# Okta
Okta (opens new window) is a cloud service that organizes workforce and customer identities.
It provides cloud software that helps companies to manage secure user authentication for modern applications and helps developers to build identity controls into applications, web services, and devices.
# API version
The Okta connector uses Okta API v1 (opens new window).
# How to connect to Okta
Workato supports three different types of connections to Okta:
- Authorization code grant authentication (OAuth 2.0)
- Client credentials-based authentication (OAuth 2.0)
- API key-based authentication
Workato recommends using either Authorization code grant authentication (OAuth 2.0) or Client credentials-based authentication (OAuth 2.0) for improved security in your connection. This also allows you to set up granular permissions to control resources that Workato can access in Okta.
# Authorization code grant authentication
Log in to your Workato account and navigate to the project you plan to add your Okta connection to.
Click Create > Connection > select Okta as your connection.
To use authorization code grant authentication, select the Authorization code grant option from the Authentication type drop-down menu and enter the following information:
| Connection field | Description |
|---|---|
| Connection name | Give this connection a unique name that identifies which Okta instance it is connected to. |
| Okta domain | Your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com). |
| Client ID | Provide the client ID generated in Okta by completing the following steps. |
| Client secret | Provide the client secret generated in Okta by completing the following steps. |
| Advanced settings | Select the necessary OAuth 2.0 scopes to request from Okta in this connection. This should match the scopes defined in the Okta API Scopes section of the app integration in Okta. |
# Generating a client ID and secret for authorization code grant authentication
To generate a client ID and secret for authorization code grant authentication:
Sign in to your Okta organization as a user with administrator privileges.
In Okta's Admin Console, navigate to Applications > Applications.
Navigate to Applications > Applications
Select Create App Integration.
Select Create App Integration
Select OIDC - OpenID Connect in the Sign-in method section of the Create a new app integration page.
Create a new app integration
Select Web Application in the Application type section.
Enter a meaningful App integration name on the New Web App Integration page.
New Web App Integration page
Select the following checkboxes in the Client acting on behalf of a user field of the Grant type section:
- Authorization Code
- Refresh Token
Enter the Workato callback URI in the Sign-in redirect URIs section according to your data center:
- US Data Center:
https://www.workato.com/oauth/callback - EU Data Center:
https://app.eu.workato.com/oauth/callback - JP Data Center:
https://app.jp.workato.com/oauth/callback - SG Data Center:
https://app.sg.workato.com/oauth/callback - AU Data Center:
https://app.au.workato.com/oauth/callback
Sign-in redirect URIs
Select an Assignment option according to your preference and then select Save. Okta creates the app integration.
Copy the Client ID and Client Secret in the new app integration's General tab so you can enter these credentials in Workato's Okta connection settings.
Copy the Client ID and Client Secret
Navigate to the Okta API Scopes tab and assign the necessary scopes to the integration. The connection requires the following scopes at a minimum:
okta.logs.readokta.schemas.read
Assign Okta API scopes
# Client credentials-based authentication
Log in to your Workato account and navigate to the project you plan to add your Okta connection to.
Click Create > Connection > select Okta as your connection.
To use client credentials-based authentication, select the Client credentials option from the Authentication type drop-down menu and enter the following information:
| Connection field | Description |
|---|---|
| Connection name | Give this connection a unique name that identifies which Okta instance it is connected to. |
| Okta domain | Your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com). |
| Client ID | Provide the client ID generated in Okta by completing the following steps. |
| Private Key | Provide the private key generated in PEM format in Okta by completing the following steps. |
| Advanced settings | Select the necessary OAuth 2.0 scopes to request from Okta in this connection. This should match the scopes defined in the Okta API Scopes section of the app integration in Okta. |
# Generating a client ID and secret for client credentials-based authentication
To generate a client ID and secret for client credentials-based authentication:
Sign in to your Okta organization as a user with administrator privileges.
In Okta's Admin Console, navigate to Applications > Applications.
Navigate to Applications > Applications
Select Create App Integration.
Select Create App Integration
Select API Services in the Sign-in method section of the Create a new app integration page.
Select API Services
Enter a meaningful App integration name on the New API Services App Integration page and then select Save.
App integration name
Copy the Client ID in the new app integration's General tab.
Copy Client ID
Select Edit and then select Public key / Private key in the Client authentication field.
Select Add key in the PUBLIC KEYS section.
Select Generate new key in the Add a public key section to generate a new key pair.
Add a public key
Select PEM in the Private key section and copy the private key so you can enter it in Workato's Okta connection settings. You will not be able to retrieve this private key again.
Copy the private key
Select Done.
Select Save in the new app integration's General tab to store and activate the key. You must save the key before you can use it to connect to Workato.
If you see the message Existing client secrets will no longer be used, select Save.
The key status changes to Active.
Activate the key
Navigate to the Okta API Scopes tab and assign the necessary scopes to the integration. The connection requires the following scopes at a minimum:
okta.logs.readokta.schemas.read
Assign Okta API scopes
# API key-based authentication
The Okta connector uses an API key to authenticate with Okta.
Okta connection setup
| Connection field | Description |
|---|---|
| Connection name | Give this connection a unique name that identifies which Okta instance it is connected to. |
| Okta domain | Your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com). |
| API Key | An API key. You can generate API keys from your Okta instance by navigating to Security > API > Create token. |
API TOKEN PRIVILEGES
Creating API tokens requires administrator privileges. Ensure that you are logged in as an administrator before proceeding. Refer to Okta's documentation (opens new window) for more information.
# Roles and permissions required to connect
Workato recommends that the user and API key used to connect to Workato have Organization Administrator or Super Administrator entitlements. Several triggers and actions require administrator privileges.
# Triggers and actions
The following documentation contains triggers supported on Workato:
The following documentation contains user lifecycle actions supported on Workato:
- Create user
- Activate user
- Update user
- Add user to group
- Remove user from group
- Deactivate user
- Delete user
The following documentation contains resource discovery actions supported on Workato:
Last updated: 10/17/2023, 2:54:29 AM