Okta Data Integration
Last updated: 2025.04.29
The Cisco Identity Intelligence security platform reads a variety of user account data and event data to build a full picture of the identity security posture of your Okta tenant, as well as of ongoing identity threats against your organization.
Identity Intelligence has created an OAuth2 API service application in the Okta network for the purpose of data ingestion.
The bar below links to the application in the Okta network.
To implement this application, do the following:
1. Click Install & Authorize.
2. Copy the client secret to a secure location, such as a key vault, if desired.
3. Click Done.
New Okta integrations (for EXISTING Okta integrations, jump to step 6 below):
4. Within your CII tenant, go to the Integrations page and click Add Integration. Select the Okta integration.
5. Enter the display name, Issuer (your Okta URL), Client ID, and Client Secret in the respective fields and click the Save button.
Existing Okta integrations (for NEW Okta integrations, jump to step 9 below):
6. After completing steps 1-3 above, go to the Integrations page within your CII tenant and click Edit on your existing Okta integration.
7. Click the Convert to OAuth2 button.
8. Enter the display name, Issuer (your Okta URL), Client ID, and Client Secret.
9. Under the Advanced tab, enable the User Schema and Roles to Users data types and click the Save button.
10. On the Integrations page, click the three-dot menu on the right side of the new Okta integration tile and click Test Connectivity.
If the Log Streaming module is part of your current Okta subscription, follow the steps below to configure Log Streaming. Log Streaming is not required to configure the Okta Data Integration, but it is recommended if you have it.
Once connectivity is verified, click the three-dot menu again and select Edit settings for the Okta integration. Go to the Event Streaming tab.
After registering the log stream and clicking Save, use the three-dot menu to click Collect Now to begin the initial data collection.
NOTE - Due to Okta API rate limiting, the initial data collection, including historical log data, may take 24 hours or longer. Your Identity Intelligence technical contact will assist with any questions during this process.
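The note above explains why the first collection is slow: Okta meters its APIs, and a collector that ignores the limits simply fails. As an added illustration (not Cisco's collector, whose internals this page does not describe), the Go code below shows the two behaviours any reader of the Okta System Log needs: it follows the rel="next" Link header through /api/v1/logs, and on HTTP 429 it pauses until the X-Rate-Limit-Reset epoch before retrying the same page. It also handles the edge case that Okta keeps returning a next link at the head of the log, so the loop stops on an empty page rather than on a missing link. The domain and bearer token are placeholders; the Sleep and Now hooks exist so the logic can be exercised without real waiting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strconv"
	"time"
)

var nextLinkRe = regexp.MustCompile(`<([^>]+)>;\s*rel="next"`)

// NextLink returns the rel="next" URL from Okta's Link header, or "" when there is none.
func NextLink(h http.Header) string {
	for _, v := range h.Values("Link") {
		if m := nextLinkRe.FindStringSubmatch(v); m != nil {
			return m[1]
		}
	}
	return ""
}

// WaitFor turns Okta's X-Rate-Limit-Reset header (epoch seconds) into a pause, with a
// one-second floor so that a reset time at or before "now" still yields a short back-off.
func WaitFor(h http.Header, now time.Time) (time.Duration, error) {
	reset, err := strconv.ParseInt(h.Get("X-Rate-Limit-Reset"), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("missing or invalid X-Rate-Limit-Reset: %w", err)
	}
	if d := time.Unix(reset, 0).Sub(now); d > 0 {
		return d + time.Second, nil
	}
	return time.Second, nil
}

// Collector pulls System Log events with a read-only bearer token (placeholder value).
type Collector struct {
	Client *http.Client
	Token  string
	Sleep  func(time.Duration) // injectable so tests do not really wait
	Now    func() time.Time
}

// CollectLogs reads /api/v1/logs from `since`, following rel="next" pages and, on HTTP 429,
// sleeping until the rate-limit window resets before retrying the same page. It stops when
// a page carries no events: at the head of the log Okta keeps returning a next link, so
// "no next link" alone would never terminate. It returns the events and the number of
// times it was throttled.
func (c *Collector) CollectLogs(oktaDomain string, since time.Time) ([]json.RawMessage, int, error) {
	next := fmt.Sprintf("%s/api/v1/logs?since=%s&limit=1000", oktaDomain, since.UTC().Format(time.RFC3339))
	var events []json.RawMessage
	throttled := 0
	for next != "" {
		req, err := http.NewRequest(http.MethodGet, next, nil)
		if err != nil {
			return events, throttled, err
		}
		req.Header.Set("Authorization", "Bearer "+c.Token)
		req.Header.Set("Accept", "application/json")
		resp, err := c.Client.Do(req)
		if err != nil {
			return events, throttled, err
		}
		if resp.StatusCode == http.StatusTooManyRequests {
			d, err := WaitFor(resp.Header, c.Now())
			resp.Body.Close()
			if err != nil {
				return events, throttled, err
			}
			throttled++
			c.Sleep(d)
			continue // retry the same page after the window resets
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return events, throttled, fmt.Errorf("GET %s: HTTP %d", next, resp.StatusCode)
		}
		var page []json.RawMessage
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil {
			return events, throttled, err
		}
		if len(page) == 0 {
			break
		}
		events = append(events, page...)
		next = NextLink(resp.Header)
	}
	return events, throttled, nil
}
```

In production, construct the Collector with `http.DefaultClient`, `time.Sleep` and `time.Now`; the throttled count is worth exporting as a metric, since a steadily rising value is the expected signature of a large historical backfill rather than a fault.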
This section provides a step-by-step guide for configuring a read-only OAuth 2.0 API service integration with Okta. By following it, you will enable secure access to the Okta APIs under the least-privilege principle, so that the integration can only retrieve (read) data and cannot modify it. This is particularly useful for reporting, monitoring, or auditing, where data access is required but data manipulation is not permitted.
OAuth 2.0 is a widely adopted authorization framework that provides secure and scalable access delegation. In this context, Okta's implementation of OAuth 2.0 lets you grant specific API permissions to applications while keeping control over sensitive resources.
Read-Only Access: Limit the scope of API access to read-only operations, ensuring enhanced security.
Scoped Permissions: Use OAuth 2.0 scopes to define the exact level of access the integration is permitted.
Service Account Integration: Create a service account that interacts programmatically with Okta APIs.
Secure Authentication: Leverage client credentials for authentication to ensure secure communication.
This guide is intended for:
Developers building applications that need to query Okta data.
IT administrators configuring service accounts for reporting or monitoring.
Security teams implementing least-privilege access for API integrations.
Before you begin, ensure you have the following:
Administrative Access to Okta: You must have the necessary permissions to create and manage API service integrations within your Okta instance.
Okta Developer Account or Production Environment: A valid Okta environment where the integration will be configured.
Understanding of OAuth 2.0: Familiarity with OAuth 2.0 concepts such as scopes, tokens, and client credentials.
By the end of this section, you will:
Set up an OAuth 2.0 application in Okta.
Configure client credentials for secure API authentication.
Define and apply the appropriate read-only scopes for the integration.
Test the integration to ensure it retrieves data as expected.
Let’s get started with the configuration process!
Okta Integration: creating the OIDC client in Okta with public/private key authentication for a read-only integration
Step 1: Log into Okta Admin Console
Log in using your admin credentials.
Step 2: Create an API Services Application
In the Okta Admin Console, go to Applications > Applications.
Click Create new App Integration.
Choose API Services and click Next.
Enter a name for your App Integration and click Save.
On the General tab, under Client Credentials, click Client Authentication and then Edit.
Select Public key / Private key as the authentication method.
Check the box to Save keys in Okta.
Click Add Key, then Generate new key.
Choose Private Key in PEM format (not JSON), and copy both the private key and the KID (the private key cannot be viewed again once you close this window).
Click Done, then Save.
Under General Settings, unselect Proof of possession, then click Save.
Step 3: Configure Permissions
Go to the Okta API Scopes tab.
Grant the necessary permissions for the scopes required by CII.
Step 4: Configure Admin Role
Step 5: Configure Okta Integration in CII
Check the box for public/private key authentication
Use the following details to configure the Okta integration in CII:
Display name
Okta domain (URL)
Client ID
KID
Private Key PEM file
Click Connect; the API connection is tested automatically.
We highly recommend also completing Configure Okta Event Streaming.
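The steps above leave the reader with a client ID, a KID, a PEM private key and a set of granted scopes, and Step 5 ends with CII testing the connection. As an added, stand-alone illustration of what that test involves (this is not Cisco's or Okta's code), the Go program below does what a read-only client of Okta's OAuth 2.0 for Okta APIs has to do: it refuses any scope that is not read-only before a token is ever requested, builds the RS256 private_key_jwt client assertion (iss and sub are the client ID, aud is the token endpoint), verifies that assertion the way the token endpoint does, and assembles the client_credentials form that is posted to {Okta domain}/oauth2/v1/token. The Okta domain, client ID and KID are placeholder values, and NewTestKey stands in for the key pair generated in the Okta console.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Config mirrors the fields the CII form asks for in Step 5 (placeholder values; in
// production load the PEM file with pem.Decode followed by x509.ParsePKCS8PrivateKey).
type Config struct {
	OktaDomain string          // e.g. "https://<your-org>.okta.com" (placeholder)
	ClientID   string          // client_id of the API Services app (placeholder)
	KID        string          // key ID shown when the key pair was generated (placeholder)
	PrivateKey *rsa.PrivateKey // private half of the key pair from Step 2
	Scopes     []string        // scopes granted on the Okta API Scopes tab in Step 3
}

// NewTestKey makes a throwaway RSA key so the flow can be exercised locally; in
// production the key is the one generated in the Okta console.
func NewTestKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AssertReadOnly enforces the guide's least-privilege rule before any token is
// requested: Okta's read-only scopes end in ".read" (or ".read.self").
func AssertReadOnly(scopes []string) error {
	for _, s := range scopes {
		if !strings.HasSuffix(s, ".read") && !strings.HasSuffix(s, ".read.self") {
			return fmt.Errorf("scope %q is not read-only", s)
		}
	}
	return nil
}

// BuildClientAssertion signs the RS256 JWT (private_key_jwt, RFC 7523) that Okta's token
// endpoint expects: iss = sub = client_id, aud = token endpoint URL, short exp, random jti.
func BuildClientAssertion(cfg Config, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": cfg.KID})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]any{
		"iss": cfg.ClientID, "sub": cfg.ClientID, "aud": cfg.OktaDomain + "/oauth2/v1/token",
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "jti": b64url(jti),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, cfg.PrivateKey, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyAssertion does what Okta does on receipt: checks the RS256 signature against
// the public key saved in Okta, then the iss/sub/aud/exp claims.
func VerifyAssertion(token string, pub *rsa.PublicKey, clientID, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	payload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("bad base64url encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64)
	if claims["iss"] != clientID || claims["sub"] != clientID || claims["aud"] != aud || int64(exp) <= now.Unix() {
		return nil, fmt.Errorf("iss/sub/aud mismatch or assertion expired")
	}
	return claims, nil
}

// TokenRequestForm builds the body of the client_credentials POST to {OktaDomain}/oauth2/v1/token;
// send it with http.PostForm and compare the "scope" string in the JSON reply with cfg.Scopes.
func TokenRequestForm(cfg Config, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"scope":                 {strings.Join(cfg.Scopes, " ")},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}
```

Two checks in this flow are the ones worth keeping in any real integration: the scope list is validated before a token is requested, so a misconfigured *.manage grant fails loudly rather than silently widening access, and the "scope" field of the token response is compared with what was requested, which is how the Test Connectivity step surfaces a missing grant on the Okta API Scopes tab.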
The following notes belong to the procedures above:
Before you begin: confirm that your Okta organization is using Okta Identity Engine (OIE), not Okta Classic. If you're unsure which you're using, check the footer on any page of the Okta Admin Console: the version number is suffixed with E for OIE orgs and C for Classic Engine orgs.
Adding the integration: click Add Integration from the link in the bar above, or search for the API integration within the Okta Admin Console (if you have multiple tenants, make sure you're signed in to the correct Okta org), then click Next.
Event streaming: use the information provided to set up Okta log streaming via AWS EventBridge.
Open your Okta Admin Console.
Step 4 (Configure Admin Role):
1. On the Admin roles tab, add the Org Administrator role to this application.
NOTE - The application is still constrained by the granted API scopes. However, a corresponding admin role must also be granted that allows the selected scopes, such as okta.schemas.read. See the article linked in this note for more details.