
Okta Groups Integration

This guide shows you how to set up an integration between Indent and Okta. Once complete, you'll be able to grant access and create policies based on your existing Okta Groups.

Components

Note: This page assumes you completed the Indent Quickstart (5 min setup).

Configuration

This guide uses GitHub Actions and Terraform to deploy an Indent + Okta integration. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.

1. Cloning the repo

  • Click on the Use This Template button to clone the repo
  • In your new repo go to Settings → Secrets → Actions
  • Leave this tab open for adding secrets from the next steps

2. Configuring the S3 bucket

  • Go to AWS S3 and select an existing bucket or create a new one
    • Most of the default settings are good, but some recommended values are:
      • Name — easily identifiable name for the bucket, such as indent-deploy-state-123
      • Region — where you plan to deploy the Lambda, like us-west-2
      • Bucket versioning — if you want to have revisions of past deployments, otherwise pick disabled
      • Default encryption — enable for server-side encryption for deployment files
    • This integration currently assumes your region is us-west-2, and you want S3 encryption turned on. If you choose other settings, update your main.tf values accordingly.
  • In a new tab open main.tf from your GitHub repo, and change the empty value for backend to the name of your bucket. It looks like: bucket = ""

3. Configuring AWS credentials

  • Go to AWS IAM → Add Users and create a new user for deploys, such as indent-terraform-deployer
  • Configure the service account's access:
    • Credential type — select Access key - Programmatic access
    • Permissions — click Attach existing policies directly and select AdministratorAccess
    • Follow the prompts until the account is created
  • Add the resulting values as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to GitHub Secrets

4. Connecting to Okta

  • Sign in to your Okta organization as an admin
  • Click the Admin button located in the upper right
    • Open the upper right drop down menu by clicking your name
    • Copy the URL displayed there to your GitHub Secrets as OKTA_DOMAIN
  • Visit Security → API → Tokens on your Okta dashboard
    • Click the Create Token button, and copy the value to your GitHub Secrets as OKTA_TOKEN

The API token is great for an initial Okta + Indent setup. For a production deployment, it's recommended that you create a service app for a more robust integration with Okta.

5. Deploying

  • On your Indent dashboard go to Integrations → Catalog → Okta OR follow this link
    • Copy the webhook secret, and in a new tab add it to your GitHub Secrets as INDENT_WEBHOOK_SECRET
    • Leave this Okta integrations page open for the next step
  • From your repo navigate to GitHub Actions → The latest job → deploy.webhook, and follow the prompts to run the workflow
    • Click the new deploy.webhook, and copy the URL printed in the Terraform Output section
    • On your Indent + Okta integrations page, paste and save the URL you just copied

Using Indent + Okta Groups

Congrats! Your Okta integration is ready. You can test that everything is set correctly by navigating to your Integrations page, and clicking Pull from Integrations. On a successful pull, you will see new Okta Groups appear in your Resources list.

Now it's time to use Indent for requesting membership to an Okta group.

  1. Try visiting the request page on the Indent dashboard, or create a request in Slack
    • If you have the Slack integration set up, you can type /access or click the lightning bolt to submit a request
  2. On your Petitions page you should be able to see your request as part of a petition. Try clicking the petition to view more details.
    • From the petition details page, click the Review Petition button and follow the prompts

Once approved, you should be able to visit your Okta dashboard, and see yourself as a member of the Okta group you requested.

Summary

You added an Indent + Okta Groups integration. You're now able to approve secure, temporary access to Okta Groups.

Try adding an Indent + Tailscale integration for secure on-demand production access.

Questions

Where do I view the code I'm deploying?
There are direct code examples in the **[Indent APIs GitHub](https://github.com/indentapis/template-aws-lambda-okta)**. Take a look at the code that runs in these webhooks:
Where can I find a list of all of the secrets?

| Name | Description |
| --- | --- |
| INDENT_WEBHOOK_SECRET | Get this from the Indent Webhook you created while setting up your space |
| OKTA_DOMAIN | Your Okta Domain. This is your Okta URL like example.okta.com |
| OKTA_CLIENT_ID | Your Service App's Client ID. Get this from the Okta Admin Dashboard or from the Okta API Response value you got when setting up your app |
| OKTA_PRIVATE_KEY | The private RSA key you used to create your Service App |
| OKTA_SLACK_APP_ID | Your Okta Slack App ID. Go to Okta Admin Console → Applications → Select "Slack" and copy the value from the URL, e.g. 0oabcdefghijklmnop from example-admin.okta.com/admin/apps/slack/0oabcdefghijklmnop/ |
| AWS_REGION | The AWS Region where you want to deploy the webhooks |
| AWS_ACCESS_KEY_ID | Your Programmatic AWS Access Key ID |
| AWS_SECRET_ACCESS_KEY | Your Programmatic AWS Secret Access Key |
| AWS_SESSION_TOKEN | Optional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires |

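
A preflight check for the secrets named in this guide, run before the first deploy. This is an added example, not code from the Indent template: the function names are hypothetical, and it assumes OKTA_TOKEN and the OKTA_CLIENT_ID / OKTA_PRIVATE_KEY pair are alternative ways to authenticate to Okta.

```python
import re
from urllib.parse import urlparse

REQUIRED = ("INDENT_WEBHOOK_SECRET", "OKTA_DOMAIN",
            "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
SERVICE_APP = ("OKTA_CLIENT_ID", "OKTA_PRIVATE_KEY")  # assumed alternative to OKTA_TOKEN


def okta_host(value):
    """Return the bare host from 'example.okta.com' or a pasted URL."""
    value = value.strip()
    parsed = urlparse(value if "://" in value else "https://" + value)
    return (parsed.hostname or "").lower()


def slack_app_id(value):
    """Accept a bare app ID or the admin console URL it is copied from."""
    match = re.search(r"/admin/apps/slack/([0-9A-Za-z]+)", value)
    return match.group(1) if match else value.strip()


def preflight(secrets):
    """Return a list of problems in a dict of secret name -> value."""
    filled = {k: v for k, v in secrets.items() if v.strip()}
    problems = [f"{n} is missing or empty" for n in REQUIRED if n not in filled]
    if "OKTA_TOKEN" not in filled and not all(n in filled for n in SERVICE_APP):
        problems.append("set OKTA_TOKEN, or both OKTA_CLIENT_ID and OKTA_PRIVATE_KEY")
    host = okta_host(filled.get("OKTA_DOMAIN", ""))
    if "-admin." in host:
        problems.append(f"OKTA_DOMAIN host {host} is the admin console, not the org domain")
    app = filled.get("OKTA_SLACK_APP_ID", "")
    if app and slack_app_id(app) != app:
        problems.append(f"OKTA_SLACK_APP_ID should be only the ID {slack_app_id(app)}")
    for name, value in filled.items():
        # Multi-line keys legitimately end in a newline; single-line values should not.
        if name != "OKTA_PRIVATE_KEY" and value != value.strip():
            problems.append(f"{name} has leading or trailing whitespace")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"INDENT_WEBHOOK_SECRET": "constructed-secret\n",
              "OKTA_DOMAIN": "https://example-admin.okta.com",
              "OKTA_TOKEN": "constructed-token",
              "AWS_ACCESS_KEY_ID": "constructed-key-id",
              "AWS_SECRET_ACCESS_KEY": "constructed-secret-key"}
    for problem in preflight(sample):
        print("FAIL:", problem)
```
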
How do I redeploy the webhook?
The repo you created from a template auto-deploys to AWS when you push or merge PRs to the `main` branch. You can manually redeploy the webhooks by re-running the [latest GitHub Action job](https://docs.github.com/en/actions/managing-workflow-runs/re-running-workflows-and-jobs).
How do I ask for help?
If you have questions or need help with your integration, try chatting with [Indent Support](https://support.indent.com).