Okta access management

Overview

Okta provides cloud software that helps companies manage and secure user authentication into applications, and lets developers build identity controls into applications, websites, web services, and devices.

Entitle can manage the following resource types in Okta:

  • Group membership – groups
  • Custom roles – custom admin roles
  • Administrative roles – admin roles
  • Application assignments – apps

This page will provide you with instructions on how to integrate Entitle with Okta.

General guidelines

When Entitle is added to Okta as a Service App (an API Services app integration) using the Service App authentication option, Entitle authenticates to Okta with the OAuth 2.0 Client Credentials flow: it signs a short-lived JWT client assertion with the app's private key, and Okta returns an access token limited to the API scopes granted to the app. This is the recommended method and the most secure way to authenticate with Okta, because no long-lived API token has to be stored and every call is bounded by the granted scopes and by the admin roles assigned to the app.

There are two functionality levels, which determine the admin roles the service app needs:

  1. Full functionality – To use every feature Entitle provides, the Entitle service app must hold the Super Administrator role (assigned in Stage 5 below). Okta allows only Super Admins to manage users or groups that hold admin privileges.
  2. Partial functionality – The Group Membership Admin and Report Admin roles together enable basic functionality. With this option Entitle cannot grant or revoke admin roles, cannot read them, and cannot add users to groups that carry admin roles. To enable this option, set the is_super_admin option to false in the connection JSON.

You can further narrow what Entitle can do by granting only the API scopes (Stage 4) and admin roles (Stage 5) needed for the resource types you want it to manage, as described below.

Set up Okta to work with Entitle

If you are creating the token for the Partial functionality option, make sure the app's Admin Roles assignment (Stage 5) contains only the Group Membership Administrator and Report Administrator roles.

Stage 1: Create a new app integration

  1. In the Okta Admin Console, open Applications in the left-hand menu and choose Applications.

  2. Click Create App Integration.

  3. In the dialog that appears, select API Services and click Next.

  4. In the App integration name field, enter a name for the app and click Save.

  5. Under Client Credentials, click Copy next to the Client ID and keep it for later.

  6. On the same page, click the Edit button just above the Copy button.

Stage 2: Generate a new key

  1. Under the Client authentication section, choose the Public key/Private key option.

  2. Under Public Keys, leave the default option in the Configuration section unchanged, then click the Add Key button below it.

  3. Click Generate new key. Your private key is displayed on the screen. Okta shows it only this once and cannot retrieve it later, so store it in a secret manager, never in a ticket, chat or repository.

  4. Under the Private key section, click Copy to clipboard and click Done. You will paste this key into the connection JSON when creating the integration in Entitle.

  5. Click Save, and then Save again to acknowledge the notice.

Stage 3: Disable Proof of Possession

In the General Settings section below, make sure the Proof of Possession option (Require Demonstrating Proof of Possession (DPoP) header in token requests) is not checked, and click Save. With DPoP disabled the access token is a plain bearer token, so the private key and anything that holds the token must stay confined to the Entitle agent or Entitle's cloud.

Stage 4: Grant permissions

  1. In the application's settings, open the Okta API Scopes tab.

  2. Click Grant, and then Grant Access, for each of the following API scopes:

     okta.users.read
     okta.users.manage
     okta.groups.read
     okta.groups.manage

  3. If you also want Entitle to manage admin roles, grant these scopes as well:

     okta.roles.read
     okta.roles.manage

  4. If you also want Entitle to manage application assignments, grant these scopes as well:

     okta.apps.read
     okta.apps.manage

Grant only the scopes that match the resource types you intend to manage; a scope that is granted but never used only widens the impact of a compromised key.

Stage 5: Grant admin roles

  1. In the application's settings, open the Admin Roles tab.
  2. Click the Edit assignments button on the right.
  3. Add the assignments that match the scopes you granted, then click Save Changes:
     1. If you want to manage Okta admin roles, assign the Entitle application to the Super Administrator role. Super Administrator covers the other roles below, so you can skip the rest of this stage and continue to Creating the integration in Entitle.
     2. If you want to manage Okta application assignments, assign the Entitle application to the Application Administrator role.
     3. If you want to manage Okta group membership, assign the Entitle application to the Group Membership Administrator role. For the Partial functionality option, also assign the Report Administrator role, as noted at the start of this section.

Add adequate assignments based on your chosen scopes
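Before moving on to Entitle, you can confirm that the app integration from Stages 1 to 5 works by minting the same kind of client assertion Entitle sends and exchanging it for a token yourself. The script below is an added example written for this page, not Entitle's or Okta's own code. It uses only the Python standard library, implements RS256 (RSA PKCS#1 v1.5 with SHA-256) directly on the JWK that Okta displayed in Stage 2, and assumes the key file path, client ID and org URL are given on the command line; without arguments it runs offline against a constructed toy key. The /oauth2/v1/token endpoint, the client assertion claims and the scope names are Okta's; the file and function names are illustrative.

```python
"""Dry run of the service-app login Entitle performs against Okta (added example for this page,
not Entitle's or Okta's code). Standard library only: RS256 is computed directly from the JWK
that Okta displayed in Stage 2.  Offline toy run:  python okta_service_app_check.py
Live run:  python okta_service_app_check.py key.json CLIENT_ID https://xxxxx.okta.com"""
import base64
import hashlib
import json
import secrets
import sys
import time
import urllib.parse
import urllib.request

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2 note 1
TOKEN_PATH = "/oauth2/v1/token"  # token endpoint of the Okta org authorization server
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_int(jwk, field):
    """Read a base64url big-endian integer field (n, e or d) of an RSA JWK."""
    return int.from_bytes(b64url_decode(jwk[field]), "big")

def emsa_pkcs1_v15(message, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer below the modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("RSA modulus too small for RS256")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(jwk, message):
    n, d = jwk_int(jwk, "n"), jwk_int(jwk, "d")
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15(message, k), d, n).to_bytes(k, "big")

def rs256_verify(jwk, message, signature):
    """Verify with the public half (n, e) only; handy for checking a key you pasted."""
    n, e = jwk_int(jwk, "n"), jwk_int(jwk, "e")
    k = (n.bit_length() + 7) // 8
    return len(signature) == k and pow(int.from_bytes(signature, "big"), e, n) == emsa_pkcs1_v15(message, k)

def build_client_assertion(jwk, client_id, org_url, now=None, lifetime=300):
    """RFC 7523 client assertion as Okta expects it: iss = sub = client ID, aud = the org's
    token endpoint, short lifetime, unique jti (Okta rejects a reused one)."""
    now = int(time.time()) if now is None else now
    # Okta's generated key carries a kid; sending it lets Okta pick the right registered key.
    header = {"alg": "RS256", "typ": "JWT", **({"kid": jwk["kid"]} if "kid" in jwk else {})}
    claims = {"iss": client_id, "sub": client_id, "aud": org_url.rstrip("/") + TOKEN_PATH,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_hex(16)}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url_encode(rs256_sign(jwk, signing_input.encode()))

def decode_jwt(token):
    """Split a compact JWT into (header, claims, signature bytes); no verification."""
    h, c, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s)

def token_request_body(assertion, scopes):
    """Form body of the client_credentials grant; each scope must have been granted in Stage 4."""
    return urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes),
                                   "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion})

def request_token(org_url, body):
    req = urllib.request.Request(org_url.rstrip("/") + TOKEN_PATH, data=body.encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

def toy_jwk():
    """Constructed TOY key for the offline run: n is a product of two Mersenne primes and is
    trivially factorable. Use it only to exercise this script, never with a real org."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    to_b64 = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "kid": "toy-key", "n": to_b64(n), "e": to_b64(e), "d": to_b64(d)}

if __name__ == "__main__":
    live = len(sys.argv) == 4
    if live:
        with open(sys.argv[1]) as f:
            jwk = json.load(f)
        client_id, org_url = sys.argv[2], sys.argv[3]
    else:  # hypothetical client ID and org URL for the offline dry run
        jwk, client_id, org_url = toy_jwk(), "0oaEXAMPLECLIENTID", "https://example.okta.com"
    assertion = build_client_assertion(jwk, client_id, org_url)
    signing_input, sig = assertion.rsplit(".", 1)
    # The public half must verify our own signature; if it does not, the pasted JWK is damaged.
    assert rs256_verify(jwk, signing_input.encode(), b64url_decode(sig)), "JWK fails self-verification"
    body = token_request_body(assertion, ["okta.users.read", "okta.groups.read"])
    if live:
        token = request_token(org_url, body)
        print("granted scopes:", token.get("scope"), "expires_in:", token.get("expires_in"))
    else:
        print("claims:", decode_jwt(assertion)[1], "\nPOST", org_url + TOKEN_PATH, body[:60] + "...")
```

A successful live run prints the scopes Okta actually granted and the token lifetime; request only scopes you granted in Stage 4, because an ungranted scope fails the whole request. If Okta rejects the assertion, the usual causes are a private key that does not match the one registered in Stage 2, a wrong aud (it must be the org URL, not the -admin URL, plus /oauth2/v1/token), or a clock skew that puts iat or exp outside what Okta accepts.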

Creating the integration in Entitle

All that is left is to create the integration in the Entitle application.

  1. Log into Entitle and navigate to the Integrations page.
  2. Click Add Integration, type Okta in the Application field, and under Connection choose the Service App option.
  3. Set the Save on field to where the connection should be stored and run from: your own hosted agent or Entitle's cloud.
  4. In the connection JSON, add the following information:
     • Private_key – the private key saved in Stage 2. Place each segment of the saved key between the double quotes of the corresponding segment.
     • Client_id – the client ID copied in Stage 1.
     • orgUrl – the base URL of your Okta org, including https:// (for example, https://xxxxx.okta.com; use the org URL, not the -admin URL of the Admin Console).
     • options – optional settings:
       • is_super_admin – set to false to use the Partial functionality option (Group Membership Admin and Report Admin roles instead of Super Administrator).
       • is_admin_roles_only – set to true to restrict Entitle to managing Admin Roles and Custom Admin Roles only (no group membership).
       • include_apps – controls whether Entitle manages application assignments (it is false in the example below); set it to true together with the okta.apps.read and okta.apps.manage scopes and the Application Administrator role from Stages 4 and 5.
       • include_role_constraints – set to true to have Entitle use Okta's "group constraints" feature to grant specific roles scoped to a particular group.
       • api_access_management – set to true if you have the API Access Management admin role in Okta and want Entitle to manage it.
  5. Configure the remaining required fields and click Save.

Example Connection JSON

{
    "Private_key": "OKTA_APP_PRIVATE_KEY",
    "Client_id": "OKTA_APP_CLIENT_ID",
    "orgUrl": "https://OKTA_TENANT_URL",
    "options": {
        "is_super_admin": true,
        "is_admin_roles_only": false,
        "include_apps": false,
        "include_role_constraints": true,
        "api_access_management": true
    }
}