Overview

Okta provides cloud software that helps companies manage and secure user authentication into applications, and that lets developers build identity controls into applications, websites, web services, and devices.

Entitle populates the following resource types in the Okta connections:

  • Groups
  • Users
  • Managers (optional)

Entitle integrates with Okta through a couple of different methods, one of them being as an IdP that supplies users and organization directory information, as described on this page. You can set up Entra ID as an Identity Provider (IdP), the source of truth for Entitle users, groups, and organizational structure, using the instructions below.

This page will provide you with instructions on how to connect Entitle and Okta as an IdP.

General guidelines

Note: In case you have already integrated Okta as an application with Entitle using this guide, you can go directly to the Set up in Entitle section.

Set up Okta to work with Entitle

If you want to create the token for the Partial functionality option, make sure the token's Admin Role setting is configured with the Group Membership Admin and Report Admin roles.

Stage 1: Create a new app integration

  1. On your Okta admin panel, in the left-hand menu, click the Applications tab and choose Applications. Then click Create App Integration.

  2. In the pop-up screen that appears, select the API Services option and click Next.

  3. In the App integration name field, choose a name for the app and click Save.

  4. Under Client Credentials, click the Copy button next to the Client ID and keep it for later.

  5. Then on the same page, click the Edit button right above the Copy button.

Stage 2: Generate a new key

  1. Under the Client authentication section, choose the Public key/Private key option.

  2. Under Public Keys, do not change the default option in the Configuration section. Then, click the Add Key button below it.

  3. Click Generate new key. You should see your private key displayed on the screen.

  4. Under the Private key section, click Copy to clipboard and click Done.

  5. Click Save and then Save again to acknowledge the notice.

Stage 3: Disable Proof of Possession

In the General Settings section below, make sure Proof of Possession is not checked, and click Save.

Stage 4: Grant permissions

  1. Click the Okta API Scopes tab.

  2. Click Grant and then Grant Access for the following API scopes:

     • okta.users.read
     • okta.users.manage
     • okta.groups.manage
     • okta.groups.read

  3. If you wish to manage admin roles as well, also grant the following scopes:

     • okta.roles.manage
     • okta.roles.read

  4. If you wish to manage application assignments as well, also grant the following scopes:

     • okta.apps.read
     • okta.apps.manage

Stage 5: Grant admin roles

  1. In the Application section, click the Admin Roles tab.
  2. Click the Edit assignments button on the right-hand side.
  3. Add the Group Membership Administrator assignment, and click the Save Changes button.

Add the admin role assignments that match the scopes you chose.

Connecting your IdP in Entitle

All that is left to do is connect your IdP to the Entitle application.

  1. Log into Entitle and navigate to the Org Settings page.

  2. Under the Connect To section, navigate to the Okta option, and click Connect.

  3. In the pop-up window Configure Okta, fill in the required details:

  • Display Name of your choice.
  • JWK - the new private key you created earlier.
  • Client ID - the client ID you copied earlier.
  • Organization URL - your Okta tenant's URL.
    Note: Do not paste your Okta tenant's management URL in this field.
  • In case you wish to add managers’ approval as a part of the approval process of Access Requests or to select managers as the User Access Review reviewers:
    • In the Manager Email Field Name, add the attribute that refers to the manager's email address.
    • Check the Use as direct manager source checkbox.
  • Finally, don’t forget to set the Save on field with your configuration, i.e. your own hosted agent or Entitle’s cloud. Click Save.
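Before clicking Save, it is worth sanity-checking the values you are about to paste. The following pre-flight checks are an added example, not Entitle's or Okta's code: they confirm the JWK is the private key from Stage 2 (a public key has no "d" member), that the Organization URL is the tenant origin rather than the admin console (assumption: Okta admin consoles use a "<tenant>-admin.<domain>" host), and that the scopes granted in Stage 4 are exactly the ones your chosen features need, no more and no fewer.

```python
import json
from urllib.parse import urlparse

# Scopes from Stage 4, grouped by the optional feature that needs them.
BASE_SCOPES = {"okta.users.read", "okta.users.manage",
               "okta.groups.read", "okta.groups.manage"}
ROLE_SCOPES = {"okta.roles.read", "okta.roles.manage"}
APP_SCOPES = {"okta.apps.read", "okta.apps.manage"}


def required_scopes(manage_roles=False, manage_apps=False):
    """Smallest scope set that covers the features you actually enabled."""
    need = set(BASE_SCOPES)
    if manage_roles:
        need |= ROLE_SCOPES
    if manage_apps:
        need |= APP_SCOPES
    return need


def check_scopes(granted, manage_roles=False, manage_apps=False):
    """Report scopes still missing and scopes granted beyond what is needed."""
    need = required_scopes(manage_roles, manage_apps)
    return {"missing": sorted(need - set(granted)),
            "excess": sorted(set(granted) - need)}


def check_jwk(jwk_json):
    """Return problems with the pasted key; an empty list means it looks right."""
    try:
        jwk = json.loads(jwk_json)
    except ValueError:
        return ["JWK field is not valid JSON"]
    problems = []
    if jwk.get("kty") != "RSA":
        problems.append("expected an RSA key (kty=RSA)")
    if "d" not in jwk:  # the private exponent only exists in the private key
        problems.append("no 'd' member: this is the public key, paste the private key")
    return problems


def check_org_url(url):
    """Catch the admin-console URL the guide warns against, and non-https origins."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append("Organization URL must use https")
    host = parsed.hostname or ""
    # Assumption: Okta admin consoles live on a "<tenant>-admin.<domain>" host.
    if "-admin." in host:
        problems.append("this is the admin console URL; paste the tenant URL instead")
    return problems
```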

Test your IdP connection

  1. After being redirected to the Org Settings page, you should see that Okta is now Connected.

  2. Within a few minutes, refresh your browser page and go to the Approval workflows screen, then click the New approval workflow button. You should now see that all the groups have been fetched, and you are done!