Okta - AskJ1 Community
<main> <article class="userContent">
<h2 data-id="okta-jupiterone-integration-benefits">Okta + JupiterOne Integration Benefits</h2>
<ul>
<li><p>Visualize Okta users, groups, devices, applications, and services in the JupiterOne graph.</p></li>
<li><p>Map Okta users to employees in your JupiterOne account.</p></li>
<li><p>See Okta rules that automatically add users to groups. Write queries to determine which users were added via rules.</p></li>
<li><p>Monitor changes to Okta users and access management data using JupiterOne alerts.</p></li>
<li><p>Create an employee entity that is used to map users across your organization to an employee via a matching email property.</p></li>
</ul>
<h2 data-id="how-it-works">How it Works</h2>
<ul>
<li><p>JupiterOne periodically fetches Okta users, groups, user rules, and access management data to update the graph.</p></li>
<li><p>Write JupiterOne queries to review and monitor updates to the graph.</p></li>
<li>Configure alerts to take action when the JupiterOne graph changes.</li>
</ul>
<h2 data-id="requirements">Requirements</h2>
<ul>
<li><p>JupiterOne requires the organization URL and an API key to authenticate with Okta. You need permission to create an Admin user in Okta that will be used to <a rel="nofollow" href="https://developer.okta.com/docs/api/getting_started/getting_a_token">create the API key</a>.</p></li>
<li><p>You must have permission in JupiterOne to install new integrations.</p></li>
<li>JupiterOne pulls in information regarding whether or not Okta Support has access to a given account. This query currently requires the supplied token to have Super Administrator privileges, but it will be omitted, without failing the rest of the data ingestion, if a Read Only Administrator or Organization Administrator token is provided instead.</li>
</ul>
<h2 data-id="support">Support</h2>
<p>If you need help with this integration, please contact <a rel="nofollow" href="https://support.jupiterone.io">JupiterOne Support</a>.</p>
<h2 data-id="integration-walkthrough">Integration Walkthrough</h2>
<h3 data-id="in-okta">In Okta</h3>
<ol>
<li>Log in to Okta at <a href="https://yoursubdomain.okta.com" rel="nofollow">https://yoursubdomain.okta.com</a>, using an account with Admin privileges. It is important to note that the token inherits the privileges of the user that creates it: "API tokens are generated with the permissions of the user that created the token. If a user’s permissions change, then so does that of the token. Okta recommends generating API tokens from a service account with permissions that do not change."</li>
<li>Go to Admin mode by pressing the Admin button in the top right corner. You should now be at <a href="https://yoursubdomain-admin.okta.com" rel="nofollow">https://yoursubdomain-admin.okta.com</a>.</li>
<li>On the left-side menu, select Security, and then API.</li>
<li>On the screen which appears, select Tokens. You should now be at <a href="https://yoursubdomain-admin.okta.com/admin/access/api/tokens" rel="nofollow">https://yoursubdomain-admin.okta.com/admin/access/api/tokens</a>.</li>
<li>Press the Create Token button and name the token.</li>
<li>Copy the token value which appears to a safe location, because it will not be available after closing this screen. Note that, per the Okta website, "API tokens are valid for 30 days and automatically renew every time they are used with an API request. When a token has been inactive for more than 30 days it is revoked and cannot be used again. Tokens are also only valid if the user who created the token is also active."</li>
</ol>
<p>NOTE: JupiterOne pulls in information regarding whether or not Okta Support has access to a given account. This query currently requires the supplied token to have Super Administrator privileges, but it will be skipped, without failing the rest of the data ingestion, if a Read Only Administrator or Organization Administrator token is provided instead.</p>
<p>Additionally, fetching role information requires the supplied token to have Super Administrator privileges. If a Read Only Administrator or Organization Administrator token is provided instead, that step will fail, but all other ingestion steps will remain unaffected.</p>
<h3 data-id="in-jupiterone">In JupiterOne</h3>
<ol>
<li>From the top navigation of the J1 Search homepage, select <strong>Integrations</strong>.</li>
<li>Scroll to the <strong>Okta</strong> integration tile and click it.</li>
<li>Click the <strong>Add Configuration</strong> button and configure the following settings:</li>
</ol>
<ul>
<li><p>Enter the <strong>Account Name</strong> by which you'd like to identify this Okta account in JupiterOne. Ingested entities will have this value stored in <code class="code codeInline" spellcheck="false" tabindex="0">tag.AccountName</code> when <strong>Tag with Account Name</strong> is checked.</p></li>
<li><p>Enter a <strong>Description</strong> that will further assist your team when identifying the integration instance.</p></li>
<li><p>Select a <strong>Polling Interval</strong> that you feel is sufficient for your monitoring needs. You may leave this as <code class="code codeInline" spellcheck="false" tabindex="0">DISABLED</code> and manually execute the integration.</p></li>
<li><p>Enter the <strong>Organization URL</strong> unique to your Okta organization.</p></li>
<li>Enter the <strong>API Key</strong> used to authenticate with Okta.</li>
</ul>
<ol start="4">
<li>Click <strong>Create Configuration</strong> once all values are provided.</li>
</ol>
<h2 data-id="how-to-uninstall">How to Uninstall</h2>
<ol>
<li>From the top navigation of the J1 Search homepage, select <strong>Integrations</strong>.</li>
<li>Scroll to the <strong>Okta</strong> integration tile and click it.</li>
<li>Identify and click the <strong>integration to delete</strong>.</li>
<li>Click the <strong>trash can</strong> icon.</li>
<li>Click the <strong>Remove</strong> button to delete the integration.</li>
</ol>
<h2 data-id="tips">Tips</h2>
<p>All Okta users are automatically mapped to a <code class="code codeInline" spellcheck="false" tabindex="0">Person</code> entity as an employee. If you have service accounts or generic users in Okta, set their <code class="code codeInline" spellcheck="false" tabindex="0">userType</code> attribute to <code class="code codeInline" spellcheck="false" tabindex="0">generic</code>, <code class="code codeInline" spellcheck="false" tabindex="0">service</code>, or <code class="code codeInline" spellcheck="false" tabindex="0">bot</code> in the Okta user profile to skip this mapping.</p>
<p>This allows you to find non-interactive users with a query like:</p>
<pre class="code codeBlock" spellcheck="false" tabindex="0">Find User that !is Person</pre>
<p>For the following relationship:</p>
<table><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> <td><strong>CREATED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_application</code></td> </tr></tbody></table>
<p>we are using information found in Okta's System Logs. As a result, we are limited to the last 90 days available at time of execution. This limits how far back the integration can view this particular data; however, the relationship is set up so that existing relationships are not deleted when the creation event is no longer available in System Logs.</p>
<h2 data-id="okta-api-rate-limits">Okta API Rate Limits</h2>
<p><a rel="nofollow" href="https://developer.okta.com/docs/reference/rate-limits/">Okta API rate limits</a> are sophisticated, depending on a number of factors including the particular endpoint, organization-wide limits, and subscription level. Responses include a few headers to guide a system into conformance, and Okta will deliver <code class="code codeInline" spellcheck="false" tabindex="0">429</code> responses that indicate a backoff delay when the rate limits are exceeded. The integration is implemented to respect these <code class="code codeInline" spellcheck="false" tabindex="0">429</code> response directives by leveraging the API client provided by Okta.</p>
<p>The Okta integration currently ingests users, groups, applications, and MFA devices. The number of calls works out to be:</p>
<ul>
<li><code class="code codeInline" spellcheck="false" tabindex="0">((numUsers / 200) * listUsers) + (numUsers * (listFactors(user) + listGroups(user)))</code></li>
<li><code class="code codeInline" spellcheck="false" tabindex="0">listApplications + (numApplications * (listApplicationGroupAssignments(app) + listApplicationUsers(app)))</code></li>
</ul>
<h2 data-id="data-model">Data Model</h2>
<h3 data-id="entities">Entities</h3>
<p>The following entities are created:</p>
<table><thead><tr><th>Resources</th> <th>Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Entity <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> </tr></thead><tbody>
<tr><td>Okta Account</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_account</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Account</code></td> </tr>
<tr><td>Okta App UserGroup</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_app_user_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">UserGroup</code></td> </tr>
<tr><td>Okta Application</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_application</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Application</code></td> </tr>
<tr><td>Okta Factor Device</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">mfa_device</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Key</code>, <code class="code codeInline" spellcheck="false" tabindex="0">AccessKey</code></td> </tr>
<tr><td>Okta Role</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_role</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">AccessRole</code></td> </tr>
<tr><td>Okta Rule</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_rule</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Configuration</code></td> </tr>
<tr><td>Okta Service</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_service</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">Service</code>, <code class="code codeInline" spellcheck="false" tabindex="0">Control</code></td> </tr>
<tr><td>Okta User</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">User</code></td> </tr>
<tr><td>Okta UserGroup</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">UserGroup</code></td> </tr>
</tbody></table>
<h3 data-id="relationships">Relationships</h3>
<p>The following relationships are created:</p>
<table><thead><tr><th>Source Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> <th>Relationship <code class="code codeInline" spellcheck="false" tabindex="0">_class</code></th> <th>Target Entity <code class="code codeInline" spellcheck="false" tabindex="0">_type</code></th> </tr></thead><tbody>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_application</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user_group</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_rule</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_service</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_account</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user_group, okta_app_user_group</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_application</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user_group</code></td> <td><strong>HAS</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_rule</code></td> <td><strong>MANAGES</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user_group</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_application</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_iam_role</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">mfa_device</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_role</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user</code></td> <td><strong>CREATED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_application</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user_group</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_iam_role</code></td> </tr>
<tr><td><code class="code codeInline" spellcheck="false" tabindex="0">okta_user_group</code></td> <td><strong>ASSIGNED</strong></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">okta_role</code></td> </tr>
</tbody></table>
<p>NOTE: The <code class="code codeInline" spellcheck="false" tabindex="0">Service</code> entities can later be connected to security policy procedures as control providers. This mapping establishes evidence that your organization's security policies, procedures, and controls are fully implemented, monitored, and managed.</p>
</article> </main>
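The backoff behaviour and the per-run call count described in the Okta API Rate Limits section, worked through as an added example. This is not code from the JupiterOne integration or from Okta's API client. It assumes only what Okta documents: throttled requests come back as HTTP 429 with an `X-Rate-Limit-Reset` header (epoch seconds), and list endpoints page with a `Link: <url>; rel="next"` header. The fake transport, URLs and response bodies are constructed for the demo, and where the page's formula writes `numUsers / 200` the estimate rounds up, since a partial last page still costs a call.

```python
"""Okta-style rate-limit handling and per-run call estimate.

Added example, not code from the JupiterOne Okta integration or Okta's SDK.
Okta signals throttling with HTTP 429 plus X-Rate-Limit-Reset (epoch seconds)
and pages list endpoints with Link: <url>; rel="next". Everything else here
(URLs, bodies, the fake transport and clock) is constructed for the demo.
"""
import math
from typing import Callable, Dict, List, Optional, Tuple

PAGE_SIZE = 200  # the per-page list limit the page's formula divides by

Response = Tuple[int, Dict[str, str], List[dict]]  # (status, headers, body)


def estimate_calls(num_users: int, num_apps: int) -> int:
    """Calls per run, following the two formulas in the Rate Limits section."""
    list_users = math.ceil(num_users / PAGE_SIZE)  # paged listUsers
    per_user = num_users * 2        # listFactors(user) + listGroups(user)
    list_apps = 1                   # listApplications
    per_app = num_apps * 2          # group assignments + users, per app
    return list_users + per_user + list_apps + per_app


def parse_next_link(link_header: str) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None on the last page."""
    for part in link_header.split(","):
        segments = [s.strip() for s in part.split(";")]
        if len(segments) < 2 or not segments[0].startswith("<"):
            continue
        if any(s.replace(" ", "") in ('rel="next"', "rel=next") for s in segments[1:]):
            return segments[0].strip("<>")
    return None


class RateLimitedPager:
    """Walks a paginated list endpoint, sleeping through 429s instead of failing.

    `now` and `sleep` are injected so the backoff can be exercised offline.
    """

    def __init__(self, transport: Callable[[str], Response], now, sleep, max_retries: int = 5):
        self.transport, self.now, self.sleep = transport, now, sleep
        self.max_retries = max_retries
        self.attempts = 0   # every request made, throttled ones included
        self.slept = 0.0    # total seconds waited on X-Rate-Limit-Reset

    def _get_with_backoff(self, url: str) -> Response:
        for _ in range(self.max_retries + 1):
            self.attempts += 1
            status, headers, body = self.transport(url)
            if status != 429:
                return status, headers, body
            # Wait until the window resets (plus a small margin), then retry the same URL.
            reset_at = float(headers.get("X-Rate-Limit-Reset", self.now() + 1))
            delay = max(reset_at - self.now(), 0.0) + 0.1
            self.slept += delay
            self.sleep(delay)
        raise RuntimeError(f"still rate limited after {self.max_retries} retries: {url}")

    def fetch_all(self, url: str) -> List[dict]:
        items: List[dict] = []
        next_url: Optional[str] = url
        while next_url:
            _, headers, body = self._get_with_backoff(next_url)
            items.extend(body)
            next_url = parse_next_link(headers.get("Link", ""))
        return items


def make_demo_transport() -> Callable[[str], Response]:
    """Constructed fake Okta: page 1 succeeds, page 2 is throttled once, then succeeds."""
    base = "https://example.okta.invalid/api/v1/users?limit=200"  # constructed URL
    page2 = base + "&after=u2"
    pages: Dict[str, Response] = {
        base: (200, {"Link": f'<{page2}>; rel="next", <{base}>; rel="self"'},
               [{"id": "u1"}, {"id": "u2"}]),
        page2: (200, {}, [{"id": "u3"}]),
    }
    throttled = {"done": False}

    def transport(url: str) -> Response:
        if url == page2 and not throttled["done"]:
            throttled["done"] = True
            return 429, {"X-Rate-Limit-Remaining": "0", "X-Rate-Limit-Reset": "1000"}, []
        return pages[url]
    return transport


def run_demo() -> Tuple[List[str], int, float]:
    """Fetch all three constructed users; the fake clock starts 3 s before the reset."""
    clock = {"t": 997.0}
    def sleep(seconds: float) -> None: clock["t"] += seconds
    pager = RateLimitedPager(make_demo_transport(), now=lambda: clock["t"], sleep=sleep)
    users = pager.fetch_all("https://example.okta.invalid/api/v1/users?limit=200")
    return [u["id"] for u in users], pager.attempts, round(pager.slept, 1)


if __name__ == "__main__":
    print(run_demo())                # (['u1', 'u2', 'u3'], 3, 3.1)
    print(estimate_calls(1000, 50))  # 2106
```

The pager retries the same URL after sleeping rather than skipping the page, which is what keeps a throttled run complete instead of silently short; the injected clock lets the 429 path be tested without a real three-second wait.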