Okta Data Integration



The Oort identity security platform reads a variety of user account data and event data to build a full picture of the identity security posture of your Okta tenant, as well as on-going identity threats against your organization.


The goal of this document is to serve as a guide to set up Oort with a data integration to your Okta tenant.

Okta Data Integration

Understanding Oort API permissions

There are two groups of API types of permissions sets that can be used with your Oort tenant and Okta

  • Read-only - there are two Okta roles associated with read-only functionality

    • Read-only Administrator - the majority of read-only data functionality is contained within this built-in role

    • Organization Administrator - this is role is required to read User Schema data for purposes of the Missing Value in Mandatory Field check. Note that this role is ONLY used for data ingestion and analysis, as well as normal read-only activity.

  • Read/write - this involves the addition of the Help Desk role and the creation of a specific role in Okta with the necessary read/write permissions in order to take advantage of the defined list of Oort Remediation Actions.

Remediation actions can only be taken by the Oort administrator or help desk roles in Oort and are limited to the list in the above article.

Permission requirements for setting up Oort integration with Okta

To add the necessary configuration in Okta, you need to be one of the following:

  • Super admin

Read-only Okta Setup Steps

  1. Ideally, "Service Account" should either be in the name or in the User Type attribute of the profile.

  2. Login to the Okta admin console with that service account.

  3. Generate an API token as described by the Okta documentation here.

  4. Copy the token value for use in the Oort console. If you use a credential or secret vault, you may want to store the token value security there.

Remediation Actions & Read-write Okta Setup Steps

In order to support the Remediation Actions between Oort and Okta, the following additional roles must be configured for the Oort service account (admin account) in addition to one or both of the two roles above:

  • Help Desk role (required for push notification)

  • Custom role (required for actions like Quarantine user and change User Type)

For an overview of Okta custom roles, see this article.

  1. Note - this section of instructions assumes that you already have an Oort service account created in Okta. If you do not, create one.

  2. Assign the Oort service account to the Help Desk Administrator roles. If not already done, and desired for User schema read-only analysis, add Org Administrator, as well. (shown above)

  3. In the Admin Console, go to Security -> Administrators.

  4. Create the Custom Role. Go to the Roles tab. The Roles tab displays a list of previously created standard and custom admin roles.

  5. Click Create new role.

  6. In the Role name field, enter the name of the role. Choose a name that indicated the role is for use with Oort.

    1. Optional. In the Role description field, enter a short description of the role.

  7. Click Save role. You can see the role that you created listed on the Roles tab.

  8. You will need a service account assigned to this role in your Okta tenant. Complete the assignment to the Oort Service account with the correct Resource Set.

Generate the API Token

  1. Login to the Okta admin console with this specific account.

  2. Generate an API token as described by the Okta documentation here.

  3. Copy the token value for use in the Oort console. If you use a credential or secret vault, you may want to store the token value security there.

Oort Configuration

  1. Login to the Oort console

  2. Click Integrations tab -> Add Integration -> Okta.

  3. In the New Okta integration page, enter the following -

    1. A display name for the integration, such as Okta-[customer name]

    2. Instance URL - the is the primary FQDN of your Okta tenant, such as https://[customername].okta.com

    3. Okta API token generated in the previous steps

  4. Click the Advanced tab. If your Oort tenant is on the new Okta Identity Enginer (OIE) version, then check the 4 additional boxes for Devices, Policy Rules, Authenticators, and Authenticators to Users. If your Okta tenant is on Classic version, do not check these 4 boxes.

  1. Check the box for User Schema if you have assigned the Org Admin role to the service account. NOTE - the Okta Read-only Admin role does NOT include the ability to read the User Schema for potential issues or mismatches, so do not check that data type if the service account does not have the Organization Administrator role outlined above in Understanding Oort API permissions. Also, the Org Admin role does not contain the ability to read Okta application objects, so the Read-only Admin role is required for that.

  2. Click Save.

  3. On the Integrations page, click the three dots menu on the right side of the new Okta integration tile. Click Test Connectivity.

  4. Once successfully verified, click the 3-dot menu again and select Edit settings for the Okta integration. Go to the Event Streaming tab.

  5. Use the information provided to set up Okta log streaming via an AWS Eventbridge. Instructions can be found here.

  6. After registering the log stream and clicking Save, use the 3-dot menu to click Collect Now to begin initial data collection.

NOTE - Due to Okta API rate limiting, the initial data collection, including historical log data, may take 24 hrs or longer. Your Oort technical contact will assist with any questions in this process.

Last updated