Okta
- Updated on 25 Nov 2024
Okta provides cloud software that helps companies manage their employees' passwords, by providing a “single sign-on” experience.
Attributes | Cybersecurity Asset Management | SaaS Management |
---|---|---|
Service Account Required? | Yes | Yes |
Service Account Permissions | Role: API Access Administrator | Role: API Access Administrator |
API Key Required? | Yes | Yes |
API Key Permissions | *Inherited from Service Account | *Inherited from Service Account |
Required Adapter Fields | Okta URL, Authentication, Okta API Key (API Key authentication), Okta Client ID (OAuth2 authentication), Okta JWK Private/Public Keys (OAuth2 authentication) | Okta URL, Authentication, Okta API Key (API Key authentication), Okta Client ID (OAuth2 authentication), Okta JWK Private/Public Keys (OAuth2 authentication) (Username, Admin Password, and 2FA Secret Key are required for fetching application settings) |
Assets Fetched | Users and devices | SaaS data |
About the Adapter
Use cases the adapter solves
The Okta adapter can fetch information regarding enrolled users and their registered applications and permissions. This can be used for access auditing or other related controls.
Related Enforcement Actions:
Types of Assets Fetched
This adapter fetches the following types of assets:
Devices
Users
Application Extensions
Roles
Groups
Application Settings
User Extensions
Activities
SaaS Applications - (To fetch this information you need to configure the User name and Password fields. If 2FA is required for this application, the 2FA key must be provided.)
Accounts/Tenants
Alerts/Incidents
Permissions
These assets enable you to perform many important tasks, such as cost optimization and identifying aging accounts, overprovisioned users, and identity-related misconfigurations.
Permissions
Read Only Admin permissions are required to use this adapter.
An Organization must have Okta OIE (Okta Identity Engine) and FastPass enabled in Okta in order to fetch devices with the Okta adapter. See Enable Okta FastPass.
The "Fetch Admin Roles" parameter requires configuring credentials to have Super Admin access to view the other admin roles. For more information, see Standard Administrator Roles and Permissions.
Note
'Super Admin' permissions are required by Okta to access and fetch some data. Some minor fetch errors can be expected if the permissions are not available.
Okta Enforcement Actions require that the value supplied in Okta API Key must have write or admin permissions.
Optimize an Existing Adapter Configuration to Fetch SaaS Data
If the adapter has already been set up and you want to configure it to fetch SaaS data, you will need to complete the following steps:
Note
Some of the initial configuration in Okta needs to be performed by a user with administrator-level privileges.
The following Advanced Settings, Scopes, and Cloud APIs are required for fetching SaaS data with this adapter.
SaaS Asset | Connection Parameters | Advanced Config | Permissions (Token) | Permissions (OAuth2) |
---|---|---|---|---|
Application Extensions | No specific parameter required | Fetch Apps | No specific permission required | okta.apps.read |
Roles | No specific parameter required | Fetch admin roles | Admin access | okta.roles.read |
Groups | No specific parameter required | Fetch groups | No specific permission required | okta.groups.read |
Application Settings | Admin Username, Admin Password, 2FA Key (if required for this application) | Fetch Application Settings | No specific permission required | No specific permission required |
User Extensions | No specific parameter required | Fetch Apps | No specific permission required | okta.apps.read |
SaaS Applications | No specific parameter required | Fetch Apps | No specific permission required | okta.apps.read |
Activities | No specific parameter required | Fetch audit activities (Behavior Analytics) | No specific permission required | okta.logs.read |
Accounts | No specific parameter required | No specific setting required | No specific permission required | No specific permission required |
Setting Up the Integration
To successfully connect this adapter, you need to complete the following steps:
Step 1: Create a User Account
An admin on your system who has Super Administrator permissions needs to create the user account for the Axonius User. Note that the Axonius user itself does not require Admin permissions.
Log into Okta (as an admin with the above permissions).
Click Add person.
Fill in the fields with the values that you want.
Copy the value that you entered for the User Name field.
Back in Axonius, paste the value in the Admin Username field.
In Okta, for the Password field select Set by admin and enter a password.
Copy the password.
Back in Axonius, paste the value in the Admin Password field.
In the Okta URL field, enter the hostname or IP address of the Okta server. This field format is '[instance].okta.com'.
In Okta, clear the User must change password on first login checkbox.
Click Save.
Assign roles to the user:
a. Navigate to Security > Administrators, and select the Roles tab.
b. Locate the 'Read-only Administrator' role, click Edit, and select View or edit assignments.
c. Click Add assignment, and select the newly created User account.
d. Click Add assignment again, and select the Read-only Administrator role.
e. Repeat steps a-d for the following roles:
To use the Fetch Admin Roles in Asset Management: Super Admin access to view the other admin roles.
For SaaS Management: Report Administrator and API Access Management Administrator.
Note:
Although the roles and/or permissions required to access SaaS data include write capabilities, the adapter only reads data from the application.
Step 2: Authentication
You can authenticate the Okta adapter connection using either an API Key or OAuth2.
Authenticate with an API Key
In Axonius, from the Authentication drop-down, select API Key.
Login to the Okta Admin Console with the newly created user account.
From the admin panel, navigate to Security > API.
In the Tokens tab, click Create Token.
On the pop-up, type a new name for the token and click Create Token.
Click to copy the token value.
Back in Axonius, paste the copied token into the Okta API Key field.
Authenticate with OAuth2
In Axonius, from the Authentication drop-down, select OAuth2.
In Okta, navigate to Applications > Applications.
Click Create App Integration and configure your OAuth2 Application. For more information see Create a service app integration.
Generate the Client ID:
Open the new application.
In the Client Credentials section, for Client Authentication, ensure that the Public key/Private key option is selected.
Click to copy the Client ID.
Back in Axonius, paste the copied value in the Okta Client ID field.
Generate the Okta JWK Public Key:
Back in Okta, open the OAuth2 application that you previously created.
In the Public Keys section, for Configuration, ensure that the Save keys in Okta option is selected.
Click Add.
In the Add a Public Key window, click Generate new Key.
Copy the generated content, paste it into a text file, and save the file on your device.
Back in Axonius, in the Okta JWK Private/Public Keys field, click Upload File and select the text file you just saved.
Step 3: Configure a Group in Okta
To use Filters users by group name, you need to create a group in Okta.
To create a group in Okta:
Login to the Okta Admin Console with a user account that has a Super Administrator or API Access Management Admin role.
Navigate to Directory > Groups.
Click Add Group.
Specify a group name and an optional description.
Click Save.
In the group, select the Rules tab and choose Add Rule.
In the rule, set the condition to user email contains and enter your email domain.
On the rules list, from Actions, select Activate to activate the rule. The group must include users with that domain. This group can now be used as a filter to fetch users for Axonius. Use this group name in the Group name to filter users setting.
Step 4: Enable Multi-Factor Authentication (SaaS Management)
You can enable Multi-Factor Authentication (MFA) for the user you just created. If you prefer to exclude the user from the MFA policy, see the How to Exclude the User From MFA for instructions. This section is only relevant for accounts using Axonius SaaS Management.
Add the Admin user to the group:
Locate and open the newly created group.
In the People tab, click Assign people.
Locate the newly created user account and click the corresponding + to assign the user to the group.
Click Done.
Add a rule for MFA:
In the Admin Console, navigate to Security > Authentication.
In the Sign On tab, click Add New Okta Sign-on Policy.
Specify a policy name (e.g. axonius-sm-mfa-policy) and an optional description.
In the Assign to Groups field, add the group you just created.
Click Create Policy and Add Rule.
Use the default configuration, and make sure that the Multifactor authentication (MFA) is Required.
Click Create Rule.
Add Google Authenticator:
In the Admin Console, navigate to Security > Multifactor.
In the Factor Types tab, click Google Authenticator.
Click Inactive in the upper right and then select Activate.
Enroll Google Authenticator in a multifactor policy:
In the Admin Console, navigate to Security > Multifactor.
On the Factor Enrollment tab, click Add Multifactor Policy.
In the Add Policy window specify a policy name.
In the Assign to Groups field, enter the group you created earlier.
From the Google Authenticator drop-down list, select Required.
Click Create Policy.
In the Add Rule window, ensure that 'Enroll in multi-factor' is set to the first time a user is challenged for MFA.
Click Create Rule.
Select the newly created policy, click Inactive, and select Activate.
Set up MFA for the user account:
Login to Okta with the account you created.
In the 'Set Up Multifactor Authentication' window, select the Google Authenticator option and click Configure Factor.
Select your device type and then click Next.
Step 5: Set up Google Authenticator
Install Google Authenticator on your phone or add the Chrome extension.
Select your device type and then click Next. A QR code is displayed.
Click Can't scan QR Code?.
Copy the displayed secret key.
Back in Axonius, paste the copied secret key in the 2FA Secret Key field.
Back in the Okta MFA Configuration panel, click Scan QR Code to display the QR Code again.
Open the Google Authenticator on your device and click +.
Scan the QR code. Google Authenticator displays a verification code.
In Okta, click Next and enter the verification code.
Click Verify.
Note
This verification is a one-time process.
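The value pasted into the 2FA Secret Key field in Step 5 is the Base32 seed of a standard TOTP (RFC 6238) factor, the same seed Google Authenticator scans from the QR code. The following added example (not Axonius or Okta code) derives the current code from such a seed with the Google Authenticator defaults (SHA-1, 30-second step, 6 digits), so you can confirm that the key you copied produces the same code the app shows before saving the connection. The RFC 6238 test seed is used as a constructed input.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret: str) -> bytes:
    """Decode the Base32 secret shown under 'Can't scan QR Code?'.

    Whitespace and case are normalised and padding restored, since the
    displayed key is often shown in lowercase groups of four characters.
    """
    cleaned = "".join(secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with Google Authenticator defaults (HMAC-SHA1, 30 s, 6 digits)."""
    counter = at // period                      # time step since the Unix epoch
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(decode_secret(secret), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(secret: str) -> str:
    """Code the authenticator app should be displaying right now."""
    return totp(secret, int(time.time()))


# Constructed check input: the RFC 6238 reference seed "12345678901234567890",
# Base32-encoded. Replace with the secret copied from Okta to verify your own key.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))   # 287082, the RFC 6238 SHA-1 vector at T=59
    print(current_code(RFC_SECRET))
```

If the printed code differs from the one Google Authenticator shows for the same seed, the key was copied incorrectly (or the device clock is skewed).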
Step 6: Connect Adapter
We recommend logging into Okta with the user you created to ensure that the user was properly configured.
Back in Axonius, in the Okta Adapter setup window, click the Active Connection slider to set it to ON.
Click Save before selecting Save and Fetch, to verify the status of the adapter.
Optional: How to Exclude the User From MFA
If you prefer not to enable MFA for the user you created in Okta, follow the instructions below for excluding the user from MFA.
Login to the Okta Admin Console with a user account that has a Super Administrator or API Access Management Admin role.
In the Admin Console, navigate to Directory > Groups.
Locate and open the group you created earlier.
In the People tab, click Assign people.
Locate the newly created user account and click the corresponding + to assign the user to the group.
Click Done.
In the Admin Console, navigate to Security > Authentication.
In the Sign On tab, click Add New Okta Sign-on Policy.
Specify a policy name (for example, 'axonius-sm-mfa-policy') and an optional description.
In the Assign to Groups field, add the group you just created.
Click Create Policy and Add Rule.
Use the default configuration, and make sure that the Multifactor authentication (MFA) is Not Required.
Click Create Rule.
Parameters
The parameters that you need to fill out will differ based on the capabilities in your Axonius platform. 'General' pertains to users with Cybersecurity Asset Management and/or SaaS Management capabilities.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
General
Okta URL (required) - The hostname or IP address of the Okta server. This field format is '[instance].okta.com'.
Authentication - Select whether to authenticate this adapter connection with an API Key or OAuth2.
Okta API Key - The generated API key provided by Okta that allows Axonius to fetch data from the Okta API. This is required when API Key is selected in the Authentication drop-down. For details, see Create an API Token.
Okta Client ID - Client ID of the service app. This is required when OAuth2 is selected in the Authentication drop-down.
Okta JWK Private/Public Keys - The JSON web key which was generated and assigned in the OAuth 2.0 service app integration in the Admin Console of Okta. This is required when OAuth2 is selected in the Authentication drop-down.
Throttling rate percentage - Specify the threshold percentage of the Okta API rate limit when connecting to the value supplied in Okta URL. Axonius will stop the data fetch when the API rate limit reaches the supplied value.
Number of parallel requests (required, default: 75) - Specify the maximum parallel requests that will be created when connecting to the value supplied in Okta URL.
API rate limit threshold percentage (required) - The API rate limit threshold percentage field shows the amount of API requests left before reaching the maximum limit set by the Okta API, represented as a percentage. By default this is set to 10%.
User Filter Params - You can use the Okta Expression language to filter a subset of users (for example, users who belong to specific departments) to be retrieved by the Okta adapter and displayed in Axonius.
Filter Users by Group Name - Enter a group name to only fetch users from the specific group. Refer to Configuring a Group in Okta for details.
HTTPS Proxy - Connect the adapter to a proxy instead of directly connecting it to the domain.
Cybersecurity Asset Management
Add users inside the devices - Select this option to fetch user information to populate in the relevant device-specific fields.
SaaS Management
Admin URL - The hostname or IP address of the Okta admin server. This field format is '[instance]-admin.okta.com'.
Admin Username - The value you enter in the User Name field in Okta for the new user you created to allow Axonius to fetch SaaS Management data.
Admin Password - The password you set for the new user in Okta.
2FA Secret Key - The secret generated in Okta for setting up 2-factor authentication for the Okta user created for collecting SaaS Management data.
SSO provider - If your organization uses Okta for SSO, you can select this check box (selected by default). For more information, see Connecting your SSO Solution Provider Adapter.
Department Field - This is the mapping of the department value for the Okta authentication object. Check if your organization's 'department' value is different from the default value ('department').
Advanced Settings
Note:
Advanced settings can either apply for all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection, refer to Advanced Configuration for Adapters.
For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
General
Fetch apps - Select this option to also fetch information about applications.
Exclude Inactive Apps - Select this option to only fetch apps with a status of ‘Active’. The ‘Fetch apps’ setting must be selected.
Fetch apps with no users - Select this option to also fetch information about applications with no users.
Fetch groups - Select this option to fetch group details.
Fetch users authentication factors - Select this option to also fetch users authentication factors.
Fetch users - Select this option to also fetch information about users.
Fetch user logs (required, default: True) - Select this option to fetch information about users' log events, which include details such as IP address, browser, and OS type.
Fetch logs from the last X days - Enter a number of days back from which to fetch logs.
Time in seconds to sleep between each request (optional) - Specify sleeping time in seconds between each API request Axonius sends to Okta.
Fetch deprovisioned users - Select this option to fetch users that are deprovisioned.
Display recovery question in View Advanced - Select this option to save the users' recovery questions in the Axonius database. When you enable this parameter, the recovery question is displayed in plain-text in the View Advanced data for the Okta Adapter.
User results limit (required, default: 100) - Specify the number of results per page when Axonius makes the API call. The maximum value is 200.
Device with users fetch pagination limit - Sets the limit of results per page when fetching devices with detailed users information. This configuration should not be changed unless instructed by technical support or engineering.
Disable Devices Fetch - Select this option to disable fetching device details from Okta.
Group type - Select the type of group to fetch from Okta. For more information, see Okta group source types.
Only fetch user records - Select this option to only fetch user records from Okta.
Fetch all logs history each cycle - Select this option to also fetch logs in each discovery cycle, otherwise it will only fetch the new logs since the last fetch cycle.
Raw data fields exclusions (comma separated list) - Specify a comma-separated list of data fields to exclude from the fetch.
Note
Nested data fields should be separated by forward slashes. For example, if you want to exclude a field email inside the Profile complex field, then specify profile/email.
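To make the slash-separated exclusion syntax concrete, here is an added example (not Axonius code) that parses a Raw data fields exclusions value such as "profile/email, credentials/recovery_question" and strips those paths from a constructed Okta user record before it would be stored. The sample record and the exact handling of missing paths are assumptions.

```python
from __future__ import annotations

import copy
from typing import Any

# Constructed sample shaped like an Okta Users API record (only a few fields).
SAMPLE_USER = {
    "id": "00u_constructed_example",
    "status": "ACTIVE",
    "profile": {
        "login": "jdoe@example.com",
        "email": "jdoe@example.com",
        "department": "Security",
    },
    "credentials": {
        "recovery_question": {"question": "Name of first pet?"},
        "provider": {"type": "OKTA", "name": "OKTA"},
    },
}


def parse_exclusions(raw: str) -> list[list[str]]:
    """Split the comma-separated setting into per-field path lists.

    Nested fields use forward slashes, as the note describes: 'profile/email'
    becomes ['profile', 'email']. Blank entries and stray slashes are ignored.
    """
    paths = []
    for entry in raw.split(","):
        parts = [p.strip() for p in entry.strip().split("/") if p.strip()]
        if parts:
            paths.append(parts)
    return paths


def _remove_path(node: Any, path: list[str]) -> None:
    """Delete the key at the end of `path` if the whole path exists."""
    for key in path[:-1]:
        if not isinstance(node, dict) or key not in node:
            return  # path does not exist in this record; nothing to strip
        node = node[key]
    if isinstance(node, dict):
        node.pop(path[-1], None)


def apply_exclusions(record: dict, raw_exclusions: str) -> dict:
    """Return a copy of `record` with every excluded field removed."""
    stripped = copy.deepcopy(record)  # never mutate the fetched record in place
    for path in parse_exclusions(raw_exclusions):
        _remove_path(stripped, path)
    return stripped


if __name__ == "__main__":
    print(apply_exclusions(SAMPLE_USER, "profile/email, credentials/recovery_question"))
```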
Cybersecurity Asset Management
Email domain include list (optional) - Specify a comma-separated list of email domains to only fetch users whose email domain is in the specified list.
Fetch Security Logs (optional) - Select this option to fetch security logs based on security.request.blocked and security.threat.detected events.
SaaS Management
Fetch Bookmark apps - Select this option to also fetch information about Bookmark apps.
Fetch application permissions (applications grants) - Enrich applications with grant and scope info. The configured Okta credentials must have the okta.appGrants.read permission in order to fetch this data. Customers that configured an API key/token must ensure that the account for which the token was created has a role with the "View applications and their details" permission.
Enrich Groups with Applications (SaaS Management) -
Enrich user data in a synchronous manner (for example: groups) - Select this option to enrich data synchronously. (Use for organizations with large numbers of users/groups/apps/roles.)
List of known domains (optional) - Specify a comma-separated list of domains used to identify external users in Okta.
Fetch audit activities (Behavior Analytics) - Select this option to also fetch audit logs from Okta.
Fetch admin roles - Select this option to fetch additional information on admin roles, otherwise Axonius will fetch users with admin roles, without additional information about those roles.
Fetch Application Settings - Select this option to fetch general Okta admin settings, such as authentication policy settings or notification settings. (To fetch this information you need to configure the User name and Password fields. If 2FA is required for this application, the 2FA key must be provided.)
SaaS Management Best Practices
To fetch SaaS Management data, set the following:
Fetch apps
Fetch Bookmark apps
Enrich groups with applications
Fetch user logs
Fetch logs from the last X days - enter '7'