Okta Integration

Noga Tubi
Set up your Okta Cloud integration and get the insights in Torii's dashboard

 

 

Overview

Torii integrates with Okta and syncs:

  • Users list - All Okta users
  • User status - Staged, Provisioned, Active, Suspended
  • License - View who is licensed and who is not
  • Usage -
    • Torii presents the login usage for Okta users
    • Maps and presents 3rd party apps login
      • Users list per-app login - Note ❗ Users who have access to a 3rd party app but did not log in are not counted as part of the usage
      • The usage per app after login
  • Events
  • Multiple accounts - Torii supports and syncs multiple accounts
  • Actions - With Torii, you can create Okta "workflow" actions like creating/activating/deleting Okta users

Connect Okta to Torii

Okta integration consists of the following steps:

Step 1 - Create an API token

Step 2 - Get & connect Okta organization URL

Okta Scopes 

Torii requires the scopes below: one set to read Okta data, and an additional set if you want to perform actions on Okta directly from Torii.

Okta minimum scopes required for "Read-Only"

Required Scopes  Can access

okta.users.read

Okta scopes required to perform actions

Required Scopes  Available actions

okta.groups.read, okta.groups.manage
  • Add User to Groups
  • Remove User from Groups

okta.apps.manage

  • Assign User to Applications
  • Unassign User from Applications
  • Change User Password
  • Change User Profile
  • Create User
  • Activate User
  • Deactivate User
  • Delete User
  • Suspend User
  • Unsuspend User
  • Unlock User
  • Expire User Password
  • Reset User MFA
  • Reset User Password

Okta permissions required to sync events in real time

The Okta account must be connected using a Super admin API token.

See Okta documentation for more details

 

Step 1 - Create an API token

  1. Go to the Okta website and log in as an Administrator
  2. Follow the step-by-step instructions to create an API key
  3. Copy and save the key

Step 2 - Get, copy & connect Okta organization URL

  1. Go to the Integrations page
  2. Connect to Okta
  3. Select the permission: "Read" or "Read and Take action."
    Note that the "Read and Take action" permission is required to use Torii's Okta actions
  4. Copy your organization URL from Okta to the Torii Okta Organization URL field
  5. Paste the API Token 
  6. Click Connect
  7. The "Test Connection" window opens and runs the connection test.
    Click Connect to continue
  8. Once the integration is connected and synced, it will display a green checkbox

Usage

Once connected, Torii will retrieve and present the usage from the last 30 days and forward.

 

Events

Torii continuously monitors Okta events and updates data in Torii in real-time accordingly. The Okta events that Torii monitors are:

  • User was deleted
  • User was deactivated (and their status was changed to deprovisioned)

 

If you set Okta as the user lifecycle source of truth, the Offboarding To-Do list in Torii will be continuously updated based on the events above.

You can also leverage Torii's App Event workflow trigger to trigger automation based on the above events whenever an event happens in Okta.

💡 Note that Torii will automatically generate an event hook in your Okta admin console, subscribing to the two mentioned events. Any changes made to this subscription within Okta will not be reflected in Torii and could potentially interrupt event monitoring. We kindly request that you refrain from modifying it.
💡 Torii will only be able to monitor events if you have no more than 10 event hook subscriptions.
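
One way to check the two conditions in the notes above (the hook still subscribes to both events, and the org has no more than 10 event hooks) against the JSON returned by Okta's List Event Hooks endpoint (GET /api/v1/eventHooks). This is an added example, not Torii's code; the hook name hint, the mapping of the two events to Okta event types, and the sample listing are assumptions or constructed data.

```python
import json

# Assumption: the two events the article lists correspond to these Okta
# System Log event types; confirm against the hook Torii created in your org.
EXPECTED_EVENTS = {"user.lifecycle.delete.initiated", "user.lifecycle.deactivate"}
MAX_HOOKS = 10  # limit stated in the article


def audit_event_hooks(hooks, name_hint="torii"):
    """Return a list of findings for an Okta event hook listing.

    `hooks` is the parsed JSON array from GET /api/v1/eventHooks.
    `name_hint` is a hypothetical substring used to find Torii's hook by name.
    """
    findings = []
    if len(hooks) > MAX_HOOKS:
        findings.append(f"{len(hooks)} event hooks exceed the limit of {MAX_HOOKS}")
    torii = [h for h in hooks if name_hint.lower() in h.get("name", "").lower()]
    if not torii:
        findings.append("no event hook matching the Torii name hint")
    for hook in torii:
        label = f"{hook.get('name')} ({hook.get('id')})"
        if hook.get("status") != "ACTIVE":
            findings.append(f"{label}: status is {hook.get('status')}")
        subscribed = set(hook.get("events", {}).get("items", []))
        missing = EXPECTED_EVENTS - subscribed
        extra = subscribed - EXPECTED_EVENTS
        if missing:
            findings.append(f"{label}: missing {sorted(missing)}")
        if extra:
            findings.append(f"{label}: unexpected {sorted(extra)}")
    return findings


# Constructed sample listing (not real data): the hook was edited in Okta
# and lost one of its two subscriptions.
SAMPLE = json.loads("""
[
  {"id": "who-example-1", "name": "Torii event hook", "status": "ACTIVE",
   "events": {"type": "EVENT_TYPE", "items": ["user.lifecycle.deactivate"]}},
  {"id": "who-example-2", "name": "SIEM forwarder", "status": "ACTIVE",
   "events": {"type": "EVENT_TYPE", "items": ["user.session.start"]}}
]
""")

if __name__ == "__main__":
    for finding in audit_event_hooks(SAMPLE):
        print(finding)
```

An empty result means the hook matches what the notes describe; any finding is a reason to compare the hook in the Okta admin console with the integration status in Torii.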
 

 

Actions With Torii

With Torii, you can create Okta "workflow" actions like creating/activating/deleting Okta users.

Read more about workflows in the "Automate your SaaS Management" article.

Q&A

  • Q: On the Okta applications page, what is “role” referring to?
    A: We do not sync roles for Okta. Role is a standard column that appears in the in-app users' list. For some integrations, we sync roles, and for others, we do not.

 

  • Q: My Okta integration sync has failed with this error message: "The token does not have permission for reading the apps list." What can I do?
    A: This error might be due to the 'View the app and its details' scope missing in the permission list or the 'Applications' resource type being absent in the resource set obtained from the Okta Apps API. Please update the role permissions to include this scope and resource and the next sync should be successful.

 
