Salto’s Okta Adapter supports OAuth-based authentication.
In order to connect to Okta using OAuth, you need to set up an OIDC application in your Okta tenant.
Certain elements can't be fetched when connecting with OAuth, such as Group Push and certain Settings (see "Types that can't be fetched" for the full list). To fetch these, use API Token authentication.
Salto's OIN application
Setup
Add Salto's OIDC App - In your Okta tenant, go to the application tab, browse the OIN catalog and search for "Salto Okta Adapter OAuth".
Assign Users or Groups - Assign users and / or groups to the created application.
💡 Important: Ensure that the user selected for the initial OAuth login has a super administrator role.
Connect to Salto - when connecting a new application, select Okta and choose "OAuth". Copy the Client ID and Client Secret for the OIDC app you created in the previous steps, and connect.
Creating a custom OIDC OAuth integration
To limit Salto to read-only access, or to adjust any scope, you can create your own OIDC custom application. To do so, please follow this guide: https://help.salto.io/en/articles/8721163-connecting-okta-adapter-using-oauth
Scopes used by Salto
okta.orgs.manage
okta.apps.manage
okta.authenticators.manage
okta.authorizationServers.manage
okta.behaviors.manage
okta.brands.manage
okta.deviceAssurance.manage
okta.domains.manage
okta.eventHooks.manage
okta.features.read
okta.groups.manage
okta.idps.manage
okta.inlineHooks.manage
okta.networkZones.manage
okta.policies.manage
okta.profileMappings.manage
okta.rateLimits.manage
okta.roles.manage
okta.schemas.manage
okta.templates.manage
okta.trustedOrigins.manage
okta.userTypes.manage
okta.users.read
okta.emailDomains.manage
okta.linkedObjects.manage
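The scope list above is the privilege the OIN app asks for; when you instead create a custom OIDC app (read-only or with adjusted scopes), you will want to verify what the client was actually granted. The following added example, which is not Salto's or Okta's code, parses the space-delimited `scope` value of an OAuth token response (or introspection result), compares it with the documented list, flags write-capable `.manage` grants, and derives the read-only profile by assuming Okta defines a `.read` scope for every resource listed (verify that assumption against Okta's API scope reference before relying on it).

```python
"""Least-privilege audit of the scopes granted to an Okta OAuth client.
Added example; not Salto's or Okta's own code."""
import json

# Scopes documented on this page for Salto's OIN application.
SALTO_SCOPES = frozenset({
    "okta.orgs.manage", "okta.apps.manage", "okta.authenticators.manage",
    "okta.authorizationServers.manage", "okta.behaviors.manage",
    "okta.brands.manage", "okta.deviceAssurance.manage", "okta.domains.manage",
    "okta.eventHooks.manage", "okta.features.read", "okta.groups.manage",
    "okta.idps.manage", "okta.inlineHooks.manage", "okta.networkZones.manage",
    "okta.policies.manage", "okta.profileMappings.manage",
    "okta.rateLimits.manage", "okta.roles.manage", "okta.schemas.manage",
    "okta.templates.manage", "okta.trustedOrigins.manage",
    "okta.userTypes.manage", "okta.users.read", "okta.emailDomains.manage",
    "okta.linkedObjects.manage",
})


def parse_scope_claim(scope: str) -> set[str]:
    """OAuth 2.0 carries 'scope' as one space-delimited string."""
    return set(scope.split())


def read_only_equivalent(scope: str) -> str:
    """Map a .manage scope to its .read form. Assumption: Okta defines a
    .read scope for each resource in the list; confirm in Okta's docs."""
    return scope[:-len(".manage")] + ".read" if scope.endswith(".manage") else scope


def audit_scopes(granted: set[str], expected: frozenset = SALTO_SCOPES) -> dict:
    """Report grants beyond the documented set, documented scopes that are
    missing, which grants can write, and the read-only scope profile."""
    return {
        "excess": sorted(granted - expected),
        "missing": sorted(expected - granted),
        "write_capable": sorted(s for s in granted if s.endswith(".manage")),
        "read_only_profile": sorted({read_only_equivalent(s) for s in expected}),
    }


# Constructed token response: one documented scope dropped, one broader grant added.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer", "expires_in": 3600,
    "scope": " ".join(sorted((SALTO_SCOPES - {"okta.groups.manage"}) | {"okta.users.manage"})),
})

if __name__ == "__main__":
    granted = parse_scope_claim(json.loads(SAMPLE_TOKEN_RESPONSE)["scope"])
    print(json.dumps(audit_scopes(granted), indent=2))
```

Any scope in `excess` or `write_capable` that your deployment does not need is a candidate for removal from the custom app's grant list.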