Release Notes

Okta

Configuring the Okta integration for Veza Lifecycle Management.

Overview

The Veza integration for Okta enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization.

Action Type
Description
Supported

SYNC_IDENTITIES

Synchronizes identity attributes between systems, with options to create new identities and update existing ones

MANAGE_RELATIONSHIPS

Controls entitlements such as group memberships and role assignments for identities

DEPROVISION_IDENTITY

Safely removes or disables access for identities, includes user logout support

CREATE_ENTITLEMENT

Creates entitlements such as Okta groups

RESET_PASSWORD

Allows password reset operations for Okta users

SOURCE_OF_IDENTITY

Okta can act as a source system for identity lifecycle policies

This document includes steps to enable the Okta integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Okta

Prerequisites

  1. You will need administrative access in Veza to configure the integration and grant API scopes in Okta.

  2. Ensure you have an existing Okta integration in Veza or add a new one for use with Lifecycle Management.

  3. Verify your Okta integration has completed at least one successful extraction

  4. The Okta integration will need the additional required API scopes:

    • okta.users.manage - For user lifecycle operations

    • okta.groups.manage - For group membership management

Configuration Steps

To enable the integration:

  1. In Veza, go to the Integrations overview

  2. Search for or create an Okta integration

  3. Check the box to Enable usage for Lifecycle Management

Configure the extraction schedule to ensure your Okta data remains current:

  1. Go to Veza Administration > System Settings

  2. In Pipeline > Extraction Interval, set your preferred interval

  3. Optionally, set a custom override for Okta in the Active Overrides section

To verify the health of the Lifecycle Management data source:

  1. Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview

  2. Search for the integration and click the name to view details

  3. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled

Supported Actions

Okta can serve as a source for identity information in Lifecycle Management Policies. User identity details are synchronized from Okta with changes propagated to connected systems

Okta can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow:

The integration supports the following lifecycle management Actions:

Sync Identities

Primary action for user management (creating or updating users):

  • Login ID cannot be changed after creation

  • Email addresses must be unique

  • Required attributes must be present (login, email, first_name, last_name)

The following attributes can be synchronized:

Okta User Attributes
Property
Required
Type
Description
Notes

login

Yes

String

Primary login identifier

Unique identifier

email

Yes

String

User's email address

Unique

first_name

Yes

String

Given name

last_name

Yes

String

Family name

display_name

No

String

User's display name

user_type

No

String

User type

department

No

String

Organizational department

title

No

String

Job title

manager

No

String

Manager's name

manager_id

No

String

Manager's identifier

employee_id

No

String

Employee identifier

division

No

String

Business division

organization

No

String

Organization name

cost_center

No

String

Cost center

country_code

No

String

Country code

second_email

No

String

Secondary email address

nickname

No

String

User's nickname

Manage Relationships

Both adding and removing memberships are supported. Group memberships are removed in deprovisioning.

  • Add and remove group memberships

  • Synchronize group assignments

  • Track membership changes

Deprovision Identity

When a user is deprovisioned:

  • User account is disabled

  • Group memberships are removed

  • Attribute history is preserved for audit

  • Account can be reactivated if needed

Create Entitlement

  • Entity Types: Okta Groups

  • Assignee Types: Okta Users

  • Supports Relationship Removal: Yes

Within Okta, groups can be associated with:

  • Application group assignments controlling SSO access

  • Permissions to resources within specific applications

  • Synchronized AWS SSO groups

  • Role-based access controls within Okta

Okta Group Attributes
Property
Required
Type
Description

unique_id

Yes

String

Group identifier

description

No

String

Group description

type

No

String

Group type

source

No

String

Group source

last_membership_updated_at

No

Timestamp

Last membership update time

Reset Password

Allows password reset operations for Okta users:

  • Requires the login attribute as a unique identifier

  • Non-idempotent action (each execution creates a new password reset event)

  • Will trigger Okta's standard password reset flow for the specified user

PreviousExchange ServerNextSalesforce

Last updated

Was this helpful?