Configuring the Okta integration for Veza Lifecycle Management.
The Veza integration for Okta enables automated user lifecycle management, with support for user provisioning and de-provisioning, group membership management, and attribute synchronization.
SYNC_IDENTITIES
Synchronizes identity attributes between systems, with options to create new identities and update existing ones
✅
MANAGE_RELATIONSHIPS
Controls entitlements such as group memberships and role assignments for identities
✅
DEPROVISION_IDENTITY
Safely removes or disables access for identities, includes user logout support
✅
CREATE_ENTITLEMENT
Creates entitlements such as Okta groups
✅
RESET_PASSWORD
Allows password reset operations for Okta users
✅
SOURCE_OF_IDENTITY
Okta can act as a source system for identity lifecycle policies
✅
You will need administrative access in Veza to configure the integration and grant API scopes in Okta.
Verify your Okta integration has completed at least one successful extraction
The Okta integration will need the additional required API scopes:
okta.users.manage - For user lifecycle operations
okta.groups.manage - For group membership management
To enable the integration:
In Veza, go to the Integrations overview
Search for or create an Okta integration
Check the box to Enable usage for Lifecycle Management
Configure the extraction schedule to ensure your Okta data remains current:
Go to Veza Administration > System Settings
In Pipeline > Extraction Interval, set your preferred interval
Optionally, set a custom override for Okta in the Active Overrides section
To verify the health of the Lifecycle Management data source:
Use the main Veza navigation menu to open the Lifecycle Management > Integrations page or the Veza Integrations overview
Search for the integration and click the name to view details
In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled
Okta can also be a target for identity management actions, based on changes in another external source of truth or as part of a workflow:
Primary action for user management (creating or updating users):
Login ID cannot be changed after creation
Email addresses must be unique
Required attributes must be present (login, email, first_name, last_name)
The following attributes can be synchronized:
Both adding and removing memberships are supported. Group memberships are removed in deprovisioning.
Add and remove group memberships
Synchronize group assignments
Track membership changes
When a user is deprovisioned:
User account is disabled
Group memberships are removed
Attribute history is preserved for audit
Account can be reactivated if needed
Entity Types: Okta Groups
Assignee Types: Okta Users
Supports Relationship Removal: Yes
Within Okta, groups can be associated with:
Application group assignments controlling SSO access
Permissions to resources within specific applications
Synchronized AWS SSO groups
Role-based access controls within Okta
Allows password reset operations for Okta users:
Requires the login attribute as a unique identifier
Non-idempotent action (each execution creates a new password reset event)
Will trigger Okta's standard password reset flow for the specified user
This document includes steps to enable the Okta integration for use in Lifecycle Management, along with supported actions and notes. See for more details.
Ensure you have an existing in Veza or add a new one for use with Lifecycle Management.
Okta can serve as a source for identity information in Lifecycle Management . User identity details are synchronized from Okta with changes propagated to connected systems
The integration supports the following lifecycle management :