Okta
Description
The Okta connector uses the Okta Management REST API to discover user accounts, groups, and group memberships in an Okta organisation. Authentication uses an Okta SSWS API token — no OAuth flow is required. Pagination follows Okta's Link header (rel="next") pattern.
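The following is an added example (not OrbisID's connector code) showing the two mechanics the description names: an `Authorization: SSWS <token>` header on every request, and walking `rel="next"` links from the `Link` header until the last page. HTTP is abstracted behind a `fetch` callable so the example runs offline against a constructed fake tenant; the domain `example.okta.com`, the token value and all user/group IDs are constructed, and `discover` is a hypothetical name, not an OrbisID function. It also refuses a `system.hostname` that is a URL rather than a bare domain, which the troubleshooting table below calls out as a cause of empty results.

```python
"""Minimal Okta user/group enumerator: SSWS auth plus Link-header pagination.

Added example, not OrbisID's connector. Standard library only; HTTP is behind
a `fetch` callable so it runs offline against a constructed fake tenant.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed response shape: (status_code, headers, json_body), not a real HTTP library.
Response = Tuple[int, Dict[str, str], list]
Fetch = Callable[[str, Dict[str, str]], Response]

# Okta sends e.g.: <https://x/api/v1/users?limit=200>; rel="self", <https://x/...?after=abc>; rel="next"
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


def next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from an Okta Link header, or None on the last page."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


def base_url(hostname: str) -> str:
    """Build the API base URL; system.hostname must be a bare domain, not a URL."""
    if "://" in hostname or "/" in hostname:
        raise ValueError("hostname must be a bare Okta domain such as company.okta.com")
    return f"https://{hostname}"


def paginate(fetch: Fetch, url: str, token: str) -> List[dict]:
    """Follow rel="next" links until exhausted, collecting every JSON item."""
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    items: List[dict] = []
    while url:
        status, resp_headers, body = fetch(url, headers)
        if status == 401:
            raise PermissionError("Okta API authentication failed: invalid or expired token")
        if status == 403:
            raise PermissionError("Okta API access denied: token lacks required permissions")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} from {url}")
        items.extend(body)
        url = next_link(resp_headers.get("Link"))
    return items


def discover(fetch: Fetch, hostname: str, token: str) -> dict:
    """Users (with status), groups (with type) and group memberships, as in the table above."""
    base = base_url(hostname)
    users = paginate(fetch, f"{base}/api/v1/users", token)
    groups = paginate(fetch, f"{base}/api/v1/groups", token)
    memberships = {
        g["id"]: [u["id"] for u in paginate(fetch, f"{base}/api/v1/groups/{g['id']}/users", token)]
        for g in groups
    }
    return {
        "users": {u["id"]: u["status"] for u in users},
        "groups": {g["id"]: g["type"] for g in groups},
        "memberships": memberships,
    }


# ---- constructed fake tenant so the example runs offline ----
_U = "https://example.okta.com/api/v1/users"
_G = "https://example.okta.com/api/v1/groups"
FAKE_TENANT = {  # url -> (page body, next-page url or None)
    _U: ([{"id": "00u1", "status": "ACTIVE"}, {"id": "00u2", "status": "SUSPENDED"}], f"{_U}?after=00u2"),
    f"{_U}?after=00u2": ([{"id": "00u3", "status": "DEPROVISIONED"}], None),
    _G: ([{"id": "00g1", "type": "OKTA_GROUP"}, {"id": "00g2", "type": "BUILT_IN"}], None),
    f"{_G}/00g1/users": ([{"id": "00u1"}, {"id": "00u3"}], None),
    f"{_G}/00g2/users": ([{"id": "00u1"}, {"id": "00u2"}, {"id": "00u3"}], None),
}
VALID_TOKEN = "00constructed-token-value"  # constructed placeholder, not a real token


def fake_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed transport: checks the SSWS header and emits self/next Link headers."""
    if headers.get("Authorization") != f"SSWS {VALID_TOKEN}":
        return 401, {}, []
    body, nxt = FAKE_TENANT[url]
    link = f'<{url}>; rel="self"' + (f', <{nxt}>; rel="next"' if nxt else "")
    return 200, {"Link": link}, body


if __name__ == "__main__":
    print(discover(fake_fetch, "example.okta.com", VALID_TOKEN))
```

To use it against a real tenant, replace `fake_fetch` with a function that performs the HTTPS GET and returns the same `(status, headers, body)` triple; the pagination and error mapping stay unchanged.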
System Type Classification
| Field | Value |
|---|---|
| System Type | Directory Service |
| Default Scan Priority | 10 (scanned first) |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| Okta Management REST API (HTTPS) | 443 TCP | SSWS token authentication |
What OrbisID Discovers
| Data | Source |
|---|---|
| User accounts | GET /api/v1/users (all statuses) |
| User status | status field (ACTIVE, SUSPENDED, DEPROVISIONED, etc.) |
| Groups | GET /api/v1/groups (all types) |
| Group memberships | GET /api/v1/groups/{id}/users |
| Group type | OKTA_GROUP, APP_GROUP, BUILT_IN — recorded as entitlement type |
Connection Requirements
Okta API Token
Create an API token in the Okta Admin Console under Security → API → Tokens. The token inherits the permissions of the admin user who created it.
The token must be created by an admin with at minimum:
- Read Users permission — to list users and their profiles
- Read Groups permission — to list groups and group memberships
Recommended: Create a dedicated read-only admin account (e.g., orbisid-scanner@company.com) with the minimum required admin role and generate the API token from that account.
Credential Mapping
| OrbisID Field | Okta Value |
|---|---|
| credential.password | Okta SSWS API token (the full 00... string) |
| system.hostname | Okta domain (e.g., company.okta.com) |
Network Requirements
The OrbisID server (or On-Premise Agent) must have outbound HTTPS access to https://<company>.okta.com on port 443.
Configuration Steps
- Log in to the Okta Admin Console with a read-only admin account
- Navigate to Security → API → Tokens → Create Token
- Give the token a name (e.g., OrbisID Scanner) and copy the token value
- Create a Credential in OrbisID:
  - Username: (leave blank or use the admin email for reference)
  - Password: The Okta API token
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., Okta – company.okta.com) |
| Hostname | Your Okta domain (e.g., company.okta.com) |
| OS Type | Okta |
| System Type | Directory Service |
| Credential | The API token credential |
- Click Test Connection to verify the API token
- Click Save
For Okta preview sandbox environments, set the hostname to your preview domain (e.g., company.oktapreview.com).
Okta API tokens expire after 30 days of inactivity. Set a calendar reminder to refresh the token before it expires to avoid scan failures.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Okta API authentication failed | Invalid or expired API token | Regenerate the API token in the Okta Admin Console |
| Okta API access denied (403) | Token lacks required permissions | Verify the admin role has Read Users and Read Groups permissions |
| No users returned | Hostname incorrect | Ensure system.hostname is set to the correct Okta domain (not a URL) |
| Some groups missing members | Rate limiting on group member calls | Large Okta tenants may hit rate limits; OrbisID does not currently implement rate-limit backoff — contact support |
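Because the connector does not back off when a large tenant trips Okta's per-endpoint limits, anyone scripting around the gap (or reproducing the symptom) needs to know what the throttling looks like. The wrapper below is an added example, not OrbisID code: Okta answers a throttled call with HTTP 429 and an `X-Rate-Limit-Reset` header giving the epoch second at which the window reopens, so the wrapper sleeps until then and retries, giving up after a bounded number of attempts. The clock and sleep are injectable, and `ThrottledFake` is a constructed transport, so the example runs offline.

```python
"""Rate-limit-aware request wrapper for Okta's 429 responses.

Added example, not OrbisID code. Okta signals throttling with HTTP 429 and
X-Rate-Limit-Reset (epoch seconds when the window resets). `now` and `sleep`
are injectable so the example runs offline against a constructed fake.
"""
import time
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], object]  # constructed shape, not a real HTTP library
Fetch = Callable[[str, Dict[str, str]], Response]


def request_with_backoff(fetch: Fetch, url: str, headers: Dict[str, str],
                         max_attempts: int = 3,
                         now: Callable[[], float] = time.time,
                         sleep: Callable[[float], None] = time.sleep) -> Response:
    """Retry a call while Okta returns 429, sleeping until X-Rate-Limit-Reset."""
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, body = fetch(url, headers)
        if status != 429:
            return status, resp_headers, body
        if attempt == max_attempts:
            raise RuntimeError(f"rate limited {max_attempts} times on {url}; giving up")
        # Reset time is absolute; fall back to a one-second wait if the header is absent.
        reset_at = float(resp_headers.get("X-Rate-Limit-Reset", now() + 1))
        # Sleep until the window resets plus a small margin, never a negative duration.
        sleep(max(0.0, reset_at - now()) + 0.5)
    raise AssertionError("unreachable")


class ThrottledFake:
    """Constructed transport: the first `throttle` calls return 429, then 200."""

    def __init__(self, throttle: int = 1, reset_at: float = 1000.0):
        self.remaining = throttle
        self.reset_at = reset_at
        self.calls = 0

    def __call__(self, url: str, headers: Dict[str, str]) -> Response:
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            return 429, {"X-Rate-Limit-Remaining": "0",
                         "X-Rate-Limit-Reset": str(int(self.reset_at))}, {"errorSummary": "constructed"}
        return 200, {"X-Rate-Limit-Remaining": "599"}, [{"id": "00u1"}]


def demo() -> tuple:
    """Two throttled responses, then success; returns (status, body, calls made, sleeps requested)."""
    fake = ThrottledFake(throttle=2, reset_at=1000.0)
    slept = []
    status, _, body = request_with_backoff(
        fake, "https://example.okta.com/api/v1/groups/00g1/users", {},
        now=lambda: 998.0, sleep=slept.append)
    return status, body, fake.calls, slept


if __name__ == "__main__":
    print(demo())
```

The per-endpoint limits and the exact header names are Okta's; the retry policy (sleep to reset, three attempts) is this example's own choice and should be tuned to the tenant's limits and the scan window.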