Okta Data Integration

2025.04.29

Overview

The Cisco Identity Intelligence security platform reads a variety of user account data and event data to build a full picture of the identity security posture of your Okta tenant, as well as on-going identity threats against your organization.

Okta OAuth2 Data Integration

Identity Intelligence has created an OAuth2 SPI service application in the Okta network for the purpose of the data ingestion.

This bar below is the link to the application in the Okta network 👇

LogoCisco Identity Intelligence - Read-Write Management API Service | Okta

To implement this application, do the following:

  1. Confirm that your Okta organization is using Okta Identity Engine (OIE), and not Okta Classic. Upgrade if needed. If you're unsure which solution you're using, check the footer on any page of the Okta Admin Console. The version number is appended with E for OIE orgs and C for Classic Engine orgs.

  2. Click Add Integration from the link in the bar above ☝️ or search for the API Integration within the Okta Admin Console (If you have multiple tenants, ensure you're signed into the correct Okta org!) and click Next

  3. Click Install & Authorize

  4. Copy the client secret to a secure location, such as a key vault, if desired

  5. Click Done

  6. New Okta integrations (For EXISTING Okta integrations, jump to step 7 below)

    1. Within your CII tenant, go to the Integrations page and click Add Integration. Select the Okta integration.

    2. Enter the display name, Issuer (your Okta URL), Client ID, and Client Secret in the respective fields and click the Save button

  7. Existing Okta integrations (For NEW Okta integrations, jump to step 8 below)

    1. After completing Steps 1-5 above - within your CII tenant, go to the Integrations page and click Edit on your existing Okta integration

    2. Click Convert to OAuth2 button

    3. Enter the display name, Issuer (your Okta URL), Client ID, and Client Secret

  8. Under the Advanced Tab, ensure the integration is set to "Managed" to enable the relevant data types. Read our documentation about Managed Integrations to learn about the benefits

After configuration is completed in both systems, you may see a yellow banner on the Identity Intelligence API Service App page in the Okta Admin Console that states, "Cisco Identity Intelligence - Read - Write Management API Service is not configured until you complete the setup instructions". You can disregard this message. The integration is fully configured

Test Connectivity

  1. On the Integrations page, click the three dots menu on the right side of the new Okta integration tile. Click Test Connectivity.

Configure Okta Event Streaming

If you have the Log Streaming module as part of your current Okta subscription follow the steps below to configure Log Streaming. Log Streaming is not required to configure the Okta Data Integration, but it is recommended if you have it.

  1. Once successfully verified, click the 3-dot menu again and select Edit settings for the Okta integration. Go to the Event Streaming tab.

  2. Use the information provided to set up Okta log streaming via an AWS Eventbridge. Instructions can be found here.

  3. After registering the log stream and clicking Save, use the 3-dot menu to click Collect Now to begin initial data collection.

NOTE - Due to Okta API rate limiting, the initial data collection, including historical log data, may take 24 hrs or longer. Your Identity Intelligence technical contact will assist with any questions in this process.

Okta Read-only OAuth 2.0 Client Application (BETA)

This section provides a step-by-step guide for configuring a read-only OAuth 2.0 API service integration with Okta. By following this guide, you will enable secure access to Okta APIs with the least privilege principle, ensuring that the integration can only retrieve (read) data without the ability to modify it. This is particularly useful for use cases such as reporting, monitoring, or auditing, where data access is required but data manipulation is not permitted.

OAuth 2.0 is a widely adopted authorization framework that provides secure and scalable access delegation. In this context, Okta's implementation of OAuth 2.0 allows you to grant specific API permissions to applications while maintaining control over sensitive resources.

Key Features of This Integration (Beta)

  • Read-Only Access: Limit the scope of API access to read-only operations, ensuring enhanced security.

  • Scoped Permissions: Use OAuth 2.0 scopes to define the exact level of access the integration is permitted.

  • Service Account Integration: Create a service account that interacts programmatically with Okta APIs.

  • Secure Authentication: Leverage client credentials for authentication to ensure secure communication.

Who Should Use This Guide?

This guide is intended for:

  • Developers building applications that need to query Okta data.

  • IT administrators configuring service accounts for reporting or monitoring.

  • Security teams implementing least-privilege access for API integrations.

Prerequisites

Before you begin, ensure you have the following:

  1. Administrative Access to Okta: You must have the necessary permissions to create and manage API service integrations within your Okta instance.

  2. Okta Developer Account or Production Environment: A valid Okta environment where the integration will be configured.

  3. Understanding of OAuth 2.0: Familiarity with OAuth 2.0 concepts such as scopes, tokens, and client credentials.

What You'll Learn

By the end of this section, you will:

  • Set up an OAuth 2.0 application in Okta.

  • Configure client credentials for secure API authentication.

  • Define and apply the appropriate read-only scopes for the integration.

  • Test the integration to ensure it retrieves data as expected.

Let’s get started with the configuration process!

Okta Integration: creation of the OIDC client in Okta with Public/Private Keys authentication for read-only integration

Step 1: Log into Okta Admin Console

  1. Open your Okta Admin Console (e.g., https://your-org.okta.com/).

  2. Log in using your admin credentials.

Step 2: Create an API Services Application

  1. In the Okta Admin Console, go to Applications > Applications.

  2. Click Create new App Integration.

  3. Choose API Services and click Next.

  4. Enter a name for your App Integration and click Save.

General

  1. Under Client Credentials, click Client Authentication and then Edit.

  2. Select Public key / Private key as the authentication method.

  3. Check the box to Save keys in Okta.

  4. Click Add Key, then Generate new key.

  5. Choose Private Key in PEM format (not JSON), and make sure to copy the private key and KID (you won’t be able to see the private key again once you close this window).

  6. Click Done, then Save.

  7. Under General Settings, unselect Proof of possession, then Save

Step 3: Configure Permissions

  1. Go to the Okta API Scopes tab.

  2. Grant the necessary permissions for the scopes required by CII.

Step 4: Configure Admin Role

1. On the Admin roles tab, add the Org Administrator role to this application. NOTE - the application is still constrained by the granted API scopes. However, per Okta, a corresponding role must be granted that allows the selected scopes, such as okta.schemas.read See the article linked in this note for more details.

Step 5: Configure Okta Integration in CII

  1. Check the box for public/private key authentication

  2. Use the following details to configure the Okta integration in CII:

    1. Display name

    2. Okta domain (URL)

    3. Client ID

    4. KID

    5. Private Key PEM file

  3. Click Connect and the API connection will be tested automatically.

  4. We highly recommend implementing Configure Okta Event Streaming

PreviousOkta Log Streaming AWS EventBridge IntegrationNextOkta Workflows

Last updated