Managing identity with Okta

This page describes how to integrate Okta with Indent. Identity providers serve as the authentication database of Indent. They can come with essential security features like single sign-on, two-factor authentication, lifecycle management or access gateways to secure the everyday chore of logging into apps.

Installation

  1. Sign into the Indent space.
  2. Follow the instructions for the Okta Groups webhook integration.
  3. Finish onboarding your team onto Indent.

Configuring Okta

Creating an Okta service account

  1. Go to your Okta tenant, e.g. example.okta.com (replace example with your sub-domain).
  2. Create a new Okta User called "Indent Access Manager" using the email address.
  3. In Okta Admin, go to Security → Administrators → Add Administrator.

Group-based admin permission

  1. Create a new Okta Group and give it a memorable name like "Indent Access Manager Group."
  2. Add the service account user you created in the previous step.
  3. In Okta Admin, go to Security → Administrators → Add Administrator Group, then select the group you created.

Required permissions

  • In order to pull updates about users and groups, the Indent service account needs the "Read Only Administrator" role.
  • In order to make changes to user membership in groups, the Indent service account needs the "Group Administrator" role. This can be restricted to specific groups through the "Can administer specific groups only" option. If one of the administered groups grants an admin role such as "Application Administrator", the service account will need those roles as well.

Authenticating with Okta

Indent's Okta integration supports two ways of authenticating to the Okta API: an Admin API Token or an Okta Service App.

Option 1: Account with API token

You can create an Okta Admin API token to use with the Okta + Indent webhook integration.

For production deployments, we recommend creating a service account to keep the Okta System Log accurate about what is actually making the changes.

Prerequisites

  • Okta Account
  • Okta Domain
  1. Go to your Okta domain, e.g. example.okta.com and log in as an Administrator.
  2. Navigate to Security → API and click "Create Token".
  3. Save your token securely; you won't be able to view it again after the creation step.

Option 2: Service App with API scopes

You can create a dedicated Okta Service App to communicate with the Okta API. Each time an integration is triggered to apply changes or pull updates, it will use the app's private key to sign a new bearer token to use with the Okta API.

Prerequisites

  • Okta Account
  • Okta Domain
  • Okta Admin API token (only for setup)
  • curl or another method to programmatically make HTTP requests, like Postman

Create the Service App

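  1. Create a public/private key pair. The key has specific requirements: it must be an RSA key of at least 2048 bits, used with the RS256 signing algorithm.

     require 'openssl'
     require 'json/jwt'  # json-jwt gem: adds to_jwk to OpenSSL keys
     # Generate a 2048-bit RSA key pair
     rsa_private = OpenSSL::PKey::RSA.generate 2048
     # Store the private key readable by the current user only
     File.write('./private.pem', rsa_private.to_pem, perm: 0o600)
     # Print the public key as a JSON Web Key for the "jwks" field of the next step
     puts rsa_private.public_key.to_jwk.to_json
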
  2. Create the service app by sending a POST request to your Okta Domain's /oauth2/v1/clients endpoint.
    • Include these elements in the body:
      • client_name: name of your service app
      • grant_types: client_credentials
      • token_endpoint_auth_method: private_key_jwt
      • application_type: service
      • jwks: include your JSON Web Key
    • Note down the value for client_credentials in the Okta API's response and save the credential for use with Indent.

     # Set yourOktaDomain and api_token as shell variables first; the double
     # quotes let the shell expand them (single quotes would send them literally).
     curl --location --request POST "https://${yourOktaDomain}/oauth2/v1/clients" \
       --header 'Accept: application/json' \
       --header 'Content-Type: application/json' \
       --header "Authorization: SSWS ${api_token}" \
       --data-raw '{
         "client_name": "Indent Service App",
         "response_types": ["token"],
         "grant_types": ["client_credentials"],
         "token_endpoint_auth_method": "private_key_jwt",
         "application_type": "service",
         "jwks": {
           "keys": [
             {
               "kty": "RSA",
               "e": "AQAB",
               "use": "sig",
               "kid": "<REPLACE>",
               "alg": "RS256",
               "n": "<REPLACE>"
             }
           ]
         }
       }'

Grant Service App Scopes

  1. Go to your Okta tenant, e.g. example-admin.okta.com — replace example with your sub-domain
  2. Click Applications in the sidebar.
  3. You should see your newly created Service App in the list of Applications. Click on it.
  4. Click Okta API Scopes to see all the available scopes.
  5. Grant your newly created app the following scopes:
    • okta.groups.manage: Indent uses this to automatically perform change management on your Okta Groups.
    • okta.users.manage: Indent uses this to automatically update user profile attributes.

Use the Service App with Indent

Once you've created your Service App you can use your new credentials with Indent instead of an Okta Admin API token.

Use your RSA Key and Okta Service App Client Credential with these webhooks during setup:

Instead of passing an OKTA_TOKEN environment variable to your webhook, you can now pass in OKTA_CLIENT_ID and OKTA_PRIVATE_KEY from the earlier steps.
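
The token exchange described under Option 2, as an added example (not Indent's own code): it signs a short-lived client assertion with the app's private key, builds the form body for the /oauth2/v1/token request, and verifies the signature with the public key alone. The claim layout follows the standard OAuth 2.0 JWT client-assertion profile (RFC 7523); the client ID, domain and throwaway key are constructed placeholders, and the helper names are hypothetical.

```ruby
require 'openssl'
require 'json'
require 'securerandom'
require 'uri'

# base64url without padding, as used for JWT segments (core pack/unpack only)
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(text)
  text.tr('-_', '+/').unpack1('m')
end

# Sign a short-lived, single-use client assertion (private_key_jwt, RS256).
def client_assertion(client_id:, okta_domain:, private_key:, ttl: 300, now: Time.now.to_i)
  header = { alg: 'RS256', typ: 'JWT' }
  claims = {
    iss: client_id, sub: client_id,                 # the service app identifies itself
    aud: "https://#{okta_domain}/oauth2/v1/token",  # binds the assertion to one token endpoint
    iat: now, exp: now + ttl,                       # short lifetime limits replay of a leaked JWT
    jti: SecureRandom.uuid                          # unique ID so the server can reject reuse
  }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Form body for the token request; only the signed assertion crosses the wire, never the key.
def token_request_body(assertion, scopes)
  URI.encode_www_form(
    grant_type: 'client_credentials',
    scope: scopes.join(' '),
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion
  )
end

# Verify the signature with the public key alone, as the server does with the registered JWK.
def assertion_valid?(assertion, public_key)
  head, body, sig = assertion.split('.')
  public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{head}.#{body}")
end

# Constructed sample values: throwaway key, placeholder client ID and domain.
SAMPLE_KEY = OpenSSL::PKey::RSA.generate(2048)
SAMPLE_JWT = client_assertion(client_id: '0oaEXAMPLEclientid', okta_domain: 'example.okta.com',
                              private_key: SAMPLE_KEY, now: 1_700_000_000)
SAMPLE_BODY = token_request_body(SAMPLE_JWT, %w[okta.groups.manage okta.users.manage])
```

Because each assertion carries its own jti and a short exp, a captured token request cannot be reused later, and rotating access means replacing the registered JWK rather than revoking a long-lived API token.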