Salto

To adjust the scopes granted to Salto, you can create a custom OIDC application within your Okta tenant and use it to connect to Salto. However, be aware that modifying scopes may hinder Salto's ability to fetch and deploy certain resources.

Create an OIDC app integration - In your Okta tenant, go to the application tab. Click on “Create App Integration”, select OIDC as the Sign-in method, and Web Application as the Application type.

1. In the application creation page, select “Authorization Code” and “Refresh Token” as grant types. Enter the following Sign-in redirect URL: <a href="https://app.salto.io/okta-oauth2-redirect" rel="nofollow noopener noreferrer" target="_blank">https://app.salto.io/okta-oauth2-redirect</a>
2. Click “Save”

Assign scopes - In order for Salto to fetch your account configuration, Salto needs access to certain scopes. In the “Okta API Scopes” tab in the application integration page, assign <a href="https://help.salto.io/en/articles/9127461-connect-your-okta-account#h_48b6c83433">the required scopes</a>. ​ 💡 Important The <code>okta.orgs.manage</code> scope, which is necessary for Salto, can't be added through the UI requires an API call in order to be added. For detailed instructions see <a href="#h_024c0a34ed">this section below</a>. In addition, this scope is mandatory and can't be adjusted.

Assign Users or Groups - Assign users and / or groups to the created application. 💡 Important Ensure that the user selected for the initial OAuth login has a super administrator role. 💡 Important Verify the user that will be used to connect Salto is assigned to a group with access to the application. ​

Connect to Salto - when connecting a new application, select Okta and choose "OAuth". Copy the Client ID and Client Secret for the OIDC app you created in the previous steps, and connect.​

1. Create an OIDC app integration - In your Okta tenant, go to the application tab. Click on “Create App Integration”, select OIDC as the Sign-in method, and Web Application as the Application type.

2. Application settings -
 1. In the application creation page, select “Authorization Code” and “Refresh Token” as grant types. Enter the following Sign-in redirect URL: <a href="https://app.salto.io/okta-oauth2-redirect" rel="nofollow noopener noreferrer" target="_blank">https://app.salto.io/okta-oauth2-redirect</a>
 2. Click “Save”
 
 
3. Assign scopes - In order for Salto to fetch your account configuration, Salto needs access to certain scopes. In the “Okta API Scopes” tab in the application integration page, assign <a href="https://help.salto.io/en/articles/9127461-connect-your-okta-account#h_48b6c83433">the required scopes</a>. ​ 💡 Important The <code>okta.orgs.manage</code> scope, which is necessary for Salto, can't be added through the UI requires an API call in order to be added. For detailed instructions see <a href="#h_024c0a34ed">this section below</a>. In addition, this scope is mandatory and can't be adjusted.
 
4. Assign Users or Groups - Assign users and / or groups to the created application. 💡 Important Ensure that the user selected for the initial OAuth login has a super administrator role. 💡 Important Verify the user that will be used to connect Salto is assigned to a group with access to the application. ​
5. Connect to Salto - when connecting a new application, select Okta and choose "OAuth". Copy the Client ID and Client Secret for the OIDC app you created in the previous steps, and connect.​

<code>okta.orgs.manage</code> scope cannot be added directly though Okta's UI.

The scope can be assigned using an API call with <a href="https://www.postman.com/satellite-architect-82400743/workspace/oauth-for-okta/collection/22023600-ddeb8e30-5105-468c-8355-e0d902728344?action=share&amp;creator=22023600" rel="nofollow noopener noreferrer" target="_blank">postman</a> or curl :

curl -i -X POST \ 'https://subdomain.okta.com/api/v1/apps/{appId}/grants' \ -H 'Authorization: SSWS YOUR_API_KEY_HERE' \ -H 'Content-Type: application/json' \ -d '{ "issuer": "{yourOktaDomain}", "scopeId": "okta.orgs.manage" }'

Use an <a href="https://support.okta.com/help/s/article/How-do-I-create-an-API-token?language=en_US" rel="nofollow noopener noreferrer" target="_blank">API token</a> issued by an Admin in order to make this request.

Setup

Add okta.orgs.manage Scope