In order to connect Okta to Salto, you can either use API Token authentication or OAuth authentication; both are described below.
To get to the application connection screen, go to the environment's settings tab and select the "Application Connections" section. In the "Application Connections" screen, click "Connect an application" and select Okta.
API Token Authentication
1. Obtain an API Token using a user with super administrator privileges from https://your-subdomain.okta.com/admin/access/api/tokens
2. In the application credentials screen, provide:
- Your Okta Base URL (remove the "-admin" part), e.g. https://your-subdomain.okta.com/
- The token you created in step 1
OAuth Authentication
In order to connect to Okta using OAuth, you need to set up an OIDC application in your Okta tenant.
Certain elements can't be fetched when connecting with OAuth, such as Group Push and certain settings (see "Types that can not be fetched with OAuth" below for the full list). To fetch these, use API Token authentication.
Using Salto's OAuth integration
To streamline the connection process, it is recommended to use Salto's pre-built integration from the Okta Integration Network (OIN). Salto assigns the required scopes to that application.
1. Add Salto's OAuth App - In your Okta tenant, go to the application tab, browse the OIN catalog and search for "Salto Okta Adapter OAuth".
2. Assign Users or Groups - Assign users / groups to the created application.
Important: Ensure that the user selected for the initial OAuth login has a super administrator role.
Important: Verify that the user that will be used to connect Salto is assigned to a group with access to the application.
3. Connect to Salto -
In Okta, go to the application's "Sign On" tab and copy the Client ID and Client Secret.
In Salto, choose "OAuth" as the authentication method and provide the Client ID and Client Secret you copied in the previous step.
Using custom OAuth integration
If you wish to adjust the scopes granted to Salto, you can create a custom OIDC application within your Okta tenant. However, be aware that modifying scopes may hinder Salto's ability to fetch and deploy certain resources.
For detailed instructions on creating a custom OAuth integration, refer to the following guide: Creating a custom OAuth integration for Okta Adapter.
Types that can not be fetched with OAuth
EmailNotifications (settings)
EndUserSupport (settings)
ThirdPartyAdmin (settings)
EmbeddedSignInSuppport (settings)
SignOutPage (settings)
BrowserPlugin (settings)
DisplayLanguage (settings)
Reauthentication (settings)
GroupPush
GroupPushRule
OAuth required scopes
okta.orgs.manage
okta.apps.manage
okta.authenticators.manage
okta.authorizationServers.manage
okta.behaviors.manage
okta.brands.manage
okta.deviceAssurance.manage
okta.domains.manage
okta.eventHooks.manage
okta.features.read
okta.groups.manage
okta.idps.manage
okta.inlineHooks.manage
okta.networkZones.manage
okta.policies.manage
okta.profileMappings.manage
okta.rateLimits.manage
okta.roles.manage
okta.schemas.manage
okta.templates.manage
okta.trustedOrigins.manage
okta.userTypes.manage
okta.users.read
okta.emailDomains.manage
okta.linkedObjects.manage
To limit Salto to read-only access, follow "Creating a custom OAuth integration for Okta Adapter" and replace 'manage' with 'read' in each scope.
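Two checks a practitioner may want when setting up a custom OIDC application for Salto, written as an added example (not Salto's or Okta's code): auditing the scopes granted to the app against the list above (including the read-only variant obtained by replacing 'manage' with 'read'), and deriving the Okta base URL from an admin-console URL by dropping the "-admin" part. It assumes that an Okta '.manage' scope also covers the matching '.read' scope; the host names used are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Scopes this page lists as required by Salto's OAuth integration.
REQUIRED_SCOPES = frozenset("""
okta.orgs.manage okta.apps.manage okta.authenticators.manage
okta.authorizationServers.manage okta.behaviors.manage okta.brands.manage
okta.deviceAssurance.manage okta.domains.manage okta.eventHooks.manage
okta.features.read okta.groups.manage okta.idps.manage okta.inlineHooks.manage
okta.networkZones.manage okta.policies.manage okta.profileMappings.manage
okta.rateLimits.manage okta.roles.manage okta.schemas.manage
okta.templates.manage okta.trustedOrigins.manage okta.userTypes.manage
okta.users.read okta.emailDomains.manage okta.linkedObjects.manage
""".split())


def read_only_variant(scope: str) -> str:
    """Apply the page's read-only rule: replace 'manage' with 'read'."""
    return scope[: -len(".manage")] + ".read" if scope.endswith(".manage") else scope


def audit_scopes(granted, read_only: bool = False) -> dict:
    """Compare a custom OIDC app's granted scopes with what Salto needs.

    Reports required scopes that are missing and, when a read-only setup is
    intended, '.manage' scopes that grant write access beyond that intent.
    Assumption: an Okta '.manage' scope also covers the matching '.read'.
    """
    granted = set(granted)
    required = {read_only_variant(s) if read_only else s for s in REQUIRED_SCOPES}
    covered = granted | {read_only_variant(s) for s in granted}
    missing = sorted(required - covered)
    excess_write = sorted(s for s in granted if read_only and s.endswith(".manage"))
    return {"missing": missing, "excess_write": excess_write}


def normalize_base_url(url: str) -> str:
    """Derive the base URL Salto expects from an admin-console URL, e.g.
    https://acme-admin.okta.com/admin/access/api/tokens -> https://acme.okta.com
    """
    if "://" not in url:
        url = "https://" + url  # bare host pasted from the browser
    parts = urlsplit(url)
    first, sep, rest = (parts.hostname or "").partition(".")
    if first.endswith("-admin"):
        first = first[: -len("-admin")]
    return urlunsplit((parts.scheme, first + sep + rest, "", "", ""))
```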