Integrating with Okta allows Scytale to collect the full list of Okta users together with their access privileges. This evidence is used to verify that only authorized users have access to Okta, which is one of the key criteria when testing logical access.
Collecting this evidence manually takes time, especially when you need to demonstrate to the auditors that the user listings are complete and accurate.
Automating the collection of user listings and access privileges streamlines the sampling process for the audit and gives more assurance over the accuracy and completeness of the evidence collected.
Prerequisites for Okta Integration
The integration authenticates with an Okta API token. An API token inherits the permissions of the user who creates it, so what Scytale can read depends on that user's role.
To collect the list of administrator users from Okta, the user creating the API token must hold the Super Administrator role. Because such a token carries full administrative rights, store it as a secret, restrict who can see it, and rotate it if it is ever exposed; if you prefer a narrower credential, use the Client ID and private key option described below, which lets you grant the app a read-only role.
Collecting the administrator list matters: reviewing who holds privileged access is a central part of demonstrating compliance and security over user access to systems.
How to Connect Scytale and Okta
In Scytale, go to 'Integrations'.
Search for Okta and select 'Connect'.
Insert your API key (see 'How To Create an API key in Okta' below).
Optional: instead of an API key, click the "switch" button and paste the Client ID and private key (JWK) of an Okta API Services app (see 'How to create a Client ID & Private Key in Okta' below).
Insert your Okta subdomain. It should look like this: your-company.okta.com
Your subdomain should not include "https://" or a trailing path.
Add a connection name - this will be used to differentiate between your connections - and then select 'Connect'.
You have now successfully connected to Okta!
How To Create an API key in Okta
1. Log in to your company Okta application (It should look like this):
https://your-company.okta.com
2. In the Admin Console, go to Security and click API.
3. Open the Tokens tab, click the "Create Token" button and give the token a name.
4. Copy the token value. Okta shows it only once, at creation; if you lose it, revoke the token and create a new one.
How to create a Client ID & Private Key in Okta
Key generation
Sign in as a Super Administrator
In the Admin Console, go to Applications > Applications, and then click Create App Integration
On the Create a new app integration page, select API Services as the Sign-in method and click Next
Copy Client ID and save it aside
In the Client Credentials section of the General tab, click Edit to change the client authentication method to Public key / Private key
In the Public keys section, under "Configuration", choose Save keys in Okta. Okta then stores the public half of the key pair, and Scytale authenticates with the private half.
Click Add.
Click on Generate new key to generate a new key pair.
Copy the private key in JSON (JWK) format and store it securely; Okta does not keep or show the private key again.
Click on save
Click on Save once again and confirm that the key is active
Go to General Settings, click “Edit” and uncheck Require Demonstrating Proof of Possession (DPoP) header in token requests
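As an added example (not Scytale's connector code and not Okta's own code) of what a client does with the Client ID and private JWK produced above: it builds the private_key_jwt client assertion and the client-credentials token request that Okta's org authorization server accepts from an API Services app with DPoP disabled. The client ID, the org domain and the scope names (okta.users.read, okta.roles.read) are assumptions, since the page does not list the scopes; the signing step assumes PyJWT is installed.

```python
"""Build the OAuth 2.0 client-credentials request an Okta API Services app
sends when it authenticates with a private key (private_key_jwt).

Added example, not Scytale's code. Assumes the app was configured as
above (public key saved in Okta, DPoP header not required) and that
PyJWT is installed for the signing step."""
import json
import time
import urllib.parse
import urllib.request
import uuid

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint(okta_domain: str) -> str:
    """Org authorization server token endpoint; also the 'aud' of the assertion."""
    return f"https://{okta_domain}/oauth2/v1/token"


def build_assertion_claims(client_id: str, okta_domain: str, now=None, ttl_seconds=300) -> dict:
    """Claims of the client assertion: the app vouches for itself (iss == sub),
    to this token endpoint only (aud), for a short window (exp), once (jti)."""
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint(okta_domain),
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": str(uuid.uuid4()),
    }


def sign_client_assertion(claims: dict, private_jwk_json: str) -> str:
    """RS256-sign the claims with the private JWK copied from Okta; the 'kid'
    header lets Okta pick the matching stored public key."""
    import jwt  # PyJWT, assumed installed
    from jwt.algorithms import RSAAlgorithm

    jwk = json.loads(private_jwk_json)
    key = RSAAlgorithm.from_jwk(private_jwk_json)
    headers = {"kid": jwk["kid"]} if "kid" in jwk else None
    return jwt.encode(claims, key, algorithm="RS256", headers=headers)


def token_request_body(client_assertion: str, scopes) -> dict:
    """Form fields of the POST to the token endpoint."""
    return {
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
    }


def request_access_token(okta_domain: str, client_id: str, private_jwk_json: str, scopes) -> str:
    """Full exchange: sign an assertion, POST it, return the access token."""
    claims = build_assertion_claims(client_id, okta_domain)
    body = token_request_body(sign_client_assertion(claims, private_jwk_json), scopes)
    req = urllib.request.Request(
        token_endpoint(okta_domain),
        data=urllib.parse.urlencode(body).encode(),
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    import os
    # Assumed environment variables; scope names are assumptions, see lead-in.
    print(request_access_token(os.environ["OKTA_DOMAIN"], os.environ["OKTA_CLIENT_ID"],
                               os.environ["OKTA_PRIVATE_JWK"], ["okta.users.read", "okta.roles.read"]))
```

The assertion is short-lived and bound to the token endpoint through `aud`, so a leaked assertion is far less useful to an attacker than a leaked API token; the private JWK itself is the secret to protect.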
Scopes
From the service app page, select the Okta API Scopes tab
Click Grant > Grant Access for the following scopes:
Go to the Granted tab and verify that all required scopes were granted
Assign an admin role to the service app
Go to Security > Administrators and click the Roles tab. Click Create new role.
Enter a name
Use the search bar to select the permissions below:
View roles, resources, and admin assignments
Click on save role
Go to Security > Administrators and click on the Resources tab. Click on Create new resource set
Enter a name
Add the resource below by clicking Add resource:
Identity and Access Management resources, then click Create.
From the service app page, select the Admin roles tab
Click on Edit assignments
Choose the new role and the resource set you just created from the dropdown menus.
Click on Add assignment and choose Read-only Administrator role from the dropdown menu
Remove any other roles granted to the app (such as the Super Administrator role) so that it keeps only the read-only access it needs.
Click on Save changes
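The following added example (not Scytale's connector code) shows the evidence the connection exists to collect: every Okta user with status and last login, plus the admin roles assigned to each, fetched from the Users API and the per-user roles endpoint. It works with either credential from the steps above, an API token sent with Okta's SSWS scheme or an OAuth access token sent as Bearer. It follows Okta's Link-header pagination so the listing is complete, and it fetches DEPROVISIONED users separately, because the default user listing leaves them out. The org name, users and roles in the sample responses are constructed for offline use.

```python
"""Collect Okta access evidence: all users plus their admin role assignments.

Added example, not Scytale's code. Works with an API token ('SSWS <token>')
or an OAuth access token ('Bearer <token>'). The SAMPLE responses below are
constructed and stand in for a real org."""
import json
import re
import urllib.request

NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')
# Assumption: the org uses an Okta-owned hostname; a custom domain needs this relaxed.
OKTA_HOST = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.(okta|oktapreview|okta-emea)\.com$")
# The default listing omits DEPROVISIONED users, so ask for them explicitly.
USER_LISTINGS = ["users?limit=200", "users?limit=200&filter=status%20eq%20%22DEPROVISIONED%22"]


def normalize_okta_domain(value: str) -> str:
    """Turn 'https://Your-Company.okta.com/' into 'your-company.okta.com'."""
    host = re.sub(r"^https?://", "", value.strip().lower()).split("/", 1)[0]
    if not OKTA_HOST.match(host):
        raise ValueError(f"not an Okta org hostname: {value!r}")
    return host


def auth_header(token: str, kind: str = "ssws") -> dict:
    """API tokens use Okta's SSWS scheme; OAuth access tokens use Bearer."""
    scheme = {"ssws": "SSWS", "oauth": "Bearer"}[kind]
    return {"Authorization": f"{scheme} {token}", "Accept": "application/json"}


def next_page(link_header: str):
    """Okta paginates with Link headers; return the rel="next" URL or None."""
    match = NEXT_LINK.search(link_header or "")
    return match.group(1) if match else None


def http_get(url, headers):
    """Real transport: (parsed JSON body, all Link headers joined into one string)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), ", ".join(resp.headers.get_all("Link") or [])


def fetch_all(url, headers, get=http_get) -> list:
    """Follow rel="next" until Okta stops sending one, so the listing is complete."""
    items = []
    while url:
        page, link = get(url, headers)
        items.extend(page)
        url = next_page(link)
    return items


def collect_access_evidence(domain, token, kind="ssws", get=http_get) -> list:
    """One record per user with the admin role types assigned to them."""
    base = f"https://{normalize_okta_domain(domain)}/api/v1"
    headers = auth_header(token, kind)
    evidence = []
    for listing in USER_LISTINGS:
        for user in fetch_all(f"{base}/{listing}", headers, get):
            roles = fetch_all(f"{base}/users/{user['id']}/roles", headers, get)
            evidence.append({
                "login": user["profile"]["login"],
                "status": user["status"],
                "lastLogin": user.get("lastLogin"),
                "adminRoles": sorted(r["type"] for r in roles),
            })
    return evidence


def admin_listing(evidence) -> list:
    """The administrator list auditors ask for: logins holding any admin role."""
    return [e["login"] for e in evidence if e["adminRoles"]]


# Constructed sample responses (not real data): two pages of active users,
# one deprovisioned user, and each user's role assignments.
_B = "https://acme.okta.com/api/v1"
SAMPLE = {
    f"{_B}/users?limit=200": (
        [{"id": "u1", "status": "ACTIVE", "lastLogin": "2024-05-01T09:00:00.000Z",
          "profile": {"login": "alice@acme.example"}},
         {"id": "u2", "status": "ACTIVE", "lastLogin": None,
          "profile": {"login": "svc-scytale@acme.example"}}],
        f'<{_B}/users?limit=200>; rel="self", <{_B}/users?after=u2&limit=200>; rel="next"'),
    f"{_B}/users?after=u2&limit=200": (
        [{"id": "u3", "status": "ACTIVE", "lastLogin": "2024-04-30T08:00:00.000Z",
          "profile": {"login": "carol@acme.example"}}],
        f'<{_B}/users?after=u2&limit=200>; rel="self"'),
    f"{_B}/users?limit=200&filter=status%20eq%20%22DEPROVISIONED%22": (
        [{"id": "u4", "status": "DEPROVISIONED", "lastLogin": "2023-11-20T10:00:00.000Z",
          "profile": {"login": "bob@acme.example"}}], ""),
    f"{_B}/users/u1/roles": ([{"type": "SUPER_ADMIN", "status": "ACTIVE"}], ""),
    f"{_B}/users/u2/roles": ([{"type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
                              {"type": "CUSTOM", "status": "ACTIVE"}], ""),
    f"{_B}/users/u3/roles": ([], ""),
    f"{_B}/users/u4/roles": ([], ""),
}


def sample_get(url, headers):
    """Offline transport serving the constructed SAMPLE responses."""
    return SAMPLE[url]


if __name__ == "__main__":
    records = collect_access_evidence("https://acme.okta.com/", "constructed-token", get=sample_get)
    print(json.dumps(records, indent=2))
    print("admins:", admin_listing(records))
```

The service account created above (READ_ONLY_ADMIN plus the custom role) shows up in the admin list like any other privileged identity, which is exactly what an auditor reviewing logical access expects to see.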