# Okta Data Integration

## Overview <a href="#overview" id="overview"></a>

The Cisco Identity Intelligence security platform reads a variety of user account data and event data to build a full picture of the identity security posture of your Okta tenant, as well as of ongoing identity threats against your organization.

## Okta OAuth2 Data Integration <a href="#okta-data-integration-1" id="okta-data-integration-1"></a>

Identity Intelligence has published an OAuth2 API service application in the Okta Integration Network for the purpose of data ingestion.

The bar below links to the application in the Okta Integration Network :point\_down:

{% embed url="https://www.okta.com/integrations/cisco-identity-intelligence-read-write-management-api-service/" %}

To implement this application, do the following:

1. Confirm that your Okta organization is using Okta Identity Engine (OIE), not Okta Classic. [Upgrade if needed](https://help.okta.com/oie/en-us/content/topics/identity-engine/oie-upgrade-eligibility.htm). If you're unsure which engine you're on, check the footer on any page of the Okta Admin Console: the version number ends in E for OIE orgs and C for Classic Engine orgs.
2. Click **Add Integration** from the link in the bar above :point\_up:, or search for the API integration within the Okta Admin Console (if you have multiple tenants, make sure you're signed into the correct Okta org), then click **Next**.
3. Click **Install & Authorize**<br>

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F3ZTvAS6Bt4W1p4wMYtlm%2Fimage.png?alt=media&#x26;token=9dac43eb-cb17-4290-8355-c4a07037b411" alt=""><figcaption></figcaption></figure>
4. Copy the client secret to a secure location, such as a key vault; you will need it in step 7.
5. Click **Done**
6. Within your CII tenant, go to the **Integrations** page and click **Add Integration**. Select the Okta integration.
7. Enter the display name, Issuer (your Okta URL), Client ID, and Client Secret in the respective fields and select the **Save** button<br>

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FuMzpz6tJKlV0aiDcZJ9x%2Fimage.png?alt=media&#x26;token=d470bfcf-c323-4daf-9ed4-92c35b3d0a03" alt=""><figcaption></figcaption></figure>


8. Under the **Advanced** tab, review the answers to the questions in the top section of the page and make sure they are answered correctly. Then ensure the integration is set to "Managed" so that the relevant data types are enabled based on those answers. Read our documentation about [Managed Integrations](https://docs.oort.io/integrations/managed-integrations) to learn about the benefits.<br>

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F3Pr4KocNwzFltccS7KJ8%2FScreenshot%202026-01-22%20at%204.46.25%E2%80%AFPM.png?alt=media&#x26;token=203b2646-38ab-4fba-bf26-3017689c9eb7" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
After configuration is completed in both systems, you may see a yellow banner on the Identity Intelligence API Service App page in the Okta Admin Console that states, "Cisco Identity Intelligence - Read - Write Management API Service is not configured until you complete the setup instructions". You can disregard this message; the integration is fully configured.
{% endhint %}

### Test Connectivity

1. On the Integrations page, click the **three dots menu** on the right side of the new Okta integration tile. Click **Test Connectivity**.

### Configure Okta Event Streaming

If the Log Streaming module is part of your current Okta subscription, follow the steps below to configure it. **Log Streaming is not required to configure the Okta Data Integration, but it is recommended if you have it.**

1. Once connectivity is verified, click the 3-dot menu again and select **Edit settings** for the Okta integration. Go to the **Event Streaming** tab.
2. Use the information provided there to set up Okta log streaming via AWS EventBridge. [Instructions can be found here](https://docs.oort.io/integrations/okta-aws-eventbridge-streaming-integration).
3. After registering the log stream and clicking **Save**, use the 3-dot menu to click **Collect Now** to begin the initial data collection.

**NOTE** - Due to Okta API rate limiting, the initial data collection, including historical log data, may take 24 hrs or longer. Your Identity Intelligence technical contact will assist with any questions in this process.

## Okta Read-only OAuth 2.0 Client Application (BETA)

This section provides a step-by-step guide for configuring a read-only **OAuth 2.0 API service integration** with Okta. By following this guide, you will enable access to Okta APIs under the principle of least privilege, so that the integration can only retrieve (read) data and cannot modify it. This is particularly useful for use cases such as reporting, monitoring, or auditing, where data access is required but data manipulation is not permitted.

OAuth 2.0 is a widely adopted authorization framework that provides secure and scalable access delegation. In this context, Okta's implementation of OAuth 2.0 allows you to grant specific API permissions to applications while maintaining control over sensitive resources.

#### Key Features of This Integration (Beta)

* **Read-Only Access**: Limit the scope of API access to read-only operations, ensuring enhanced security.
* **Scoped Permissions**: Use OAuth 2.0 scopes to define the exact level of access the integration is permitted.
* **Service Account Integration**: Create a service account that interacts programmatically with Okta APIs.
* **Secure Authentication**: Leverage client credentials for authentication to ensure secure communication.

#### Who Should Use This Guide?

This guide is intended for:

* Developers building applications that need to query Okta data.
* IT administrators configuring service accounts for reporting or monitoring.
* Security teams implementing least-privilege access for API integrations.

#### Prerequisites

Before you begin, ensure you have the following:

1. <mark style="color:$danger;">**IMPORTANT:**</mark> **Contact Cisco or Duo Support to have this feature enabled for your CII tenant.**
2. **Administrative Access to Okta**: You must have the necessary permissions to create and manage API service integrations within your Okta instance.
3. **Okta Developer Account or Production Environment**: A valid Okta environment where the integration will be configured.
4. **Understanding of OAuth 2.0**: Familiarity with OAuth 2.0 concepts such as scopes, tokens, and client credentials.

#### What You'll Learn

By the end of this section, you will:

* Set up an OAuth 2.0 application in Okta.
* Configure client credentials for secure API authentication.
* Define and apply the appropriate read-only scopes for the integration.
* Test the integration to ensure it retrieves data as expected.

Let’s get started with the configuration process!

The remaining steps create the OIDC client in Okta with public/private key authentication for the read-only integration.

**Step 1: Log into Okta Admin Console**

1. Open your Okta Admin Console (e.g., <https://your-org.okta.com/>).
2. Log in using your admin credentials.

**Step 2: Create a custom admin role**

1. Navigate to Security -> Administrators -> Roles tab
2. Click **Create role**
3. Provide a name and description for the role
4. Under Permissions, select Identity and Access Management -> **View roles, resources, and admin assignments**
5. Click Save Role

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FRgiuuZngEciHd8pomWbU%2F2025-09-02_13-33-18.jpg?alt=media&#x26;token=b46139eb-d9df-4481-93a2-0db1969e8ac7" alt=""><figcaption></figcaption></figure>

**Step 3: Create an API Services Application**

1. In the Okta Admin Console, go to Applications > Applications.
2. Click Create new App Integration.
3. Choose **API Services** and click **Next**.<br>

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F0beTURYFVsomGFsvtmHF%2Fimage.png?alt=media&#x26;token=c314db45-02ff-4889-94c3-3508aa6ff7fb" alt=""><figcaption></figcaption></figure>
4. Enter a name for your App Integration and click Save.
5. Under Client Credentials, click Client Authentication and then **Edit**.
6. Select **Public key / Private key** as the authentication method.
7. Check the box to Save keys in Okta.
8. Click **Add Key**, then **Generate new key**.
9. Choose Private Key in **PEM format** (not JSON), and make sure to <mark style="color:$warning;">**copy the private key and KID to a secure location**</mark> (you won’t be able to see the private key again once you close this window).<br>

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2Fo7BeTSKzRCrMIb4CtkB4%2Fimage.png?alt=media&#x26;token=ed77debd-572d-47f6-9165-5fc34ea709e3" alt=""><figcaption></figcaption></figure>
10. Click **Done**, then **Save**.
11. Under General Settings, click **Edit**, unselect **Proof of possession**, then **Save**<br>

    <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2Fow5PsLLZ85tjIEhSLzK5%2Fimage.png?alt=media&#x26;token=738bebfe-e32b-4d20-9650-83cf4773bf2f" alt=""><figcaption></figcaption></figure>


**Step 4: Configure Permissions**

1. Go to the Okta API Scopes tab.
2. Grant the necessary permissions for the scopes required by CII.<br>

   <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FpRxqMzNE2fqNyCacvyMp%2Fimage.png?alt=media&#x26;token=70a8858d-cdc3-4cc5-ad29-538e31925ad4" alt=""><figcaption></figcaption></figure>


<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FlDUEr2cusezJCcQwdsEY%2Fimage.png?alt=media&#x26;token=501f231d-0c15-4410-a02f-7085cc8f6a91" alt=""><figcaption></figcaption></figure>

**Step 5: Configure Admin Roles**

1. On the **Admin roles** tab, add two roles to this application:
   1. The Super Admin role OR the Org Administrator role (see below; without the Org Admin role, CII will **not** be able to collect `API Service Integration` details for the tenant)<br>

      <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FbulIo9a7ehYgiBMxvsdk%2Fimage.png?alt=media&#x26;token=266995f3-b723-431e-b62f-3919e369801e" alt=""><figcaption></figcaption></figure>

      <br>
   2. The custom role created above, with a resource set of `All Identity and Access Management resources`.

      NOTE - the application is still constrained by the granted API scopes. However, [per Okta](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#use-the-client-credentials-grant-flow), a corresponding role must also be granted that allows the selected scopes, such as `okta.schemas.read`. See the linked article for more details.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2Fis8j0yYa85Cm1hG0390z%2F2025-09-02_13-35-43.jpg?alt=media&#x26;token=8fa3cfd9-aad2-496d-b636-dc9dcc478464" alt=""><figcaption></figcaption></figure>

**Step 6: Configure Okta Integration in CII**

1. Within CII, navigate to Integrations -> Add Integration -> Okta
2. Check the box for <mark style="color:blue;">**public/private key authentication**</mark>

{% hint style="info" %}
<mark style="color:$warning;">**NOTE:**</mark> <mark style="color:$primary;">If you do not see this option, contact Cisco or Duo support to have this feature enabled for your tenant.</mark>
{% endhint %}

3. Use the following details to configure the Okta integration in CII:
   1. Display name
   2. Okta domain (URL)
   3. Client ID
   4. KID
   5. Private Key PEM file<br>

      <figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F6fq1o2Lfp9bVlMHCUOit%2Fimage.png?alt=media&#x26;token=eac520d6-3831-43c3-9fd2-0d4f349175db" alt=""><figcaption></figcaption></figure>
4. Click **Connect**; the API connection is tested automatically.
5. We highly recommend also implementing [Okta Event Streaming](#configure-okta-event-streaming).
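What the **Connect** test exercises under the hood, as an added example that is not CII's or Okta's own code: the private key PEM and KID from Step 3 sign a client assertion for Okta's client-credentials flow, and the token request carries only `*.read` scopes. The function names, the PKCS#8 PEM layout, the five-minute assertion lifetime and the read-only scope check are assumptions made for this example, not behaviour the page documents for CII.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"net/url"
	"strings"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// BuildClientAssertion signs the JWT that Okta verifies against the public key stored on the
// app: "kid" selects that key, "iss"/"sub" carry the client ID, "aud" is the org's token endpoint.
func BuildClientAssertion(pemKey []byte, kid, clientID, oktaDomain string, nowUnix int64) (string, error) {
	block, _ := pem.Decode(pemKey)
	if block == nil {
		return "", errors.New("no PEM block in private key")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes) // assumes the PKCS#8 ("PRIVATE KEY") layout
	key, ok := k.(*rsa.PrivateKey)
	if err != nil || !ok {
		return "", errors.New("private key is not a PKCS#8 RSA key")
	}
	tokenURL := strings.TrimSuffix(oktaDomain, "/") + "/oauth2/v1/token"
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	c, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": tokenURL,
		"iat": nowUnix, "exp": nowUnix + 300}) // short-lived: five minutes (assumed)
	input := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256
	return input + "." + b64(sig), nil
}

// TokenRequestForm builds the body POSTed to /oauth2/v1/token and refuses any scope that is not *.read.
func TokenRequestForm(assertion string, scopes []string) (url.Values, error) {
	for _, s := range scopes {
		if !strings.HasSuffix(s, ".read") {
			return nil, errors.New("scope is not read-only: " + s)
		}
	}
	return url.Values{"grant_type": {"client_credentials"}, "scope": {strings.Join(scopes, " ")},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion}}, nil
}
```

POST the form to the org's token endpoint as `application/x-www-form-urlencoded`. A rejected assertion usually means the KID or key does not match the key stored on the app, or **Proof of possession** (Step 3, item 11) is still enabled.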


