If your Okta Multi-factor enrollment policies are such that traffic from Veza's Cloud IP Addresses is denied the ability to use a factor, Veza will not be able to detect user enrollment in that factor. As a result, the "MFA Active" property for Okta users will be "False," even if factors are enabled for the user. To prevent this, you can can:

• Configure an Okta Network Zone that allows optional MFA factors

• Use an Insight Point to connect to Okta from an IP address internal to your data center that does not have these restrictions

See below for more details and steps to enable:

Background

Okta MFA enrollment policies have the ability to not only set enrollment but also define usage. MFA enrollment policies work by evaluating from the highest priority to the lowest priority at the policy level (filtered by groups), and then at the rule level (filtered by Network Zones and App Condition).

This means that if there is not a policy rule that fits the incoming request, Okta will check the next policy that applies to the user until it finds one (Default Policy applies to everyone and Default Rule applies everywhere).

Resolution

There are 2 options to allow Veza to fully collect MFA enrollment.

1. Configure a Network Zone specifically for the Veza IP Addresses and allow the factors as optional at the Policy level and deny the Enrollment at the Policy Rule Level:

   • Create an Okta Group to control scope during deployment.

   • Configure Network IP Zones for Veza's Cloud IP Addresses under Gateway IPs.

   • Create a Veza MFA Enrollment Policy.

     • For Assigned Groups, enter the group created in step 1.

     • All authenticators are Optional (OIE requires 1 as Required).

     • Create a Veza Policy Rule:

       1. IF User's IP is "in zone" (Add the Zone for Veza's Cloud IP Addresses)

       2. AND User is accessing "Okta"

       3. THEN Enrollment is "Allowed if required authenticators are missing".

   • Test the configuration by adding users to the group.

     • Veza should see everything and user experience should not be affected.

     • After testing, Remove the "Assigned" Group, and Apply the "Everyone" group.

2. Have Veza traffic to Okta run through an Insight Point installed in your data center. This asumes your data center IP Addresses do not have the same restrictions as Veza's Cloud IP Addresses.

Veza integrates with Okta to gather individual user metadata, applications, groups, and domains. After synchronizing with Okta, Veza shows the relationships connecting Okta identities and the external data sources and services they access (such as Snowflake databases, SQL tables, or AWS S3 buckets).

• You can use Okta properties such as country, department, or login date to filter queries and define access reviewers for Okta users

• If Veza does not detect an identity mapping from Okta to another integrated data source, you can define the relationships with custom identity mappings

• If your organization uses custom attributes in addition to the standard properties collected by Veza, you can enable them on the Veza configuration screen.

Integrating with Okta

Veza can establish a connection to Okta using OAuth 2.0 application credentials or user API keys. OAuth is recommended to provide greater control over application permissions, but you can use API keys for testing or non-production environments.

Overview Video - Okta Integration

Authentication using OAuth 2.0 Credentials

Log in to Okta to create a new app integration, generate keys, and assign scopes and roles:

The OAuth App requires a super admin or read-only admin role in your Okta organization. If you encounter a permissions error at step 5, the feature is not enabled. Go to Okta Settings > Features and enable the Assign admin roles to public client app option.

1. Go to Applications after logging into your Okta account. Record your Okta organization's URL, omitting https://

2. Create a new app:

   • Click on Create App Integration.

   • Choose API Services as the integration type.

3. Configure the Application:

   • Assign a descriptive name to your application.

   • In the app configuration section, edit the client credentials:

     • Copy the Client ID.

     • For Client Authentication, enable Public key/Private key.

     • In General Settings, ensure the option Require Demonstrating Proof of Possession (DPoP) is disabled.

     • Under Public Keys, add a key and copy the PEM value (starting with -----BEGIN PRIVATE KEY-----). Save this key and copy the Key ID (KID). Save your changes.

     • Convert the PEM private key to an RSA private key using OpenSSL: Run openssl rsa -in ~/okta_generated.key -out okta_updated.key -traditional in your terminal.

4. Assign scopes: In the Okta API Scopes section, find and grant the application scopes:

   • okta.users.read

   • okta.groups.read

   • okta.apps.read

   • okta.roles.read

   • okta.logs.read

   • okta.userTypes.read

5. On the Admin Roles tab, click Edit Assignments > Add Assignment. Assign the Read-only Administrator role and save the changes.

6. (Optional) To gather and show metadata for Okta Admin Roles, the Veza app needs the Super Administrator role.

   1. The application scopes granted above will restrict the integration to read-only capabilities. For a full visualization of access in Okta, Veza recommends granting a super admin role if possible.

Authenticate with an admin user API token

Create a user for Veza and assign an administrator role:

1. Open Directory > People and click Add Person.

2. Enter user details for the profile (such as VezaIntegration). Click Save.

3. Open Security > Administrators and click Add Administrator.

4. In the Grant Administrator Role To field, enter the name of the Veza user.

5. Pick Read-Only Administrator for the assigned role.

6. Save the changes.

Gathering metadata for Administrator Roles requires that the integration has Okta superuser permissions. To optionally do so you must assign the super admin role instead of read-only admin.

Get an access token for the Okta user

1. Sign in to your Okta domain with the read-only admin username and password.

2. Go to Security > API using the admin console menu. Open the Tokens tab.

3. Click Create Token.

4. Give it a name and click Create Token.

5. Save the token value, which will only appear once.

For more information, see Create an API Token in the Okta documentation.

Configure the Veza integration for Okta

Go to the Veza Integrations page to enable the Okta integration:

1. Click Integrations on the main navigation.

2. Click Add Integration > Okta*.

3. Enter your organization's Okta Domain to authenticate with.

4. Pick the Credential Type: API token or OAuth.

5. For OAuth authentication, enter your client ID and private key ID. Upload the RSA private key.

6. For API token authentication, enter the token generated for your Okta user.

7. Click Next to configure optional identity mappings. These mappings correlate Okta users with local accounts in other systems when Veza cannot automatically detect a connection.

Security Note: For enhanced security, you can store Okta credentials in an external secrets vault instead of directly in Veza. This keeps sensitive credentials in your private network. See Secrets Vaults for configuration details.

1. Click Next to specify any custom properties you want Veza to discover.

2. Click Create Integration to save the configuration.

3. To prevent large Okta environments from causing integration pipeline delays, Veza recommends enabling audit log extraction as described in the next section.

By default, Veza discovers all Okta domains and applications in the account. You can deselect the "Gather All Applications" option to only sync specific apps based on the allowlist settings.

Enable Audit Logs for Okta

Veza can parse Okta system logs to extract activity metadata. This enables two key capabilities:

• Incremental Extraction for the Okta integration: Enabling audit logs allows updates to Authorization Graph metadata only for entities that have changed since the last snapshot. This reduces the time needed to gather users, groups, apps, and roles during each sync. Administrators should enable this feature post-Okta integration setup to improve extraction speed and minimize traffic to Okta API endpoints.

• Support for Activity Monitoring, including generation of Over Provisioned Scores for Okta users.

To enable audit logs for an Okta integration:

1. Open the Integrations overview and locate the Okta integration.

2. Click Actions > Enable Audit Logs.

To disable activity monitoring and incremental extraction, toggle the option to Disable Audit Logs.

Okta Custom properties

Your Okta organization might add additional user metadata with Custom Attributes. To include these custom properties during discovery, specify the Name and data Type of each property to collect.

For example, if your organization used a custom attribute to track employee region, you can use this information for attribute filters by adding the custom property to the Okta integration configuration.

1. On Edit Integration > Custom Properties tab, click Add Custom Property.

2. Enter the variable name region as the property name to collect.

3. Pick String as the property type.

4. Save the configuration.

The specified attributes will appear on Authorization Graph entities the next time Veza connects to the Okta domain.

The supported types are:

• String

• Number

• Boolean

• RFC339 Timestamp

• String List

Veza honors RFC339 timestamp formats, such as: 2006-01-02T15:04:05Z07:00, 2006-01-02T15:04:05.999999999Z07:00, 2006-01-02 15:04:05Z07:00, 2006-01-02 15:04:05, 2006-01-02, 2006-01-02T, 2006-01-02T15:04:05, 2006-01-02T15:04:05Z Time values in the format "18:47:12.019Z" (that do not contain dates) are only supported in strings.

Okta custom identity mappings

Veza can automatically detect relationships for Okta and AWS, Snowflake, and other providers. However, some connections to standalone data sources need to be explicitly mapped.

• Administrators can disable default IdP User > Local User mapping by email when adding a custom mapping.

• Administrators can configure up to four property matchers for custom identity mapping based on possible combinations of user name and email. If any matcher is valid, Veza connects the IdP and local identities.

• When submitting authorization metadata for custom apps with the Open Authorization API, local users, groups, roles, and permissions are mapped to Okta identities by login email and group name.

• Veza identifies Okta-AWS relationships based on the official AWS Account Federation app

Use Custom Identity Mappings to manually create a connection to another provider. For example, employees might be able to access a standalone SQL database with their Okta credentials:

1. Open the Okta provider configuration menu (Configuration > Identity Providers > Add or Edit)

2. Click Identity Mapping Configurations

3. Pick the Destination Datasource Type. The mapping will apply to all resources of the chosen provider (such as SQL Server).

4. Pick an optional transformation. By default, Veza will link identities based on email addresses (username@domain). To match only the username, use Ignore Domain. You can also ignore special characters in local usernames.

Notes and supported entities

Veza gathers metadata and creates searchable Authorization Graph entities to represent:

• Okta Domains

• Okta Groups

• Okta Apps

• Okta App Users (Application Roles)

• Okta App Group Assignments

• Okta Users

• Okta Roles (Administrator Roles)