Skip to main content

Okta Groups + Indent

This guide will show you how to setup and integration between Indent and Okta. Once complete, you'll be able to apply policy based on your current Okta Groups.



This page assumes you completed the Indent Quickstart. (5 min setup)


This guide uses GitHub Actions and Terraform to deploy an Indent + Okta integration. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.

1. Cloning the repo#

  • Click on the Use This Template button to clone the repo
  • In the new repo go to Settings and then Secrets > Actions
  • Leave this tab open for the secrets you grab in the next steps

2. Configuring the S3 bucket#

  • Go to AWS S3 and check that you are pointed at the correct region, like us-west-2
  • Select an existing bucket or create a new one.
  • Select the settings given your environment:
    • Name โ€” easily identifiable name for the bucket, such as indent-deploy-state-123
    • Region โ€” where you plan to deploy the Lambda, like us-west-2
    • Bucket versioning โ€” if you want to have revisions of past deployments, otherwise pick disabled
    • Default encryption โ€” enable for server-side encryption for deployment files

3. Configuring AWS credentials#

  • Go to AWS IAM โ†’ New User and create a new user for deploys, such as indent-terraform-deployer
  • Configure the service account's access:
    • Credential type โ€” select Access key - Programmatic access
    • Permissions โ€” go to Attach existing policies directly and select AdministratorAccess
  • Add the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as GitHub Secrets

4. Connecting to Okta#

  • Sign in to your Okta organization as an admin
  • Click the Admin located in the upper right
  • Open the drop down menu in the upper right, and copy the URL to your GitHub Secrets as OKTA_DOMAIN
  • Expand Security on the left hand nav, choose API, and then the Token tab
  • Click the Create Token button, and copy it to your GitHub Secrets as OKTA_TOKEN

By default Okta grants tokens the same permissions as the account creating them.

5. Connecting to Indent#

  • If you're following an installation workflow, you should be presented with a page containing a Webhook Secret
  • Add this as INDENT_WEBHOOK_SECRET as a GitHub Secret

6. Deploy#

  • Enter the bucket you created in in the backend configuration
  • This will automatically kick off a deploy, or you can manually trigger from GitHub Actions

Using Indent + Okta Groups#

Congrats! Your integration is ready. You can test that everything is set correctly by navigating to your Integrations page, and clicking Pull from Integrations. On a successful pull for Okta Groups, you will see new Resources appear in your list.


You added an Indent + Okta Groups integration. You're now able to add policies, and customize rules based on your existing Okta Groups. Users can now request access, and you can see how your policies and the user's Okta Group combine into a clean new workflow.

The repo you created from a template auto-deploys to AWS when you push or merge PRs to the main branch. You can manually redeploy the webhooks by re-running the latest GitHub Action job.

Now that your Okta Groups are setup, try adding your first policy.


Where do I view the code I'm deploying?#

There are direct code examples in the Indent APIs GitHub. Take a look at the code that runs in these webhooks:

Where can I find a list of all of the secrets?#

You will find a full list of secrets used by this integration below. To view, click the View Secrets List link.

View Secrets List
INDENT_WEBHOOK_SECRETGet this from the Indent Webhook you created while setting up your space
OKTA_DOMAINYour Okta Domain. This is your Okta URL like
OKTA_CLIENT_IDYour Service App's Client ID. Get this from the Okta Admin Dashboard or from the Okta API Response value you got when settting up your app
OKTA_PRIVATE_KEYThe private RSA key you used to create your Service App
OKTA_SLACK_APP_IDYour Okta Slack App ID. Go to Okta Admin Console โ†’ Applications โ†’ Select "Slack" and copy the value from the URL, e.g. 0oabcdefghijklmnop from
AWS_REGIONThe AWS Region where you want to deploy the webhooks
AWS_ACCESS_KEY_IDYour Programmatic AWS Access Key ID
AWS_SECRET_ACCESS_KEYYour Programmatic AWS Secret Access Key
AWS_SESSION_TOKENOptional: Your AWS Session Token.
Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires

How do I ask for help?#

If you have questions or need help with your integration, try chatting with Indent Support.