click Save.

  6. In the group, select the Rules tab and choose Add Rule.

  7. In the rule, set the condition to user email contains and enter your domain.

  8. In the rules list, from Actions, select Activate to activate the rule. The group must include users with that domain. This group can now be used as a filter to fetch users for Axonius. Use this group name in the Group name to filter users setting.

Step 4: Enable Multi-Factor Authentication (SaaS Management)

You can enable Multi-Factor Authentication (MFA) for the user you just created. If you prefer to exclude the user from the MFA policy, see How to Exclude the User From MFA for instructions. This section is only relevant for accounts using Axonius SaaS Management.

  1. Add the Admin user to the group:

    1. Locate and open the newly created group.

    2. In the People tab, click Assign people.

    3. Locate the newly created user account and click the corresponding + to assign the user to the group.

    4. Click Done.

  2. Add a rule for MFA:

    1. In the Admin Console, navigate to Security > Authentication.

    2. In the Sign On tab, click Add New Okta Sign-on Policy.

    3. Specify a policy name (e.g. axonius-sm-mfa-policy) and an optional description.

    4. In the Assign to Groups field, add the group you just created.

    5. Click Create Policy and Add Rule.

    6. Use the default configuration, and make sure that the Multifactor authentication (MFA) is Required.

    7. Click Create Rule.

  3. Add Google Authenticator:

    1. In the Admin Console, navigate to Security > Multifactor.

    2. In the Factor Types tab, click Google Authenticator.

    3. Click Inactive in the upper right and then select Activate.

  4. Enroll Google Authenticator in a multifactor policy:

    1. In the Admin Console, navigate to Security > Multifactor.

    2. On the Factor Enrollment tab, click Add Multifactor Policy.

    3. In the Add Policy window specify a policy name.

    4. In the Assign to Groups field, enter the group you created earlier.

    5. From the Google Authenticator drop-down list, select Required.

    6. Click Create Policy.

    7. In the Add Rule window, ensure that 'Enroll in multi-factor' is set to the first time a user is challenged for MFA.

    8. Click Create Rule.

    9. Select the newly created policy, click Inactive, and select Activate.

  5. Set up MFA for the user account:

    1. Login to Okta with the account you created.

    2. In the 'Set Up Multifactor Authentication' window, select the Google Authenticator option and click Configure Factor.

    3. Select your device type and then click Next.

    4. Install Google Authenticator on your phone or add a Chrome extension.

    5. Select your device type and then click Next. A QR code is displayed.

    6. Click Can't scan QR Code?.

    7. Copy the displayed secret key.

    8. Back in Axonius, paste the copied secret key in the 2FA Secret Key field.

    9. Back in the Okta MFA Configuration panel, click Scan QR Code to display the QR Code again.

    10. Open the Google Authenticator on your device and click +.

    11. Scan the QR code. Google Authenticator displays a verification code.

    12. In Okta, click Next and enter the verification code.

    13. Click Verify.

Note

This verification is a one-time process.

Step 5: Connect Adapter

  1. We recommend logging into Okta with the user you created to ensure that the user was properly configured.

  2. Back in Axonius, in the Okta Adapter setup window, click the Active Connection slider to set it to ON.

  3. Click Save and Fetch.

Optional: How to Exclude the User From MFA

If you prefer not to enable MFA for the user you created in Okta, follow the instructions below for excluding the user from MFA.

  1. Login to the Okta Admin Console with a user account that has a Super Administrator or API Access Management Admin role.

  2. In the Admin Console, navigate to Directory > Groups.

  3. Locate and open the group you created earlier.

  4. In the People tab, click Assign people.

  5. Locate the newly created user account and click the corresponding + to assign the user to the group.

  6. Click Done.

  7. In the Admin Console, navigate to Security > Authentication.

  8. In the Sign On tab, click Add New Okta Sign-on Policy.

  9. Specify a policy name (for example, 'axonius-sm-mfa-policy') and an optional description.

  10. In the Assign to Groups field, add the group you just created.

  11. Click Create Policy and Add Rule.

  12. Use the default configuration, and make sure that the Multifactor authentication (MFA) is Not Required.

  13. Click Create Rule.

Parameters

The parameters that you need to fill out will differ based on the capabilities in your Axonius platform. 'General' pertains to users with Cybersecurity Asset Management and/or SaaS Management capabilities.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.


General

  • Okta URL (required) - The hostname or IP address of the Okta server. This field format is '[instance].okta.com'.

  • Authentication - Select whether to authenticate this adapter connection with an API Key or OAuth2.

  • Okta API Key - The generated API key provided by Okta that allows Axonius to fetch data from the Okta API. This is required when API Key is selected in the Authentication drop-down. For details, see Create an API Token.

  • Okta Client ID - Client ID of the service app. This is required when OAuth2 is selected in the Authentication drop-down.

  • Okta JWK Private/Public Keys - The JSON web key which was generated and assigned in the OAuth 2.0 service app integration in the Admin Console of Okta. This is required when OAuth2 is selected in the Authentication drop-down.

  • Throttling rate percentage - Specify the threshold percentage of the Okta API rate limit when connecting to the value supplied in Okta URL. Axonius will stop the data fetch when the API rate limit reaches the supplied value.

  • Number of parallel requests (required, default: 75) - Specify the maximum parallel requests that will be created when connecting to the value supplied in Okta URL.

  • API rate limit threshold percentage (required) - The share of the Okta API rate limit that must remain available, expressed as a percentage of the maximum set by the Okta API; when fewer requests than this remain, the fetch stops. By default this is set to 10%.

  • User Filter Params - You can use the Okta Expression language to filter a subset of users (for example, users who belong to specific departments) to be retrieved by the Okta adapter and displayed in Axonius.

  • Filter Users by Group Name - Enter a group name to only fetch users from the specific group. Refer to Configuring a Group in Okta for details.

  • HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.
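The three rate-limit parameters above interact: the threshold decides when a fetch stops, and the parallel-request setting decides how much of the remaining quota a single round of requests can consume. Okta reports its quota on every response in the X-Rate-Limit-Limit, X-Rate-Limit-Remaining and X-Rate-Limit-Reset headers (and returns HTTP 429 once the quota is exhausted). The Python below is an added example written for this article, not Axonius code; it models how a client can apply a stop threshold and a parallelism cap to those headers, replaying constructed responses so it runs without network access.

```python
import math
import time

class OktaRateBudget:
    """Tracks Okta's X-Rate-Limit-* response headers and enforces a stop threshold plus a
    cap on in-flight requests, in the spirit of the adapter's rate-limit settings."""

    def __init__(self, threshold_percent: float = 10.0, parallel_requests: int = 75):
        self.threshold_percent = threshold_percent
        self.parallel_requests = parallel_requests
        self.limit = self.remaining = self.reset_epoch = None

    def observe(self, status: int, headers: dict) -> None:
        """Update the budget from one response; header names are case-insensitive."""
        h = {k.lower(): v for k, v in headers.items()}
        if "x-rate-limit-limit" in h:
            self.limit = int(h["x-rate-limit-limit"])
            self.remaining = int(h["x-rate-limit-remaining"])
            self.reset_epoch = int(h["x-rate-limit-reset"])   # epoch seconds when the window resets
        if status == 429:                                      # Okta already refused the request
            self.remaining = 0

    def remaining_percent(self) -> float:
        if not self.limit:
            return 100.0
        return 100.0 * self.remaining / self.limit

    def should_pause(self) -> bool:
        """True once the remaining quota has fallen to the configured threshold."""
        return self.limit is not None and self.remaining_percent() <= self.threshold_percent

    def request_budget(self) -> int:
        """How many requests may be sent now without crossing the threshold."""
        if self.limit is None:
            return self.parallel_requests
        reserve = math.ceil(self.limit * self.threshold_percent / 100)
        return max(0, min(self.parallel_requests, self.remaining - reserve))

    def seconds_until_reset(self, now=None) -> int:
        now = time.time() if now is None else now
        return max(0, int(self.reset_epoch - now)) if self.reset_epoch else 0

# Constructed responses: a 600-request window draining across three calls.
SAMPLE_RESPONSES = [
    (200, {"X-Rate-Limit-Limit": "600", "X-Rate-Limit-Remaining": "300", "X-Rate-Limit-Reset": "1716451260"}),
    (200, {"X-Rate-Limit-Limit": "600", "X-Rate-Limit-Remaining": "100", "X-Rate-Limit-Reset": "1716451260"}),
    (200, {"X-Rate-Limit-Limit": "600", "X-Rate-Limit-Remaining": "59", "X-Rate-Limit-Reset": "1716451260"}),
]

def plan_fetch(budget: OktaRateBudget, responses) -> list:
    """Replay responses and record, after each, whether a fetch would continue (and with how
    many requests) or pause until the reset time."""
    actions = []
    for status, headers in responses:
        budget.observe(status, headers)
        actions.append("pause" if budget.should_pause() else f"continue:{budget.request_budget()}")
    return actions

if __name__ == "__main__":
    print(plan_fetch(OktaRateBudget(), SAMPLE_RESPONSES))
```

With the defaults (10% threshold, 75 parallel requests) the replay continues at full parallelism while 300 requests remain, drops to 40 requests when 100 remain, and pauses at 59 remaining, since 59/600 is below 10%. Keeping the reserve also protects other consumers of the same org quota, such as interactive admins and other integrations, from being starved by a bulk fetch.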

Cybersecurity Asset Management

  • Add users inside the devices - Select this option to fetch user information to populate in the relevant device-specific fields.

SaaS Management

  • Admin URL - The hostname or IP address of the Okta admin server. This field format is '[instance]-admin.okta.com'.

  • Admin Username - The value you enter in the User Name field in Okta for the new user you created to allow Axonius to fetch SaaS Management data.

  • Admin Password - The password you set for the new user in Okta.

  • 2FA Secret Key - The secret generated in Okta for setting up 2-factor authentication for the Okta user created for collecting SaaS Management data.

  • SSO provider - If your organization uses Okta for SSO, you can select this check box (selected by default). For more information, see Connecting your SSO Solution Provider Adapter.

  • Department Field - This is the mapping of the department value for the Okta authentication object. Check if your organization's 'department' value is different from the default value ('department').

Advanced Settings

Note:

Advanced settings can either apply for all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection, refer to Advanced Configuration for Adapters.

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

General

  • Fetch apps - Select this option to also fetch information about applications.

  • Fetch apps with no users - Select this option to also fetch information about applications with no users.

  • Fetch groups - Select this option to fetch group details.

  • Fetch users authentication factors - Select this option to also fetch users' authentication factors.

  • Fetch users - Select this option to also fetch information about users.

  • Fetch user logs (required, default: True) - Select this option to fetch information about users' log events, which include details such as IP address, browser, and OS type.

  • Fetch logs from the last X days - Enter a number of days back from which to fetch logs.

  • Time in seconds to sleep between each request (optional) - Specify sleeping time in seconds between each API request Axonius sends to Okta.

  • Fetch deprovisioned users - Select this option to fetch users that are deprovisioned.

  • Display recovery question in View Advanced - Select this option to save the users' recovery questions in the Axonius database. When you enable this parameter, the recovery question is displayed in plain-text in the View Advanced data for the Okta Adapter.

  • User results limit (required, default: 100) - Specify the number of results per page when Axonius makes the API call. The maximum value is 200.

  • Device with users fetch pagination limit - Sets the limit of results per page when fetching devices with detailed users information. This configuration should not be changed unless instructed by technical support or engineering.

  • Disable Devices Fetch - Select this option to disable fetching device details from Okta.

  • Group type - Select the type of group to fetch from Okta. For more information, see Okta group source types.

  • Only fetch user records - Select this option to only fetch user records from Okta.

  • Fetch all logs history each cycle - Select this option to fetch the full log history in each discovery cycle; otherwise only the new logs since the last fetch cycle are fetched.

  • Raw data fields exclusions (comma separated list) - Specify a comma-separated list of data fields to exclude from the fetch.

    Note

    Nested data fields should be separated by forward slashes. For example, if you want to exclude a field email inside the Profile complex field then specify profile/email.
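Field exclusion is the adapter-side control for keeping sensitive attributes (for example the recovery question mentioned above, or personal e-mail) out of the Axonius database altogether. The following Python is an added example written for this article, not Axonius code; it shows how a slash-separated exclusion list like the one described in the note can be applied to a nested record, including fields nested inside lists, on a constructed Okta user record.

```python
import copy

# Constructed Okta user record shaped like a /api/v1/users response.
SAMPLE_USER = {
    "id": "00u-example",
    "status": "ACTIVE",
    "profile": {"login": "jdoe@example.com", "email": "jdoe@example.com", "department": "IT"},
    "credentials": {"recovery_question": {"question": "Mother's maiden name?"},
                    "provider": {"type": "OKTA", "name": "OKTA"}},
    "groups": [{"id": "00g1", "profile": {"name": "Everyone", "description": "all staff"}},
               {"id": "00g2", "profile": {"name": "IT", "description": "IT department"}}],
}

def parse_exclusions(spec: str) -> list:
    """Turn 'profile/email, credentials/recovery_question' into [['profile','email'], ...]."""
    return [p.strip().strip("/").split("/") for p in spec.split(",") if p.strip()]

def _remove_path(node, path: list) -> None:
    """Delete path from node in place; a list along the way applies the path to every element,
    and a path that does not exist is simply ignored."""
    if isinstance(node, list):
        for item in node:
            _remove_path(item, path)
    elif isinstance(node, dict) and path:
        head, rest = path[0], path[1:]
        if not rest:
            node.pop(head, None)
        elif head in node:
            _remove_path(node[head], rest)

def exclude_fields(record: dict, spec: str) -> dict:
    """Return a copy of record with every excluded path removed; the input is left untouched."""
    out = copy.deepcopy(record)
    for path in parse_exclusions(spec):
        _remove_path(out, path)
    return out

if __name__ == "__main__":
    print(exclude_fields(SAMPLE_USER, "profile/email, credentials/recovery_question"))
```

Applying "profile/email, credentials/recovery_question, groups/profile/description" strips the e-mail, the recovery question and every group description while leaving profile/login and the provider block intact; an exclusion that names a field the record does not have is a no-op rather than an error, so a shared exclusion list can be reused across connections with different profile schemas.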

Cybersecurity Asset Management

  • Email domain include list (optional) - Specify a comma-separated list of email domains to only fetch users whose email domain is in the specified list.

  • Fetch Security Logs (optional) - Select this option to fetch security logs based on security.request.blocked and security.threat.detected events.

SaaS Management

  • Fetch Bookmark apps - Select this option to also fetch information about Bookmark apps.

  • Enrich Groups with Applications -

  • Enrich user data in a synchronous manner (for example: groups) - Select this option to enrich data synchronously. (Use for organizations with large amounts of users/groups/apps/roles.)

  • List of known domains (optional) - Specify a comma-separated list of domains used to identify external users in Okta.

  • Fetch audit activities (Behavior Analytics) - Select this option to also fetch audit logs from Okta.

  • Fetch admin roles - Select this option to fetch additional information on admin roles, otherwise Axonius will fetch users with admin roles, without additional information about those roles.

