To adjust the scopes granted to Salto, you can create a custom OIDC application within your Okta tenant and use it to connect to Salto.
However, be aware that modifying scopes may hinder Salto's ability to fetch and deploy certain resources.
Setup
Create an OIDC app integration - In your Okta tenant, go to the application tab. Click on “Create App Integration”, select OIDC as the Sign-in method, and Web Application as the Application type.
Application settings -
In the application creation page, select “Authorization Code” and “Refresh Token” as grant types. Enter the following Sign-in redirect URL: https://app.salto.io/okta-oauth2-redirect
Click “Save”
Assign scopes - In order for Salto to fetch your account configuration, Salto needs access to certain scopes. In the “Okta API Scopes” tab in the application integration page, assign the required scopes.
💡 Important Theokta.orgs.manage
scope, which is necessary for Salto, can't be added through the UI requires an API call in order to be added. For detailed instructions see this section below. In addition, this scope is mandatory and can't be adjusted.Assign Users or Groups - Assign users and / or groups to the created application.
💡 Important Ensure that the user selected for the initial OAuth login has a super administrator role.
💡 Important Verify the user that will be used to connect Salto is assigned to a group with access to the application.
Connect to Salto - when connecting a new application, select Okta and choose "OAuth". Copy the Client ID and Client Secret for the OIDC app you created in the previous steps, and connect.
Add okta.orgs.manage Scope
okta.orgs.manage
scope cannot be added directly though Okta's UI.
The scope can be assigned using an API call with postman or curl :
curl -i -X POST \
'https://subdomain.okta.com/api/v1/apps/{appId}/grants' \
-H 'Authorization: SSWS YOUR_API_KEY_HERE' \
-H 'Content-Type: application/json' \
-d '{ "issuer": "{yourOktaDomain}", "scopeId": "okta.orgs.manage" }'
Use an API token issued by an Admin in order to make this request.