Skip to main content

Managing identity with Okta

This page describes how to integrate Okta with Indent. Identity providrs serve as the authentication database of Indent. They can come with essential security features like single sign-on, two-factor authentication, lifecycle management or access gateways to secure the everyday chore of logging into apps.

Installation#

  1. Sign into the Indent space.
  2. Follow the instructions for the Okta Groups webhook integration.
  3. Finish onboarding your team onto Indent.

Okta Account Setup#

Creating an Okta service account#

  1. Go to your Okta tenant, e.g.​ example.okta.com​ — replace example with your sub-domain.
  2. Create a new Okta User called ​Indent Access Manager u​sing the email address.
  3. In Okta Admin, go to Security → Administrators → Add Administrator.

Group-based admin permission#

  1. Create a new Okta Group and give it a memorable name like "​Indent Access Manager Group."
  2. Add the service account user you created in the previous step.
  3. In Okta Admin, go to Security → Administrators → Add Administrator Group, then select the group you created.

Required permissions#

  • In order to pull updates about users and groups, the Indent service account needs the "Read Only Administrator" role.
  • In order to making changes to user membership in groups, the Indent service account needs the "Group Administrator" role. This can be restricted to specific groups through the "Can administer specific groups only" option. If one of the administered groups grants an admin role such as "Application Administrator", the service account will need those roles as well.

Authenticating with Okta#

Indent's Okta integration supports Admin API Token access and Service App Token access for use with the Okta API.

Option 1: Account with API token#

You can create an Okta Admin API token to use with Indent webhooks. For production deployments, we recommend creating a service account to keep the Okta System Log accurate about what is actually make the changes.

Prerequisites

  • Okta Account
  • Okta Domain
  1. Go to your Okta domain, e.g. example.okta.com and log in as an Administrator.
  2. Navigate to SecurityAPI and click "Create Token"
  3. Save your token securely, you won't be able to view it again after the creation step.

Option 2: Service App with API scopes#

You can create a dedicated Okta Service App to communicate with the Okta API. Each time an integration is triggered to apply changes or pull updates, it will use the app's private key to sign a new bearer token to use with the Okta API.

Prerequisites

  • Okta Account
  • Okta Domain
  • Okta Admin API token (only for setup)
  • curl or another method to programatically make HTTP requests like Postman

Create the Service App#

  1. Create a public/private encryption key pair. The key has specific requirements: at least 2048 bits of entropy and use RSA256 encryption.
require 'openssl'
require 'json/jwt'
rsa_private = OpenSSL::PKey::RSA.generate 2048
File.write('./private.pem', rsa_private.to_pem)
puts rsa_private.public_key.to_jwk
  1. Create the service app by sending a POST request to your Okta Domain's /oauth2/v1/clients endpoint
    • Include these elements in the body
      • client_name — name of your service app
      • grant_types $— client_credentials
      • token_endpoint_auth_methodprivate_key_jwt
      • application_typeservice
      • jwks — Include your JSON Web Key
    • Note down the value for client_credentials in the Okta API's response and save the credential for use with Indent
curl --location --request POST 'https://${yourOktaDomain}/oauth2/v1/clients' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS ${api_token}' \
--data-raw ' {
"client_name": "Indent Service App",
"response_types": ["token"],
"grant_types": ["client_credentials"],
"token_endpoint_auth_method": "private_key_jwt",
"application_type": "service",
"jwks": {
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "<REPLACE>",
"alg": "RS256",
"n": "<REPLACE>"
}
]
}
}
'

Grant Service App Scopes#

  1. Go to your Okta tenant, e.g. example-admin.okta.com — replace example with your sub-domain
  2. Click Applications in the sidebar.
  3. You should see your newly created Service App in the list of Applications. Click on it.
  4. Click Okta API Scopes to see all the available scopes.
  5. Grant your newly created app the following scopes:
    • okta.groups.manage — Indent uses this to automatically perform change management on your Okta Groups
    • okta.users.manage — Indent uses this to automatically update user profile attributes

Use the Service App with Indent#

Once you've created your Service App you can use your new credentials with Indent instead of an Okta Admin API token.

Use your RSA Key and Okta Service App Client Credential with these webhooks during setup:

Instead of passing an OKTA_TOKEN environment variable to your webhook, you can now pass in OKTA_CLIENT_ID and OKTA_PRIVATE_KEY from the earlier steps.