Managing identity with Okta
This page describes how to integrate Okta with Indent. Identity providers serve as the authentication database for Indent: they supply security features such as single sign-on, two-factor authentication, lifecycle management and access gateways that secure the everyday chore of logging into apps.
Installation
- Sign into the Indent space.
- Follow the instructions for the Okta Groups webhook integration.
- Finish onboarding your team onto Indent.
Okta Account Setup
Creating an Okta service account
- Go to your Okta tenant, e.g. example.okta.com, replacing example with your sub-domain.
- Create a new Okta User called Indent Access Manager using the email address.
- In Okta Admin, go to Security → Administrators → Add Administrator.
Group-based admin permission
- Create a new Okta Group and give it a memorable name like "Indent Access Manager Group."
- Add the service account user you created in the previous step.
- In Okta Admin, go to Security → Administrators → Add Administrator Group, then select the group you created.
Required permissions
- In order to pull updates about users and groups, the Indent service account needs the "Read Only Administrator" role.
- In order to make changes to user membership in groups, the Indent service account needs the "Group Administrator" role. This can be restricted to specific groups through the "Can administer specific groups only" option, which is the least-privilege choice. If one of the administered groups grants an admin role such as "Application Administrator", the service account will need that role as well.
Authenticating with Okta
Indent's Okta integration supports Admin API Token access and Service App Token access for use with the Okta API.
Option 1: Account with API token
You can create an Okta Admin API token to use with Indent webhooks. For production deployments, we recommend creating a dedicated service account and issuing the token from it, so the Okta System Log accurately records what is actually making the changes rather than attributing them to a human administrator.
Prerequisites
- Okta Account
- Okta Domain
- Go to your Okta domain, e.g. example.okta.com, and log in as an Administrator.
- Navigate to Security → API and click "Create Token".
- Save your token securely; you won't be able to view it again after the creation step.
Option 2: Service App with API scopes
You can create a dedicated Okta Service App to communicate with the Okta API. Each time an integration is triggered to apply changes or pull updates, it uses the app's private key to sign a short-lived JWT client assertion, which it exchanges at Okta's token endpoint for a bearer access token to use with the Okta API. No long-lived secret is stored on the Okta side; Okta only holds the public key.
Prerequisites
- Okta Account
- Okta Domain
- Okta Admin API token (only for setup)
- curl, or another method to programmatically make HTTP requests, like Postman
Create the Service App
- Create an RSA public/private key pair. The key has specific requirements: a modulus of at least 2048 bits, and it will be used with the RS256 signing algorithm (RSA signature with SHA-256). Only the public half is sent to Okta, as a JSON Web Key; the private half stays with the integration.
require 'openssl'
require 'json/jwt'   # json-jwt gem, provides the JWK conversion below
# Generate a 2048-bit RSA key pair; Okta rejects anything smaller.
rsa_private = OpenSSL::PKey::RSA.generate 2048
# Persist the private key in PEM form; this file is the secret to protect.
File.write('./private.pem', rsa_private.to_pem)
# Print the public key as a JWK; its "n", "e" and "kid" values go into the jwks field of the registration request.
puts rsa_private.public_key.to_jwk
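The JWK that step 1 prints is built from the key's modulus and exponent. The following added example (not part of the original page or of Indent's code) shows how that conversion works using only the Ruby standard library, derives the "kid" as the RFC 7638 thumbprint of the public key, and assembles the registration body used in the POST to /oauth2/v1/clients below. The client name is an assumed value.

```ruby
require 'openssl'
require 'json'

# Base64url without padding, as JOSE requires (RFC 7515 section 2).
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Export the public half of an RSA key as a JWK (RFC 7518 section 6.3).
# OpenSSL::BN#to_s(2) yields the minimal big-endian byte string of the integer.
def public_jwk(rsa_key)
  {
    'kty' => 'RSA',
    'e'   => b64url(rsa_key.e.to_s(2)),
    'n'   => b64url(rsa_key.n.to_s(2))
  }
end

# RFC 7638 JWK thumbprint: SHA-256 over the required members only,
# in lexicographic order, with no whitespace. Used here as the "kid".
def jwk_thumbprint(jwk)
  canonical = JSON.generate({ 'e' => jwk['e'], 'kty' => jwk['kty'], 'n' => jwk['n'] })
  b64url(OpenSSL::Digest::SHA256.digest(canonical))
end

# Okta requires at least a 2048-bit modulus for the signing key.
def key_size_ok?(rsa_key)
  rsa_key.n.num_bits >= 2048
end

# Body for POST https://{yourOktaDomain}/oauth2/v1/clients, matching the
# curl request in the page. Only the public JWK is included.
def service_app_registration(client_name, rsa_key)
  raise ArgumentError, 'RSA key must be at least 2048 bits' unless key_size_ok?(rsa_key)
  jwk = public_jwk(rsa_key)
  {
    'client_name' => client_name,
    'response_types' => ['token'],
    'grant_types' => ['client_credentials'],
    'token_endpoint_auth_method' => 'private_key_jwt',
    'application_type' => 'service',
    'jwks' => {
      'keys' => [jwk.merge('use' => 'sig', 'alg' => 'RS256', 'kid' => jwk_thumbprint(jwk))]
    }
  }
end

if $PROGRAM_NAME == __FILE__
  key = OpenSSL::PKey::RSA.new(2048)
  File.write('./private.pem', key.to_pem)   # keep this file secret
  puts JSON.pretty_generate(service_app_registration('Indent Service App', key))
end
```

Using the thumbprint as the "kid" is a design choice: it is deterministic, so the same public key always registers under the same identifier, and it lets you later confirm which key Okta holds without storing anything beyond the key itself.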
- Create the service app by sending a POST request to your Okta Domain's /oauth2/v1/clients endpoint. Include these elements in the body:
  - client_name: name of your service app
  - grant_types: client_credentials
  - token_endpoint_auth_method: private_key_jwt
  - application_type: service
  - jwks: your public JSON Web Key from the previous step
- Note down the value of client_id in the Okta API's response and save it for use with Indent. (The response contains no secret; the private key you generated is the only credential.)
- Example request:
curl --location --request POST 'https://${yourOktaDomain}/oauth2/v1/clients' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS ${api_token}' \
--data-raw ' {
"client_name": "Indent Service App",
"response_types": ["token"],
"grant_types": ["client_credentials"],
"token_endpoint_auth_method": "private_key_jwt",
"application_type": "service",
"jwks": {
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"kid": "<REPLACE>",
"alg": "RS256",
"n": "<REPLACE>"
}
]
}
}
'
Grant Service App Scopes
- Go to your Okta admin console, e.g. example-admin.okta.com, replacing example with your sub-domain.
- Click Applications in the sidebar.
- You should see your newly created Service App in the list of Applications. Click on it.
- Click Okta API Scopes to see all the available scopes.
- Grant your newly created app the following scopes:
  - okta.groups.manage: Indent uses this to automatically perform change management on your Okta Groups
  - okta.users.manage: Indent uses this to automatically update user profile attributes
Use the Service App with Indent
Once you've created your Service App you can use your new credentials with Indent instead of an Okta Admin API token.
Use your RSA Key and Okta Service App Client Credential with these webhooks during setup:
Instead of passing an OKTA_TOKEN environment variable to your webhook, you can now pass in OKTA_CLIENT_ID and OKTA_PRIVATE_KEY from the earlier steps.
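What the webhook does with OKTA_CLIENT_ID and OKTA_PRIVATE_KEY is the private_key_jwt client-credentials exchange described under Option 2. The following added example (not Indent's code and not from the original page) builds the signed client assertion with the Ruby standard library, produces the form parameters for Okta's token endpoint, and includes the verification Okta performs on the other side so that you can see which claims matter. The domain, client ID and "kid" are constructed values; the "kid" must match the one registered in the app's JWK.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Client assertion for token_endpoint_auth_method=private_key_jwt (RFC 7523).
# iss and sub are the client_id; aud is Okta's token endpoint; the assertion is
# short-lived and carries a unique jti so a captured copy cannot be replayed.
def client_assertion(okta_domain, client_id, private_key, kid, now: Time.now.to_i, ttl: 300)
  header  = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
  payload = {
    'iss' => client_id,
    'sub' => client_id,
    'aud' => "https://#{okta_domain}/oauth2/v1/token",
    'iat' => now,
    'exp' => now + ttl,
    'jti' => SecureRandom.uuid
  }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Form body for POST https://{okta_domain}/oauth2/v1/token. Scopes requested
# here must already be granted to the app under "Okta API Scopes".
def token_request_params(assertion, scopes)
  {
    'grant_type' => 'client_credentials',
    'scope' => scopes.join(' '),
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => assertion
  }
end

# Verifier side, equivalent to what Okta checks against the registered public key.
# Returns [true, claims] or [false, reason].
def verify_assertion(jwt, public_key, expected_aud, expected_client_id, now: Time.now.to_i)
  h, p, s = jwt.split('.')
  return [false, 'malformed'] unless h && p && s
  header = JSON.parse(b64url_decode(h))
  # Pin the algorithm: never let the token choose "none" or an HMAC variant.
  return [false, 'alg'] unless header['alg'] == 'RS256'
  valid = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s), "#{h}.#{p}")
  return [false, 'signature'] unless valid
  claims = JSON.parse(b64url_decode(p))
  return [false, 'aud'] unless claims['aud'] == expected_aud
  return [false, 'iss'] unless claims['iss'] == expected_client_id && claims['sub'] == expected_client_id
  return [false, 'expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  [true, claims]
end

if $PROGRAM_NAME == __FILE__
  # Constructed values for a stand-alone run; a real webhook reads these from
  # OKTA_CLIENT_ID and OKTA_PRIVATE_KEY.
  key = OpenSSL::PKey::RSA.new(2048)
  jwt = client_assertion('example.okta.com', 'client123', key, 'kid-from-registration')
  puts JSON.pretty_generate(token_request_params(jwt, %w[okta.groups.manage okta.users.manage]))
end
```

The usage note worth keeping in mind: the assertion is minted fresh for every token request, so the private key, not any bearer token, is the long-lived secret. Store it outside the webhook's source tree and rotate it by registering a new JWK (new "kid") before removing the old one.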