
Okta Groups + Indent Webhook

This guide shows you how to create a webhook that Indent calls to grant and revoke access, among other operations, for a single Okta tenant. This webhook can be run as an AWS Lambda.

There are direct code examples in the indentapis/examples repository. Take a look at the code that will run in these webhooks:

This page assumes that you or someone on your team has already completed the Quickstart. If you haven't already, we recommend you check it out; it should take 5 minutes.

Prerequisites

Overview

We're going to pull Okta Groups into Indent (optionally, you can manually import groups) then set up automated change management.

Step 0: Configure your cloud provider

Before getting started, let's get all the AWS-specific items ready:

Step 1: Deploy the pull update webhook

  1. Sign in and select your Indent Space.
  2. Go to your Webhooks.
  3. Click "New" and create a new Webhook.
    • For "Kind of Webhook" select "Pull update"
    • For "Supported Kind of Resource" select "Okta Group" or type okta.v1.Group
    • Save the webhook and note down the signing secret for use in the deployment step
  4. Download the example:

     curl https://codeload.github.com/indentapis/examples/tar.gz/main | tar -xz --strip=3 examples-main/webhooks/pull/terraform-aws-okta-pull-webhook
     cd terraform-aws-okta-pull-webhook

Follow the instructions in the README to complete the deployment process.

Pull updates from Okta Groups

  1. Enter the HTTP endpoint of your deployed webhook in the "Webhook URL" field of your new Webhook.
  2. Save the new Webhook.
  3. Go to the Resources page, click the dropdown arrow next to "New", click "Pull Update", select "Okta Groups" in the modal then "Start Pulling Updates".

Now if you search for "okta group" on the Resources page, you should see your groups. Next, we're going to set up changing group membership automatically when access is granted or revoked.

Step 2: Deploy the change webhook

Download the example:

curl https://codeload.github.com/indentapis/examples/tar.gz/main | tar -xz --strip=3 examples-main/webhooks/change/terraform-aws-okta-webhook
cd terraform-aws-okta-webhook

Follow the instructions in the README to complete the deployment process, then save the new webhook in your Indent configuration.

Grant the service account permissions

The OKTA_TOKEN used in the webhook needs to have the Group Admin role for the relevant groups. If the imported groups would grant higher-level permissions (e.g. Read-Only Admin or Org Admin), this token also needs to have those permissions.
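
One way to check which imported groups would push OKTA_TOKEN beyond Group Admin, as an added example (not code from the Indent examples repository): it evaluates group role assignments in the shape returned by Okta's `GET /api/v1/groups/{groupId}/roles`. The function names, the `oktaDomain` parameter and the sample groups are assumptions constructed for illustration.

```javascript
// Added example (not from the Indent examples repo). Sample data is constructed.
// Okta role type names are from Okta's Roles API; USER_ADMIN is "Group Admin".

// Optional live lookup: role assignments for one group (Node 18+ global fetch).
// oktaDomain is an assumed parameter: the host name of your Okta tenant.
async function fetchGroupRoles(oktaDomain, oktaToken, groupId) {
  const url = `https://${oktaDomain}/api/v1/groups/${encodeURIComponent(groupId)}/roles`
  const res = await fetch(url, {
    headers: { Authorization: `SSWS ${oktaToken}`, Accept: 'application/json' },
  })
  if (!res.ok) throw new Error(`Okta returned ${res.status} for group ${groupId}`)
  return res.json()
}

// Report, per group, the active admin roles its membership confers, plus the
// union of role types the webhook token would need on top of Group Admin.
// Assumption: a group granting only USER_ADMIN adds nothing beyond Group Admin.
function auditGroups(groups, rolesByGroupId) {
  const extra = new Set()
  const perGroup = groups.map((g) => {
    const roles = (rolesByGroupId[g.id] || [])
      .filter((r) => r.status === 'ACTIVE') // ignore deactivated assignments
      .map((r) => r.type)
    roles.filter((t) => t !== 'USER_ADMIN').forEach((t) => extra.add(t))
    return { id: g.id, name: g.name, roles, grantsAdmin: roles.length > 0 }
  })
  return { perGroup, extraTokenRoles: [...extra].sort() }
}

// Constructed sample: three groups and their role assignments, keyed by group ID.
const SAMPLE_GROUPS = [
  { id: '00gEXAMPLE0000000001', name: 'eng-readonly-db' },
  { id: '00gEXAMPLE0000000002', name: 'it-auditors' },
  { id: '00gEXAMPLE0000000003', name: 'okta-org-admins' },
]
const SAMPLE_ROLES = {
  '00gEXAMPLE0000000002': [{ type: 'READ_ONLY_ADMIN', status: 'ACTIVE' }],
  '00gEXAMPLE0000000003': [
    { type: 'ORG_ADMIN', status: 'ACTIVE' },
    { type: 'HELP_DESK_ADMIN', status: 'INACTIVE' },
  ],
}

console.log(JSON.stringify(auditGroups(SAMPLE_GROUPS, SAMPLE_ROLES), null, 2))
```

Groups reported with `grantsAdmin: true` are the ones to review before import, since approving a request for them hands out an Okta admin role and widens what the token must hold.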

Step 3: Configure your Indent policies

  1. Open the "Access Request Rules" section and navigate to the rules for your new resource.
  2. Configure the approvers for granting access to your Okta Groups.

Step 4: Make a test request

  1. Go to Request Access.
  2. Select your Okta Group from the dropdown and enter a reason for access.
  3. Once the access is approved, check the group's page to confirm membership.

Congrats! You’ve just configured requesting and managing Okta Group access with Indent.


Import groups manually

  1. Sign in to your Indent Space.
  2. Go to your Resources.
  3. Click "New" and create a new Resource.
    • Under resource type, type in "okta.v1.Group"
    • Enter the name of your Okta Group.
    • Enter the ID of your Okta Group.
How do I get my group's ID?

  • Visit the Okta Admin page for the group.
  • Look at the last segment in the URL to get the ID.
  • Paste the ID for your group into the Indent Resource creation page.