Oort Knowledge Base

Okta Data Integration

2025.04.29


Last updated 11 days ago

Overview

The Cisco Identity Intelligence security platform reads a variety of user account data and event data from your Okta tenant to build a full picture of its identity security posture, as well as of ongoing identity threats against your organization.

Okta OAuth2 Data Integration

Identity Intelligence publishes an OAuth2 API service application in the Okta Integration Network (OIN) for the purpose of data ingestion.

The application is listed in the OIN as Cisco Identity Intelligence - Read-Write Management API Service; open that listing (or find it from the Okta Admin Console) to install it.

To implement this application, do the following:

  1. Click Install & Authorize

  2. Copy the client secret to a secure location, such as a key vault. Treat it as a credential with read-write access to your Okta tenant (the OIN application is the Read-Write Management API Service).

  3. Click Done

  4. New Okta integrations (for EXISTING Okta integrations, skip to step 5 below)

    1. Within your CII tenant, go to the Integrations page and click Add Integration. Select the Okta integration.

    2. Enter the display name, Issuer (your Okta URL), Client ID, and Client Secret in the respective fields and click the Save button

  5. Existing Okta integrations (for NEW Okta integrations, skip to step 6 below)

    1. After completing steps 1-3 above, within your CII tenant, go to the Integrations page and click Edit on your existing Okta integration

    2. Click the Convert to OAuth2 button

    3. Enter the display name, Issuer (your Okta URL), Client ID, and Client Secret

  6. Under the Advanced tab, enable the User Schema and Roles to Users data types and click the Save button

After configuration is completed in both systems, you may see a yellow banner on the Identity Intelligence API Service App page in the Okta Admin Console that states, "Cisco Identity Intelligence - Read-Write Management API Service is not configured until you complete the setup instructions". You can disregard this message; the integration is fully configured.

Test Connectivity

  1. On the Integrations page, click the three dots menu on the right side of the new Okta integration tile. Click Test Connectivity.

Configure Okta Event Streaming

If you have the Log Streaming module as part of your current Okta subscription, follow the steps below to configure Log Streaming. Log Streaming is not required for the Okta Data Integration, but it is recommended if you have it, because streamed events reach Identity Intelligence without waiting on polling of the System Log API.

  1. Once connectivity is verified, click the 3-dot menu again and select Edit settings for the Okta integration. Go to the Event Streaming tab.

  2. After registering the log stream and clicking Save, use the 3-dot menu to click Collect Now to begin initial data collection.

NOTE - Due to Okta API rate limiting, the initial data collection, including historical log data, may take 24 hours or longer. Your Identity Intelligence technical contact will assist with any questions in this process.
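The Test Connectivity action and the rate-limit note above, in code. This is an added example written for this page, not Cisco Identity Intelligence or Okta code: it obtains a client_credentials token with the OIN app's client ID and secret (client_secret_basic), fetches a single user from the Management API as a read-only probe, and pauses or retries based on Okta's X-Rate-Limit-Remaining and X-Rate-Limit-Reset response headers. The org URL, client ID, secret and scope list are placeholder assumptions.

```python
"""Probe an Okta data integration the way the Test Connectivity action does:
obtain a client_credentials token with the OIN app's client ID and secret, call
one read-only endpoint, and back off on Okta's rate-limit headers."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical values (assumption): the real ones come from the Install & Authorize
# dialog and should be read from a vault, not hard-coded.
ISSUER = "https://your-org.okta.com"
CLIENT_ID = "0oaexampleclientid"
CLIENT_SECRET = "replace-with-secret-from-your-vault"
SCOPES = ["okta.users.read", "okta.logs.read"]


def token_request(issuer, client_id, client_secret, scopes):
    """Return (url, headers, body) for a client_credentials grant.

    The client authenticates with HTTP Basic (client_secret_basic); RFC 6749
    requires both halves to be form-encoded before base64."""
    creds = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    ).encode()
    return f"{issuer}/oauth2/v1/token", headers, body


def rate_limit_wait(headers, now=None):
    """Seconds to pause before the next call, derived from Okta's
    X-Rate-Limit-Remaining and X-Rate-Limit-Reset (Unix epoch seconds) headers."""
    remaining = headers.get("X-Rate-Limit-Remaining")
    reset = headers.get("X-Rate-Limit-Reset")
    if remaining is None or reset is None or int(remaining) > 0:
        return 0.0
    now = time.time() if now is None else now
    return max(0.0, float(reset) - now)


def okta_get(url, access_token, max_retries=3):
    """GET a Management API URL, retrying on HTTP 429 until the bucket resets."""
    for attempt in range(max_retries + 1):
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                data = json.load(resp)
                wait = rate_limit_wait(resp.headers)
                if wait:
                    time.sleep(wait)  # bucket exhausted: pause before the next call
                return data
        except urllib.error.HTTPError as exc:
            if exc.code != 429 or attempt == max_retries:
                raise
            time.sleep(max(rate_limit_wait(exc.headers), 1.0))


def probe_connectivity(issuer=ISSUER, client_id=CLIENT_ID, client_secret=CLIENT_SECRET, scopes=SCOPES):
    """Get a token and fetch one user; raises urllib.error.HTTPError on any failure."""
    url, headers, body = token_request(issuer, client_id, client_secret, scopes)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers), timeout=15) as resp:
        token = json.load(resp)
    users = okta_get(f"{issuer}/api/v1/users?limit=1", token["access_token"])
    # Okta echoes the scopes it actually granted; compare them with what you asked for.
    return {"granted_scopes": token.get("scope", "").split(), "sample_user_count": len(users)}


if __name__ == "__main__":
    print(json.dumps(probe_connectivity(), indent=2))
```

A 401 from the token endpoint means the client ID or secret is wrong; a 403 from /api/v1/users with a valid token means the scope was not granted to the application. Both are the failures Test Connectivity surfaces.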

Okta Read-only OAuth 2.0 Client Application (BETA)

This section provides a step-by-step guide for configuring a read-only OAuth 2.0 API service integration with Okta. By following this guide, you will give Identity Intelligence access to the Okta APIs following the principle of least privilege, so that the integration can only retrieve (read) data and cannot modify it. This is particularly useful for reporting, monitoring, or auditing, where data access is required but data manipulation is not permitted.

OAuth 2.0 is a widely adopted authorization framework that provides secure and scalable access delegation. In this context, Okta's implementation of OAuth 2.0 allows you to grant specific API permissions to applications while maintaining control over sensitive resources.

Key Features of This Integration (Beta)

  • Read-Only Access: the application is granted only .read scopes, so it can retrieve tenant data but not change it.

  • Scoped Permissions: OAuth 2.0 scopes define the exact level of access the integration is permitted.

  • Service Account Integration: an API Services application acts as a service account that interacts programmatically with Okta APIs.

  • Secure Authentication: the application authenticates with the client credentials grant using a private key (public key / private key client authentication) rather than a shared client secret.

Who Should Use This Guide?

This guide is intended for:

  • Developers building applications that need to query Okta data.

  • IT administrators configuring service accounts for reporting or monitoring.

  • Security teams implementing least-privilege access for API integrations.

Prerequisites

Before you begin, ensure you have the following:

  1. Administrative Access to Okta: You must have the necessary permissions to create and manage API service integrations within your Okta instance.

  2. Okta Developer Account or Production Environment: A valid Okta environment where the integration will be configured.

  3. Understanding of OAuth 2.0: Familiarity with OAuth 2.0 concepts such as scopes, tokens, and client credentials.

What You'll Learn

By the end of this section, you will:

  • Set up an OAuth 2.0 application in Okta.

  • Configure client credentials for secure API authentication.

  • Define and apply the appropriate read-only scopes for the integration.

  • Test the integration to ensure it retrieves data as expected.

Let’s get started with the configuration process!

Okta Integration: creating the OIDC client in Okta with public/private key authentication for the read-only integration

Step 1: Log into Okta Admin Console

  1. Log in using your admin credentials.

Step 2: Create an API Services Application

  1. In the Okta Admin Console, go to Applications > Applications.

  2. Click Create new App Integration.

  3. Choose API Services and click Next.

  4. Enter a name for your App Integration and click Save.

General tab

  1. Under Client Credentials, click Edit next to Client authentication.

  2. Select Public key / Private key as the authentication method.

  3. Check the box to Save keys in Okta.

  4. Click Add Key, then Generate new key.

  5. Choose Private Key in PEM format (not JSON) and copy both the private key and the KID. The private key is shown only once; you won't be able to see it again after you close this window, so store it in a secrets manager together with the KID.

  6. Click Done, then Save.

  7. Under General Settings, uncheck Proof of possession (Require Demonstrating Proof of Possession (DPoP) header in token requests), then Save.

Step 3: Configure Permissions

  1. Go to the Okta API Scopes tab.

  2. Grant only the read-only scopes (those ending in .read, such as okta.schemas.read) that CII requires; the scopes for each integration are documented under Troubleshooting & Support > API Permissions for Integrations. Do not grant any .manage scope, otherwise the application is no longer read-only.

Step 4: Configure Admin Role

  1. On the Admin roles tab, assign the Org Administrator role to this application. NOTE - the application remains constrained by the API scopes granted in Step 3; however, per Okta, an admin role that permits the selected scopes (for example okta.schemas.read) must also be assigned to the application. See Okta's documentation on admin roles for API service integrations for details.

Step 5: Configure Okta Integration in CII

  1. Check the box for public/private key authentication

  2. Use the following details to configure the Okta integration in CII:

    1. Display name

    2. Okta domain (URL)

    3. Client ID

    4. KID

    5. Private Key PEM file

  3. Click Connect; the API connection is tested automatically.

  4. We highly recommend also completing Configure Okta Event Streaming above.

Notes

  • Before installing the Identity Intelligence API service application (Okta OAuth2 Data Integration above), confirm that your Okta organization is using Okta Identity Engine (OIE), not Okta Classic; upgrade if needed. If you're unsure which engine you're using, check the footer on any page of the Okta Admin Console: the version number is suffixed with E for OIE orgs and C for Classic Engine orgs.

  • Installing from the Okta Integration Network: open the Cisco Identity Intelligence - Read-Write Management API Service listing, or search for the API integration within the Okta Admin Console (if you have multiple tenants, ensure you're signed into the correct Okta org!), click Add Integration, then Next, and continue with Install & Authorize.

  • Configure Okta Event Streaming: use the information provided in the Okta Log Streaming AWS EventBridge Integration article to set up Okta log streaming via AWS EventBridge before registering the stream in the Event Streaming tab.

  • Step 1 of the read-only application: open your Okta Admin Console at your org URL (e.g., https://your-org.okta.com/).
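Steps 2 to 4 of the read-only application, exercised end to end. This is an added example written for this page, not Cisco Identity Intelligence or Okta code: it builds the private_key_jwt client assertion (header kid, iss and sub equal to the client ID, aud equal to the token endpoint, short exp, unique jti) that an API Services app with public/private key authentication sends to the token endpoint, assembles the client_credentials form body (no DPoP header, since Proof of possession was unchecked), and audits the scopes Okta reports as granted so that anything write-capable is caught before the integration is trusted as read-only. The org URL, client ID, KID, scope list and the HMAC test signer are assumptions; RS256 signing uses the cryptography package and the PEM file from Step 2.

```python
"""Build the private_key_jwt client assertion an Okta API Services app uses when
its client authentication is 'Public key / Private key', and audit the granted
scopes so that a 'read-only' integration really is read-only."""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
import uuid

# Hypothetical values (assumption); Client ID and KID come from the app's General tab.
OKTA_ORG = "https://your-org.okta.com"
TOKEN_URL = f"{OKTA_ORG}/oauth2/v1/token"
CLIENT_ID = "0oaexampleclientid"
KID = "kid-from-okta-console"
SCOPES = ["okta.users.read", "okta.logs.read", "okta.schemas.read"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RsaPemSigner:
    """RS256 over the PEM private key downloaded in Step 2. Needs the
    'cryptography' package, imported lazily so the rest of the file runs without it."""
    alg = "RS256"

    def __init__(self, pem: bytes):
        from cryptography.hazmat.primitives import hashes, serialization
        from cryptography.hazmat.primitives.asymmetric import padding
        self._key = serialization.load_pem_private_key(pem, password=None)
        self._padding, self._hash = padding.PKCS1v15(), hashes.SHA256()

    def sign(self, data: bytes) -> bytes:
        return self._key.sign(data, self._padding, self._hash)


class HmacTestSigner:
    """Offline stand-in (assumption) used only to exercise the JWT layout; Okta accepts
    only asymmetric algorithms (RS256/ES256 family) for private_key_jwt."""
    alg = "HS256"

    def __init__(self, secret: bytes):
        self._secret = secret

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._secret, data, hashlib.sha256).digest()


def build_client_assertion(client_id, kid, signer, now=None, lifetime=300):
    """RFC 7523 client assertion: iss and sub are the client ID, aud is the token
    endpoint, jti is unique so the assertion cannot be replayed, exp is short."""
    now = int(time.time() if now is None else now)
    header = {"alg": signer.alg, "typ": "JWT", "kid": kid}  # kid selects the key saved in Okta
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_URL,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = f"{compact(header)}.{compact(claims)}"
    signature = signer.sign(signing_input.encode("ascii"))
    return f"{signing_input}.{b64url(signature)}"


def decode_unverified(assertion):
    """Split a compact JWT into (header, claims) without checking the signature."""
    header_b64, claims_b64, _sig = assertion.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def token_request_body(assertion, scopes):
    """Form body for the client_credentials grant authenticated by the assertion.
    No DPoP header is needed because 'Proof of possession' was left unchecked."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    }).encode()


def non_read_only_scopes(scopes):
    """Okta Management API scopes are okta.<resource>.read or okta.<resource>.manage
    (optionally with a .self suffix); anything without 'read' can modify the tenant."""
    return sorted(s for s in scopes if "read" not in s.split("."))


def request_token(assertion, scopes):
    req = urllib.request.Request(TOKEN_URL, data=token_request_body(assertion, scopes),
                                 headers={"Accept": "application/json",
                                          "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:  # path to the PEM file from Step 2
        assertion = build_client_assertion(CLIENT_ID, KID, RsaPemSigner(fh.read()))
    token = request_token(assertion, SCOPES)
    granted = token.get("scope", "").split()  # Okta echoes the scopes it actually granted
    print("granted:", granted, "write-capable:", non_read_only_scopes(granted))
```

Run it as `python okta_readonly.py /path/to/private_key.pem`. If the write-capable list is not empty, a .manage scope was granted in Step 3 and the application is not read-only, whatever the admin role says; if the token request fails with invalid_scope, the admin role from Step 4 does not cover one of the requested scopes.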