Skip to main content
All CollectionsSalto for Okta
Supported Okta Types
Supported Okta Types
Support avatar
Written by Support
Updated over 2 months ago

Included Types

The Okta adapter fetches and deploys the following element types by default:

  • Applications

    • This includes both Group Push settings and application-group assignments.

  • Groups

    • Deployment is limited to native Okta groups, see about group types for more information.

  • Group Rules

  • Brands

  • Authentication policies

  • Global Session policies (Okta sign-on policy in Classic Engine)

  • Password policies

  • Profile Enrollment policies (only available for OIE)

  • MFA enrollment policies

  • User, Group and Application schemas

  • Profile Mappings

    • By default, Salto does not fetch Profile Mapping properties and their push status. To include these properties, see "Enabling add-ons" section below.

  • Authenticators

  • Behavior Rules

  • Network Zones

  • Account settings

  • SMS Templates

  • Trusted Origins

  • Device Assurance Policies (only available for OIE)

  • Identity Providers

  • IdP policies

  • Authorization Server Policies

  • Authorization Server Scopes

Read-only elements

In addition to the elements listed above, the Okta adapter also supports the following types in a read-only format:

  • Event Hooks

  • Inline Hooks

  • Features

  • Roles

  • Resource Sets

Enabling add-ons

Some configuration elements are not fetched by default by Salto. However, they can be included for existing environments through your environment's Salto Configuration File.

Users

Managing users is can be enabled by updating your Salto Configuration File.

By default, user support is disabled by the following settings -

okta {
  fetch = {
   include = [
     ...
   ]
   exclude = [
     {
       type = "User"
     },
   ]
  }
}

To enable the support, remove User type from the exclude list: 

okta {
  fetch = {
   include = [
     ...
   ]
   exclude = []
  }
}

For better visibility and management capabilities, consider also enabling Group Memberships.

Note
Salto does not fetch or manage any user’s credentials data such as passwords or recovery questions.

Group Memberships

This includes a list of users assigned to each group.
If managing users was not enabled in your environment, assignments will be limited to the user login name, without any additional user data.

To enable group memberships in your environment, edit your Salto Configuration File, and update includeGroupMemberships to true:

okta {
  fetch = {  
    includeGroupMemberships = true

    include = ...

Profile Mapping properties

Includes support in fetch and deploy of the mapping of attributes from the user profile to external service profiles.

To enable profile mapping properties support, edit your Salto Configuration File, and update includeProfileMappingProperties to true:

okta {
  fetch = {
    includeProfileMappingProperties = true    

    include = ...

Excluding elements

You can edit the Salto Configuration File to exclude specific elements that you do not wish to fetch and manage with Salto. You can choose which types to exclude, and also which instances of these types. To do this, use the exclude list under the fetch section of the Salto Configuration File.

For example, this file excludes all roles which have "test" in their role name:

okta {
  fetch = {
    include = [
      {
        type = ".*"
      },
    ]
    exclude = [
      {
        type = "Role"
        criteria = {
          name = ".*test.*"
        }
      }
    ]
  }
}

Did this answer your question?