Okta Groups + Indent
This guide will show you how to setup an integration between Indent and Okta. Once complete, you'll be able to grant access and create policies based on your existing Okta Groups.
Components
This page assumes you completed the Indent Quickstart. (5 min setup)
Configuration
This guide uses GitHub Actions and Terraform to deploy an Indent + Okta integration. S3 will be used to store Terraform state, and AWS Lambda will run the webhook.
1. Cloning the repo
- Click on the Use This Template button to clone the repo
- In your new repo go to Settings → Secrets → Actions
- Leave this tab open for adding secrets from the next steps
2. Configuring the S3 bucket
- Go to AWS S3 and select an existing bucket or create a new one
- Most of the default settings are good, but some recommended values are:
- Name — easily identifiable name for the bucket, such as
indent-deploy-state-123
- Region — where you plan to deploy the Lambda, like
us-west-2
- Bucket versioning — if you want to have revisions of past deployments, otherwise pick
disabled
- Default encryption —
enable
for server-side encryption for deployment files
- Name — easily identifiable name for the bucket, such as
- This integration currently assumes your region is
us-west-2
, and you want S3 encryption turned on. If you choose other settings, update yourmain.tf
values accordingly.
- Most of the default settings are good, but some recommended values are:
- In a new tab open
main.tf
from your GitHub repo, and change the empty value forbackend
to the name of your bucketnoteIn
main.tf
, only update the empty bucket value in the Terraform block.
3. Configuring AWS credentials
- Go to AWS IAM → Add Users and create a new user for deploys, such as
indent-terraform-deployer
- Configure the service account's access:
- Credential type — select Access key - Programmatic access
- Permissions — click Attach existing policies directly and select
AdministratorAccess
- Follow the prompts until the account is created
- Add the resulting values as
AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
to GitHub Secrets
4. Connecting to Okta
- Sign in to your Okta organization as an admin
- Click the Admin button located in the upper right
- Open the upper right drop down menu by clicking your name
- Copy the URL displayed there to your GitHub Secrets as
OKTA_DOMAIN
- Visit Security → API → Tokens on your Okta dashboard
- Click the Create Token button, and copy the value to your GitHub Secrets as
OKTA_TOKEN
- Click the Create Token button, and copy the value to your GitHub Secrets as
The API token is great for an initial Okta + Indent setup. For a production deployment, it's recommended that you create a service app for a more robust integration with Okta.
5. Deploying
- On your Indent dashboard go to Integrations → Catalog → Okta OR follow this link
- Copy the webhook secret, and in a new tab add it to your GitHub Secrets as
INDENT_WEBHOOK_SECRET
- Leave this Okta integrations page open for the next step
- Copy the webhook secret, and in a new tab add it to your GitHub Secrets as
- From your repo navigate to GitHub Actions → The latest job → deploy.webhook, and follow the prompts to run the workflow
- Click the new deploy.webhook, and copy the URL printed in the Terraform Output section
- On your Indent + Okta integrations page, paste and save the URL you just copied
Using Indent + Okta Groups
Congrats! Your Okta integration is ready. You can test that everything is set correctly by navigating to your Integrations page, and clicking Pull from Integrations. On a successful pull, you will see new Okta Groups appear in your Resources list.
Now it's time to use Indent for requesting membership to an Okta group.
- Try visiting the request page on the Indent dashboard, or created a request in Slack
- If you have the Slack integration setup, you can type
/access
or click the lightning bolt to submit a request
- If you have the Slack integration setup, you can type
- On your Petitions page you should be able to see your request as part of a petition. Try clicking the petition to view more details.
- From the petition details page, click the Review Petition button and follow the prompts
Once approved, you should be able to visit your Okta dashboard, and see yourself as a member of the Okta group you requested.
Summary
You added an Indent + Okta Groups integration. You're now able to approve secure, temporary access to Okta Groups.
Try adding an Indent + Tailscale, for secure on-demand production access.
Questions
Where do I view the code I'm deploying?
Where can I find a list of all of the secrets?
Name | Description |
---|---|
INDENT_WEBHOOK_SECRET | Get this from the Indent Webhook you created while setting up your space |
OKTA_DOMAIN | Your Okta Domain. This is your Okta URL like example.okta.com |
OKTA_CLIENT_ID | Your Service App's Client ID. Get this from the Okta Admin Dashboard or from the Okta API Response value you got when settting up your app |
OKTA_PRIVATE_KEY | The private RSA key you used to create your Service App |
OKTA_SLACK_APP_ID | Your Okta Slack App ID. Go to Okta Admin Console → Applications → Select "Slack" and copy the value from the URL, e.g. 0oabcdefghijklmnop from example-admin.okta.com/admin/apps/slack/0oabcdefghijklmnop/ |
AWS_REGION | The AWS Region where you want to deploy the webhooks |
AWS_ACCESS_KEY_ID | Your Programmatic AWS Access Key ID |
AWS_SECRET_ACCESS_KEY | Your Programmatic AWS Secret Access Key |
AWS_SESSION_TOKEN | Optional: Your AWS Session Token. Note: If you use an AWS Session ID you will need to update it for each deployment once the session expires |