Okta

Visualize Okta users, groups, devices, applications, and services, map users to employees, and monitor changes through queries and alerts.

Installation guide

Installation

For this integration, you will need to create an API Token on Okta from an Okta account with admin permissions. Ensure that you are in admin-mode when creating the token by selecting the Admin button in the top right prior to creating the API Token.

note

Depending on the Okta account's admin role level, fetching role information requires the supplied token to have Super Administrator privileges. If Read Only Administrator or Organization Administrator are provided instead, the step will fail, but all other ingestion steps will remain unaffected.

Per the Okta documentation: API tokens are valid for 30 days and automatically renew every time they are used with an API request. When a token has been inactive for more than 30 days it is revoked and cannot be used again. Tokens are also only valid if the user who created the token is also active.

info

For additional information regarding Okta API tokens, see their documentation for more information.

Configuration in JupiterOne

To install the Okta integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Okta. Click New Instance to begin configuring your integration.

Creating a configuration requires the following:

• The Account Name used to identify the Okta account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when the AccountName toggle is enabled.

• Description to assist in identifying the integration instance, if desired.

• Polling Interval that you feel is sufficient for your monitoring needs. You may leave this as DISABLED and manually execute the integration.

• Enter the Organization URL unique to your Okta organization and your Okta API Key.

Click Create once all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Okta data model

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
Okta Account	okta_account	Account
Okta App UserGroup	okta_app_user_group	UserGroup
Okta Application	okta_application	Application
Okta Device	okta_device	Device
Okta Factor Device	mfa_device	Key, AccessKey
Okta Role	okta_role	AccessRole
Okta Rule	okta_rule	Configuration
Okta Service	okta_service	Service, Control
Okta User	okta_user	User
Okta UserGroup	okta_user_group	UserGroup

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
okta_account	HAS	okta_app_user_group
okta_account	HAS	okta_application
okta_account	HAS	okta_device
okta_account	HAS	okta_rule
okta_account	HAS	okta_service
okta_account	HAS	okta_user
okta_account	HAS	okta_user_group
okta_app_user_group	HAS	okta_user
okta_rule	MANAGES	okta_user_group
okta_user	ASSIGNED	aws_iam_role
okta_user	ASSIGNED	mfa_device
okta_user	ASSIGNED	okta_application
okta_user	CREATED	okta_application
okta_user	HAS	okta_device
okta_user	ASSIGNED	okta_role
okta_user_group	ASSIGNED	aws_iam_role
okta_user_group	ASSIGNED	okta_role
okta_user_group	HAS	okta_user
okta_user_group, okta_app_user_group	ASSIGNED	okta_application

Okta types

Okta Account

okta_account inherits from Account

Property	Type	Description	Specifications
accountId *	string
supportEnabled *	boolean
supportExpiresOn	number

---

Okta Service

okta_service inherits from Service, Control

Property	Type	Description	Specifications
controlDomain *	string		const: identity-access
category *	array of strings

---

Okta User

okta_user inherits from User

Property	Type	Description	Specifications
created	number
activated	number	Please use activatedOn instead	deprecated: true
activatedOn	number
statusChanged	number	Please use statusChangedOn instead	deprecated: true
statusChangedOn	number
lastLogin	number	Please use lastLoginOn instead	deprecated: true
lastLoginOn	number
lastUpdated	number	Please use lastUpdatedOn instead	deprecated: true
lastUpdatedOn	number	Please use updatedOn instead	deprecated: true
passwordChanged	number	Please use passwordChangedOn instead	deprecated: true
passwordChangedOn	number
memberOfGroupId *	undefined
hiredOn	number
terminatedOn	number
countryCode	string
verifiedEmails	array of strings		Format: email
unverifiedEmails	array of strings		Format: email

---

Okta User Group

okta_user_group inherits from UserGroup

Property	Type	Description	Specifications
created	number
lastUpdated	number	Please use updatedOn instead	deprecated: true
lastUpdatedOn	number	Please use updatedOn instead	deprecated: true
lastMembershipUpdated	number	Please use lastMembershipUpdatedOn instead	deprecated: true
lastMembershipUpdatedOn	number
objectClass	array of strings
type	string		APP_GROUP, BUILT_IN, OKTA_GROUP

---

Okta App User Group

okta_app_user_group inherits from UserGroup

Property	Type	Description	Specifications
created	number
lastUpdated	number	Please use updatedOn instead	deprecated: true
lastUpdatedOn	number	Please use updatedOn instead	deprecated: true
lastMembershipUpdated	number	Please use lastMembershipUpdatedOn instead	deprecated: true
lastMembershipUpdatedOn	number
objectClass	array of strings
type	string		APP_GROUP, BUILT_IN, OKTA_GROUP

---

Mfa Device

mfa_device inherits from Key, AccessKey

Property	Type	Description	Specifications
factorType	string		call, email, hotp, push, question, sms, token, token:hardware, token:hotp, token:software:totp, u2f, web, webauthn
provider	string		CUSTOM, DUO, FIDO, GOOGLE, OKTA, RSA, SYMANTEC, YUBICO
vendorName	string
device	string
status	string		active, inactive, pending_activation, disabled, enrolled, expired, not_setup
created	number	Please use createdOn instead	deprecated: true
lastUpdated	number	Please use updatedOn instead	deprecated: true
lastVerifiedOn	number
active	boolean
authenticatorName	string
platform	string
deviceType	string
credentialId	string
profileName	string

---

Okta Application

okta_application inherits from Application

Property	Type	Description	Specifications
shortName	string	Examples: aws, gcp
label	string
lastUpdated	number	Please use updatedOn instead	deprecated: true
created	number	Please use createdOn instead	deprecated: true
features	array of strings
signOnMode	string		AUTO_LOGIN, BASIC_AUTH, BOOKMARK, BROWSER_PLUGIN, OPENID_CONNECT, SAML_1_1, SAML_2_0, SECURE_PASSWORD_STORE, WS_FEDERATION
appVendorName	string	Human readable, capitalized vendor name Examples: Atlassian, Snyk
appAccountType	string | array
isMultiInstanceApp	boolean	True if one of: aws, githubcloud, gcp, google, office365
isSAMLApp	boolean	True if the application is a SAML application
imageUrl	string
loginUrl	string
signOnAttribute	array of strings

---

Okta Rule

okta_rule inherits from Configuration

Property	Type	Description	Specifications
ruleType	string	Examples: group_rule, policy_rule
status	string		active, inactive, invalid
created	number	Please use createdOn instead	deprecated: true
lastUpdated	number	Please use updatedOn instead	deprecated: true
lastUpdatedOn	number	Please use updatedOn instead	deprecated: true
conditions	string	JSON stringified object of conditions
actions	string	JSON stringified object of actions

---

Okta Role

okta_role inherits from AccessRole

Property	Type	Description	Specifications
roleType	string		API_ACCESS_MANAGEMENT_ADMIN, APP_ADMIN, GROUP_MEMBERSHIP_ADMIN, HELP_DESK_ADMIN, MOBILE_ADMIN, ORG_ADMIN, READ_ONLY_ADMIN, REPORT_ADMIN, SUPER_ADMIN, USER_ADMIN
status	string		active, inactive
active	boolean
lastUpdatedOn	number	Please use updatedOn instead	deprecated: true

---

Okta Device

okta_device inherits from Device

Property	Type	Description	Specifications
deviceStatus	string		active, created, deactivated, suspended
registered	boolean	Please use isRegistered instead	deprecated: true
isRegistered	boolean
platform	string

---