Skip to main content

Okta Profile Attribute Integration

This guide will show you how to deploy a webhook for Indent to communicate with for granting and revoking access, among other operations, to custom Okta Profile Attributes. This webhook can be run as an AWS Lambda.

There are direct code examples in the indentapis/examples repository. Take a look at the code that will run in these webhooks: terraform-aws-okta-profile-webhook

This page assumes that you or someone on your team has already completed the Quickstart. If you haven't already, we recommend you check it out - it should take 5 minutes.

Prerequisites

Overview

We're going to create a custom Okta User Profile attribute. Next, we'll manually import Indent Resources for each resource managed with a custom Okta User Profile Attribute, then set up automated change management. Currently, this webhook can only be deployed on AWS.

Step 0: Configure your cloud provider

Before getting started, let's get all the AWS-specific items ready:

Step 1: Create custom Okta Resources

Okta allows adding custom attributes to an Okta user profile. For example, if you need additional attributes to define each user's relationship to an internal system, you can add them to an Okta User Profile and they'll be represented as a new field for every user. Here's how to add a new attribute to your user profiles:

  1. Sign into your Okta Dashboard
  2. In the Admin Console, go to "Directory," and click "Profile Editor."
  3. Click "Okta" in the Filters list.
  4. For Okta User (default), click "Profile."
  5. Click "+Add Attribute"
    • Under "Data type," select "string array"
    • Under "Display name," enter the name of your new attribute
    • Under "Variable name" enter a corresponding name for your attribute. This is the name the Indent Webhook uses to interact with your custom attribute
    • Under "Description," enter a description for your attribute
    • Save once you've completed these fields

Step 2: Deploy the change webhook

Download the example:

curl https://codeload.github.com/indentapis/examples/tar.gz/main | tar -xz --strip=3 examples-main/webhooks/change/terraform-aws-okta-profile-webhook
cd terraform-aws-okta-profile-webhook

Follow the instructions in the README to complete the deployment process then save the new webhook in your Indent Policies.

Step 3: Configure your Indent policies

  1. Open the "Access Request Rules" section and navigate to the rules for your new resource.
  2. Configure the approvers for granting access to your custom Okta Profile Attribute.

Step 4: Make a test request

  1. Go to Request Access.
  2. Select your Profile Attribute from the dropdown and enter a reason for access.
  3. Once access is approved, check your Okta User Profile to confirm the attribute was updated.

Congrats! You've just configured requesting and managing custom Okta Profile Attribute access with Indent.


Import resources manually

  1. Sign into your Indent Space.
  2. Go to your Resources.
  3. Click "New" and create a new Resource:
    • Under Resource Kind, type in the Kind you want to use, e.g. example.v1.Customer
      • Use the same value for every resource you want to manage
    • Enter a name for your Resource
    • Enter a unique identifier for your Resource, this should be the value you use to identify the resource with Okta
    • Add these labels to your Resource:
      • key the Indent webhook uses this label to find your Okta Profile Attribute, e.g. okta/userProfileAttribute/id
        • Use the "Variable name" from Step 1 as the value
      • value the Indent webhook uses this label to update the value in your Okta Profile Attribute, e.g. okta/userProfileAttribute/value
        • If the Resource ID you set is different than the value you want to update for your Okta users, use that value. If this label isn't set, it will default to the ID of the Resource.
  4. Note down these values for use with the deployment steps.

Example Resource

Resource C123456