OKTA

Integrate an Okta account to sync your users and groups.

Apono automatically syncs your organizational users and groups when you integrate an organizational identity provider.

Overview

  • On-Demand Permissions: manage organizational users' on-demand access permissions to your cloud services or data repositories at a granular level.
  • Extended SSO: extend organizational authentication to infrastructure, applications and data repositories where you don't have SSO.
  • Approval Workflows: create approval-based or trigger-based Access Flows that grant organizational user groups the permissions they need.
  • Review User Access Permissions: view each organizational user's access permissions across the integrated applications and data sources.

Step By Step Integration

Apono's Okta integration provides an easy way to sync your Okta users and groups into Apono, so you can define policies on existing users and groups.

This integration creates an OAuth application inside your Okta organization with two OAuth scopes that allow Apono to read users and groups.

Prerequisites

Steps

Create API Token from the Okta Admin UI

  1. Log into your Okta organization with an admin user
  2. Go to Admin console (on the upper-right)
  3. On the left menu choose Security -> API
  4. Tokens -> Create Token

Get your organization id and base okta URL

  1. In the upper-right corner, click the user dropdown; the domain appears under the username. It should look like example.okta.com or example.oktapreview.com.
  2. Your organization id is the first label, i.e. example; the base URL is the rest, i.e. okta.com.

Run terraform integration

  1. Clone the Okta integration Terraform repo.
  2. cd into it.
  3. Run terraform init and terraform apply; apply prompts for the API token, org id and base URL.
  4. Terraform outputs two values, the app client id and the domain name; save them for the next step.
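The following script is an added example, not Apono's code and not part of the integration repo. It derives the org id and base URL from the domain shown under your username, rejects any domain that is not of the example.okta.com or example.oktapreview.com shape the steps describe, and runs the Terraform steps without typing the API token on the command line. The Terraform variable names (api_token, org_id, base_url) and output names (app_client_id, domain_name) are assumptions; check the repo's variables.tf and outputs.tf and rename them if they differ.

```shell
#!/bin/sh
# Added example, not Apono's own code or part of the integration repo.
# ASSUMPTIONS: Terraform variables api_token, org_id, base_url and outputs
# app_client_id, domain_name; confirm against the repo before use.

# example.oktapreview.com -> example
okta_org_id() {
  printf '%s\n' "${1%%.*}"
}

# example.oktapreview.com -> oktapreview.com
okta_base_url() {
  printf '%s\n' "${1#*.}"
}

# Accept exactly <org>.okta.com or <org>.oktapreview.com and nothing else,
# so a mistyped or custom domain is caught before the token is used.
okta_domain_ok() {
  case "$1" in
    *.*.*.*) return 1 ;;                                  # extra label
    [!.]*.okta.com|[!.]*.oktapreview.com) return 0 ;;
    *) return 1 ;;
  esac
}

# run_integration <okta domain> <file holding the API token> <cloned repo dir>
# The token is read from a file (keep it chmod 600) and handed to Terraform via
# TF_VAR_api_token, so it never appears on a command line, in shell history
# or in `ps` output.
run_integration() {
  domain=$1
  token_file=$2
  repo_dir=$3
  okta_domain_ok "$domain" || { echo "unexpected Okta domain: $domain" >&2; return 1; }
  [ -s "$token_file" ] || { echo "token file $token_file is missing or empty" >&2; return 1; }
  TF_VAR_org_id=$(okta_org_id "$domain")
  TF_VAR_base_url=$(okta_base_url "$domain")
  TF_VAR_api_token=$(cat "$token_file")
  export TF_VAR_org_id TF_VAR_base_url TF_VAR_api_token
  terraform -chdir="$repo_dir" init -input=false || return 1
  # Write a plan first so the resources about to be created (the OAuth app and
  # its two read scope grants) are visible before anything is applied.
  terraform -chdir="$repo_dir" plan -input=false -out=apono.tfplan || return 1
  terraform -chdir="$repo_dir" apply -input=false apono.tfplan || return 1
  # The saved plan embeds the variable values, token included: remove it.
  rm -f "$repo_dir/apono.tfplan"
  unset TF_VAR_api_token
  echo "app client id: $(terraform -chdir="$repo_dir" output -raw app_client_id)"
  echo "domain name:   $(terraform -chdir="$repo_dir" output -raw domain_name)"
}

# Usage: sh okta_apono.sh example.okta.com ./okta-token.txt ./okta-integration-repo
if [ $# -eq 3 ]; then
  run_integration "$@"
fi
```

The -chdir flag and output -raw need Terraform 0.14 or later. The plan file is deleted immediately after apply because Terraform stores variable values in it in plaintext, so leaving it in the working directory would leave a second copy of the API token on disk even after you delete the token in Okta.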

Create Okta integration

  1. Log into Apono
  2. Go to IDP integrations page, Settings -> IDPs
  3. Click Connect Okta
  4. Provide the app client id and domain name from previous step

You should see the new Okta integration within a few seconds.

Delete Okta API token

The API token is no longer needed, so delete it from your Okta organization to avoid leaving a standing credential in place.

Possible issues

  1. User doesn't have the right privileges: creating an OAuth application and granting it scopes requires super admin privileges, so either you must be a super admin yourself or your organization admin must create a token for you to use until the integration is complete.