Okta

Configuring the Veza integration for Okta.

Veza integrates with Okta to gather individual user metadata, applications, groups, and domains. After synchronizing with Okta, Veza shows the relationships connecting Okta identities and the external data sources and services they have access to (such as Snowflake databases, SQL tables, or AWS S3 buckets).

  • You can use Okta properties such as country, department, or login date to filter queries and define access reviewers for Okta users

  • If an identity mapping from Okta to another integrated data source is not detected by Veza, you can define the relationships with custom identity mappings

  • If your organization uses custom attributes in addition to the standard properties collected by Veza, you can enable them on the Veza configuration screen.

Integrating with Okta

Veza can establish a connection to Okta using OAuth 2.0 application credentials or user API keys. OAuth is recommended to provide greater control over application permissions, but you can use API keys for testing or non-production environments.

Authenticate using OAuth 2.0 Credentials

Log in to Okta to create a new app integration, generate keys, and assign scopes and roles:

The OAuth App requires a super admin or read-only admin role in your Okta organization. If you encounter a permissions error at step 5, the feature is not enabled. Go to Okta Settings > Features and enable the Assign admin roles to public client app option.

  1. Go to Applications after logging into your Okta account. Record your Okta organization's URL, omitting https://

  2. Create a new app:

    • Click on Create App Integration.

    • Choose API Services as the integration type.

  3. Configure the Application:

    • Assign a descriptive name to your application.

    • In the app configuration section, Edit the client credentials:

      • Copy the Client ID.

      • For Client Authentication, enable Public key/Private key.

      • In General Settings, ensure the option Require Demonstrating Proof of Possession (DPoP) is disabled.

      • Under Public Keys, add a key and copy the PEM value (starting with -----BEGIN PRIVATE KEY-----). Save this key and copy the Key ID (KID). Save your changes.

      • Convert the PEM private key to an RSA private key using OpenSSL: Run openssl rsa -in ~/okta_generated.key -out okta_updated.key -traditional in your terminal.

  4. Assign scopes: In the Okta API Scopes section, find and grant the application scopes:

    • okta.users.read

    • okta.groups.read

    • okta.apps.read

    • okta.roles.read

    • okta.logs.read

    • okta.userTypes.read

  5. On the Admin Roles tab, click Edit Assignments > Add Assignment. Assign the Read-only Administrator role and save the changes.

    • (Optional) To gather and show metadata for Okta Admin Roles, the Veza app needs the Super Administrator role. The application scopes granted above will restrict the integration to read-only capabilities. For a full visualization of access in Okta, Veza recommends granting a super admin role if possible.

Authenticate with an admin user API token

Create a user for Veza and assign an administrator role:

  1. Open Directory > People and click Add Person.

  2. Enter user details for the profile (such as VezaIntegration). Click Save.

  3. Open Security > Administrators and click Add Administrator.

  4. In the Grant Administrator Role To field, enter the name of the Veza user.

  5. Pick Read-Only Administrator for the assigned role.

  6. Save the changes.

Gathering metadata for Administrator Roles requires that the integration has Okta superuser permissions. To optionally do so you must assign the super admin role instead of read-only admin.

Get an access token for the Okta user

  1. Sign in to your Okta domain with the read-only admin username and password.

  2. Go to Security > API using the admin console menu. Open the Tokens tab.

  3. Click Create Token.

  4. Give it a name and click Create Token.

  5. Save the token value, which will only appear once.

For more information, see Create an API Token in the Okta documentation.

Configure the Veza integration for Okta

Go to the Veza Integrations page to enable the Okta integration:

  1. Click Integrations on the main navigation.

  2. Click Add Integration > Okta*.

  3. Enter your organization's Okta Domain to authenticate with.

  4. Pick the Credential Type: API token or OAuth.

  5. For OAuth authentication, enter your client ID and private key ID. Upload the RSA private key.

  6. For API token authentication, enter the token generated for your Okta user.

  7. Click Next to configure optional identity mappings. These mapping correlate Okta users with local accounts in other systems, when Veza cannot automatically detect a connection.

  8. Click Next to specify any custom properties you want Veza to discover.

  9. Click Create Integration to save the configuration.

  10. To prevent large Okta environments from causing integration pipeline delays, Veza recommends enabling audit log extraction as described in the next section.

By default, Veza discovers all Okta domains and applications in the account. You can deselect the "Gather All Applications" option to only sync specific apps, based on the allowlist settings.

Enable Audit Logs for Okta

Veza can parse Okta system logs to extract activity metadata. This enables two key capabilities:

  • Incremental Extraction for the Okta integration: Enabling audit logs allows updates to Authorization Graph metadata only for entities that have changed since the last snapshot. This reduces the time needed to gather users, groups, apps, and roles during each sync. Administrators should enable this feature post-Okta integration setup to improve extraction speed and minimize traffic to Okta API endpoints.

  • Support for Activity Monitoring, including generation of Over Provisioned Scores for Okta users.

To enable audit logs for an Okta integration:

  1. Open the Integrations overview and locate the Okta integration.

  2. Click Actions > Enable Audit Logs.

To disable activity monitoring and incremental extraction, toggle the option to Disable Audit Logs.

Okta Custom properties

Your Okta organization might add additional user metadata with Custom Attributes. To include these custom properties during discovery, specify the Name and data Type of each property to collect.

For example, if your organization used a custom attribute to track employee region, you can use this information for attribute filters by adding the custom property to the Okta integration configuration.

  1. On Edit Integration > Custom Properties tab, click Add Custom Property.

  2. Enter the variable name region as the property name to collect.

  3. Pick String as the property type.

  4. Save the configuration.

The specified attributes will appear on Authorization Graph entities the next time Veza connects to the Okta domain.

The supported types are:

  • String

  • Number

  • Boolean

  • RFC339 Timestamp

  • String List

Veza honors RFC339 timestamp formats such as: 2006-01-02T15:04:05Z07:00, 2006-01-02T15:04:05.999999999Z07:00, 2006-01-02 15:04:05Z07:00, 2006-01-02 15:04:05, 2006-01-02, 2006-01-02T, 2006-01-02T15:04:05, 2006-01-02T15:04:05Z Time values in the format "18:47:12.019Z" (that do not contain dates) are only supported in strings.

Okta custom identity mappings

Veza can automatically detect relationships for Okta and AWS, Snowflake, and other providers. However, some connections to standalone data sources need to be explicitly mapped.

  • Administrators can disable default IdP User > Local User mapping by email when adding a custom mapping.

  • Administrators can configure up to four property matchers for custom identity mapping based on possible combinations of user name and email. If any matcher is valid, Veza connects the IdP and local identities.

  • When submitting authorization metadata for custom apps with the Open Authorization API, local users, groups, roles, and permissions map to Okta identities by login email and group name.

  • Veza identifies Okta-AWS relationships based on the official AWS Account Federation app

Use Custom Identity Mappings to manually create a connection to another provider. For example, employees might be able to access a standalone SQL database with their Okta credentials:

  1. Open the Okta provider configuration menu (Configuration > Identity Providers > Add or Edit)

  2. Click Identity Mapping Configurations

  3. Pick the Destination Datasource Type. The mapping will apply to all resources of the chosen provider (such as SQL Server).

  4. Pick an optional transformation. By default, Veza will link identities based on email addresses (username@domain). To match only the username, use Ignore Domain. You can also ignore special characters in local usernames.

Notes and supported entities

Veza gathers metadata and creates searchable Authorization Graph entities to represent:

  • Okta Domains

  • Okta Groups

  • Okta Apps

  • Okta App Users (Application Roles)

  • Okta App Group Assignments

  • Okta Users

  • Okta Roles (Administrator Roles)

Last updated