Creating and Configuring an Okta System of Record

Prerequisites

  • An Okta User account with elevated privileges to read the Okta APIs

Permissions Required

  • Ability to add a new API Service Integration with scopes:
    • okta.users.read, okta.groups.read
  • Ability to generate an Okta API Key (if using an API Key method of authentication)
  • Ability to read User and/or Group objects that are needed to be synchronized to SGNL

Configuring Okta

Using OAuth2 with an API Service Integration

  1. Login to your Okta Organization and select Applications from the left-navigation menu
  2. Choose API Service Integrations and select ‘Add Integration’
  3. Find and select SGNL in the list of integrations then choose ‘Next’
  4. On the ‘Authorize SGNL’ page, choose to ‘Install & Authorize’ SGNL
  5. On the next screen, you will have a single opportunity to copy your ‘client secret’ – copy it and keep it somewhere safe, you’ll need this to configure SGNL in a moment
  6. Once copied, select ‘Done’
  7. In the ‘General’ tab, copy the ‘Client ID’ - you’ll need those to configure SGNL in a moment
  8. By default, the new API Service integration will use scopes ‘okta.users.read’ and ‘okta.groups.read’ to support the synchronization of users and groups from Okta
  9. (Optional) Give the App an image to make it more easily discernable later

Using OpenID Connect with Authorization Code Flow

  1. Login to your Okta Organization and select Applications from the left-navigation menu
  2. Choose Applications again and select ‘Create App Integration’
  3. Select OIDC - OpenID Connect and choose ‘Web Application’
  4. Give the OIDC App a Name
  5. Select ‘Authorization Code’ and ‘Refresh Token’ as Core grants
  6. Update the Sign-in redirect URI to be ‘https://{clientname}.sgnl.cloud/auth/oidcCallback’ (or your client-specific console url)
  7. In Assignments, grant the User(s) who will need to step through the Authorization Code Flow access to this app
  8. Save the App
  9. From within Okta API Scopes - grant the relevant scopes for the actions you want to take, e.g.
  • To Enable/Suspend Users, ensure that okta.users.manage is granted
  • To Add/Remove Users from Groups, ensure that okta.groups.manage is granted
  • To revoke sessions, ensure that okta.sessions.manage is granted
  1. From the General tab, copy the Client ID and Client Secret, you’ll need those in SGNL in a moment

Using an API Key

  1. Login to your Okta Organization with the desired User Account that will be responsible for synchronization - note the Okta sub-domain you use to sign-in to this organization
    • Note: SGNL and Okta recommends using an account that does not belong to any individual, but instead acts as a service account in Okta
  2. Create an Okta API Token

Configuring SGNL

  1. Login to the SGNL Console

  2. From the left menu, select Identity Data Fabric

  3. Click “Add System of Record” or “Add”.

  4. The SGNL SoR Catalog will show up on the screen

    SGNL - Catalog

  5. Click on “Okta” which will open up the New System of Record screen with some configuration options pre-populated from the Okta SoR template.

    SGNL - Catalog

  6. Choose the correct adapter that matches the Okta System of Record Type.

  7. Select the Authentication Method - SGNL recommends using OAuth2 Authentication using an Okta API Service Integration

  8. Replace all fields that have the {{Input Required:}} placeholder with relevant information. The following fields are required: Okta Domain: Enter the domain you use to login to Okta. Generally, this takes the form of https://acmecorp.okta.com

If you are using OAuth2 authentication for the API Service Integration

  • Client ID: Enter the Client ID you copied previously from Okta
  • Client Secret: Enter the Client Secret you copied previously from Okta
  • Token URL: https://{{Your Okta Subdomain}}.okta.com/oauth2/v1/token

If you are using OpenID Connect with Authorization Code Flow

  • Client ID: Enter the Client ID you copied previously from Okta
  • Client Secret: Enter the Client Secret you copied previously from Okta
  • Scope: The scopes you selected, with the addition of offline_access, to enable a refresh token to be granted
  • Token URL: https://{{Your Okta Subdomain}}.okta.com/oauth2/v1/token
  • Auth URL: https://{{Your Okta Subdomain}}.okta.com/oauth2/v1/authorize
  1. a) Double-check that the Redirect URI matches the configuration you entered into Okta’s Sign-in redirect URI, if not, update it in Okta
  2. b) Select Authenticate, and Authenticate to Okta in the pop-up with a user account that has been assigned the application

If you are using an API key, choose Bearer as the Authentication Method, and enter:

  • Auth Token: Enter the API Key you generated in Okta, prefixed with needed Okta Token type of “SSWS " - note trailing space

  1. Click “Continue” to save your Okta System of Record. You will be taken to the Okta System of Record page.

    SGNL - Save Okta SoR Config

  2. All entities and relationships are created as defined in the Okta template. If applicable, you can edit an entity and modify any properties of the entity or the associated attributes. Hover over the entity on the screen above to see the Edit button as shown above.

  3. You can check the relationships created through the Relationships tab. However, relationships cannot be modified. You will need to delete an existing one, and create a new relationship.

  4. (If applicable) You can also create relationships joining entities and attributes in Okta to entities and attributes in other Systems of Record configured in SGNL. For example, if User Employee Numbers in your ServiceNow instance are consistent with the User Employee Numbers in your HRIS system, you can create a relationship between the Employee Number attribute in the Okta instance and the Employee Number attribute in your HRIS System of Record. For more information on relationships, please refer to our Relationships page.

  5. Note that synchronization is disabled by default when a new System of Record is created. You can choose to enable synchronization on Entities individually. Hover over the entity to see the Enable Sync button, and click on it.

  6. Repeat for all Entities you want to synchronize to SGNL. Finally, Enable synchronization for the System of Record.

SGNL - Enable Sync for Okta SoR

  1. After some time, SGNL should complete ingesting the data from your Okta instance into the SGNL graph. The number of objects ingested per entity are displayed on the Okta screen. You should then be able to construct policies based on your Okta data and make access evaluation calls to SGNL.

SGNL - Okta Entities Ingested

  1. Once ingestion is complete and Okta data is in the SGNL graph, you can use Data Lens to explore the SGNL graph.

Synchronization Filters

Basic Filters

In most cases, you will want to reduce the data coming from Okta to only the entities, attributes, and objects that you need to successfully evaluate your policies or take action within SGNL. You can apply filtering using either Okta’s filter or search parameters to reduce that data. Basic filters use Okta filtering syntax exactly as documented, without additional processing or intelligence in SGNL.

Filters are configured per Entity and are passed directly to Okta at synchronization time to be evaluated and have only the right data made available to SGNL.

Filter vs Search Parameters

Okta provides two different query parameters for filtering data:

Filter Parameter (filter)

  • Returns users that match a filter expression checked against a limited subset of user object properties
  • Supported properties: status, lastUpdated, id, profile.login, profile.email, profile.firstName, and profile.lastName
  • Only uses the equal (eq) operator (except lastUpdated which supports inequality operators)
  • Designed for basic filtering scenarios

Search Parameter (search) - Recommended

  • Returns users matched against a search expression and any user object properties, including custom-defined properties
  • Uses standard Okta API filtering semantics with mathematical and logical operators (eq, ge, lt, gt, and, or)
  • Supports complex expressions with parentheses for grouping
  • Okta recommends using the search parameter for optimal performance

Important: You cannot use both filter and search parameters simultaneously for the same entity. SGNL will return a validation error if both are configured.

Using Filter Parameters

To use Okta filters, add the appropriate filter expression to the relevant entity in the Adapter config.

Sample Adapter Config with Filters

{
  "requestTimeoutSeconds": 10,
  "filters": {
    "User": "status eq \"ACTIVE\"",
    "Group": "id in (\"1a902e2d-76ec-4341-b351-2ad18978ae2c\",\"52e20194-dca1-489b-8ebc-c836d8ea871e\")"
  }
}

Using Search Parameters

To use Okta search parameters, add the appropriate search expression to the relevant entity in the Adapter config. Search expressions must be at least 7 characters long (minimum valid search is “id eq x”).

Sample Adapter Config with Search Parameters

{
  "requestTimeoutSeconds": 10,
  "search": {
    "User": "profile.department eq \"Engineering\" and status eq \"ACTIVE\"",
    "Group": "profile.name sw \"Admin\" or profile.description co \"Management\""
  }
}

Search Expression Examples

User Search Examples:

  • Find users by department: profile.department eq \"Engineering\"
  • Find users by first name: profile.firstName eq \"John\"
  • Find active users in specific departments: status eq \"ACTIVE\" and (profile.department eq \"Engineering\" or profile.department eq \"Marketing\")
  • Find users with mobile phones: profile.mobilePhone pr
  • Find users created after a date: created gt \"2023-01-01T00:00:00.000Z\"

Group Search Examples:

  • Find groups by name prefix: profile.name sw \"Admin\"
  • Find groups containing text in description: profile.description co \"Project\"
  • Find specific group types: type eq \"OKTA_GROUP\"

Quote Escaping in Configuration

When configuring search expressions in SGNL, you need to escape double quotes using backslashes. SGNL will automatically convert \" to " when sending the request to Okta.

Example:

  • In SGNL Config: "profile.department eq \"Engineering\""
  • Sent to Okta: profile.department eq "Engineering"

Supported Operators

Comparison Operators:

  • eq - Equal to
  • gt - Greater than
  • ge - Greater than or equal to
  • lt - Less than
  • le - Less than or equal to
  • pr - Present (attribute has a non-null value)
  • sw - Starts with
  • co - Contains (requires at least 3 characters)

Logical Operators:

  • and - Logical AND
  • or - Logical OR
  • () - Grouping with parentheses

Note: Okta does not support the ne (not equal) operator. Use lt ... or ... gt to achieve the same result.

Adapter Config Fields

  • requestTimeoutSeconds - How long to wait for a request to Okta to complete before failing and retrying, default 10
  • filters - Basic filter expressions using Okta’s filter parameter syntax
  • search - Search expressions using Okta’s search parameter syntax (recommended)

Important: For each entity, use either filters or search, but not both. SGNL will validate this configuration and return an error if both are specified for the same entity.