Okta OAuth2 Platform

Okta OAuth2 Platform, a Single Sign-On (SSO) provider, offers cloud software that helps companies manage and secure user authentication into modern applications.

Information Stored
Minimum Permissions Required
Authentication Method
Credentials Required
Obtaining Client ID and Private Key
Integrating Okta OAuth2 Platform with SaaS Management
API Endpoints

Information Stored

The following table describes the available integration tasks and stored data.

Available Integration Tasks

Integration Task: Information Stored

HR Roster: User ID, Email, First Name, Last Name, Active Date, Status, Location, Department

Application Roster: User ID, Email, First Name, Last Name, Active Date, Status

Application Access: User ID, Occurred (Last Login)

Application Discovery: Instance ID, Application Name, Application Label, Logo Link

SSO Application Roster: First Name, Last Name, Unique ID, Email, Active Date, Application Instance ID, Application Name

SSO Application Access: Unique ID, Occurred (Application Launch), Application Instance ID

Note: The information stored is subject to change as enhancements are made to the product.

Minimum Permissions Required

Application Permission

Permission: okta.users.read
Description: To read the list of users in your Okta account.
Integration Tasks: Application Roster, HR Roster, SSO Application Roster

Permission: okta.logs.read
Description: To read the user access event details in your Okta account.
Integration Tasks: Application Access, SSO Application Access

Permission: okta.apps.read
Description: To read the SSO apps in your Okta account.
Integration Tasks: Application Discovery, SSO Application Roster

User Role

Role: Super Administrator
Description: To grant the application permissions, the user must have Super Admin access. For details, refer to the Okta Developer documentation section Create a service app and grant scopes.

Authentication Method

OAuth2 Client Credentials flow with a JWT assertion (the private key signs the assertion; it is never sent to Okta).

Credentials Required

Domain URL
Client ID
Private Key
Number of API calls allowed per minute

Obtaining Client ID and Private Key

To obtain a Client ID and a Private Key, perform these high-level steps. The Private Key is only used to sign the JSON Web Token (JWT), which is then used for requesting the scoped access token.

To obtain the Client ID and Private Key:

1. Create a public/private key pair (JWKS) and extract the public key so that it can be passed along with the client creation API call.
2. Create the app and register the public key with the app.
3. Grant the required scopes from the Admin Console.
4. Complete the Okta OAuth2 steps 1-3 below.

STEP 1

a. Follow the steps in the Okta Developer documentation section Create a public/private key pair to generate the Public/Private key pair.

Important: Select the Public Key option and NOT Public Key (X.509 PEM Format).

b. Select the following values while creating the key:

Key size: 2048
Key use: Signature
Algorithm: RS256
Show X.509: Yes

c. Make a note of the JWKS public key, which should have the format shown below:

{ "kty": "RSA", "e": "AQAB", "use": "sig", "alg": "RS256", "n": "gOo_Ue7X8teQXObZdbdfLXUHb0Zx5YemmJp_188PLj7pNPD5wUl9nrig9w_llFXUnljW8ZFB6wRaiCJpOGAMb1Q_MdLt-9perTTQlrR1WNE7wc-dlaEbk-WWXNlWLdcDzj7AhquFGezII-1Q8FGb8iSlsZkWBbBabpNw93Vyp4XAqVOfVh7t1StJpD_lKgUpu-qHBS5RDA5hTL43BBjVEIhNQOXI30MzjaPLk2ru8DusNNEtXAnFOfmfz2rVjNJGvNQnBiDHffEVhSIHCLckCwOoE8flL_2DTLONwv-AitFJ2avcyMJvHOpN7ryWXv3KPWIx-v3oQ1iHtLrA1_fyJQ"}

d. Make a note of the Private Key (X.509 PEM Format).

STEP 2

a. Follow the steps in the Okta Developer documentation section Create a service app and grant scopes to create a service app and register the public key.
b. Follow the steps in the Okta Developer documentation section Create an API token to generate the API token that is required by the service app creation request in the next steps.
c. Under the jwks parameter of the request body, paste the public key that you copied in STEP 1. It should look like this:

"jwks": {
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": "gOo_Ue7X8teQXObZdbdfLXUHb0Zx5YemmJp_188PLj7pNPD5wUl9nrig9w_llFXUnljW8ZFB6wRaiCJpOGAMb1Q_MdLt-9perTTQlrR1WNE7wc-dlaEbk-WWXNlWLdcDzj7AhquFGezII-1Q8FGb8iSlsZkWBbBabpNw93Vyp4XAqVOfVh7t1StJpD_lKgUpu-qHBS5RDA5hTL43BBjVEIhNQOXI30MzjaPLk2ru8DusNNEtXAnFOfmfz2rVjNJGvNQnBiDHffEVhSIHCLckCwOoE8flL_2DTLONwv-AitFJ2avcyMJvHOpN7ryWXv3KPWIx-v3oQ1iHtLrA1_fyJQ"
    }
  ]
}

d. Make a note of the client_id and the client_name that are returned in the response.

STEP 3

a. Sign in to the Admin Console with the Super Admin credentials.
b. Select the Applications tab and click Applications. The Applications screen opens.
c. Select the application you created in STEP 2, identified by its client_name.
d. Click Grant for each of the scopes listed under Application Permission. Each granted scope is added to the application's grant collection under the Okta API Scopes tab.
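The flow that STEP 1 to STEP 3 set up, as an added example that is not Flexera's or Okta's code: it generates an RSA key pair, emits the public JWK in the format shown in STEP 1, signs the RS256 client assertion that the Private Key exists for, and assembles the token request that exchanges it for a scoped access token. The claim set (iss and sub equal to the client_id, aud equal to the org's /oauth2/v1/token endpoint) follows Okta's private_key_jwt documentation; the domain, client_id and scope list are constructed values, and the RSA arithmetic is done with the standard library only so the example runs offline.

```python
import base64, hashlib, json, secrets, time
# Added example, not Flexera's or Okta's code: the private_key_jwt client
# assertion behind "client credentials flow with JWT assertion". RSA is done
# with stdlib integers so it runs offline; use a vetted library in production.

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def is_probable_prime(n: int, rounds: int = 24) -> bool:
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:  # n - 1 = d * 2**r with d odd
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True

def gen_rsa_key(bits: int = 2048, e: int = 65537) -> tuple:
    """Return (n, e, d); the page's key is 2048-bit, use 'sig', alg RS256."""
    def prime(k: int) -> int:  # random odd k-bit candidates, top bit set
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if (p - 1) * (q - 1) % e:  # e must be invertible mod phi(n)
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def pkcs1_sha256(data: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) for a k-byte modulus."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def public_jwk(n: int, e: int) -> dict:
    """Public JWK in the shape the page shows; e=65537 encodes as 'AQAB'."""
    enc = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "e": enc(e), "use": "sig", "alg": "RS256", "n": enc(n)}
def token_request(domain: str, client_id: str, n: int, d: int, scopes: list, ttl: int = 300) -> dict:
    """Form fields for POST https://<domain>/oauth2/v1/token (the request is not sent here)."""
    now = int(time.time())
    claims = {"iss": client_id, "sub": client_id, "aud": f"https://{domain}/oauth2/v1/token",
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
    head, body = (b64url(json.dumps(x, separators=(",", ":")).encode())
                  for x in ({"alg": "RS256", "typ": "JWT"}, claims))
    k = (n.bit_length() + 7) // 8  # RS256 signature over "header.payload"
    sig = pow(pkcs1_sha256(f"{head}.{body}".encode(), k), d, n).to_bytes(k, "big")
    return {"grant_type": "client_credentials", "scope": " ".join(scopes),
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": f"{head}.{body}.{b64url(sig)}"}
```

The three scopes granted in STEP 3 are what the scope field should carry; Okta only issues the token if the assertion verifies against the JWK registered in STEP 2 and every requested scope has been granted.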

Integrating Okta OAuth2 Platform with SaaS Management

To integrate Okta OAuth2 Platform with SaaS Management, perform the following steps.

To integrate Okta OAuth2 Platform with SaaS Management:

1. In SaaS Management, add the Okta OAuth2 platform application. Refer to Adding an Application.
2. Sign in to the Okta Platform portal homepage. Copy and paste your domain URL into the URL field in SaaS Management; it follows the convention mycompany.okta.com.
3. Copy the Client ID and Private Key generated in the Obtaining Client ID and Private Key.
4. Paste them into the SaaS Management Client ID and Private Key fields (the private key is only used to sign the JWT).
5. Number of API calls allowed per minute is an optional SaaS Management field. It limits the number of API calls the integration makes to the Okta Platform. For details, refer to Okta Platform's Rate Limits.

Note: Leave this field blank for automatic rate limit handling.

Tip: 24 hours after the Application Discovery integration task has been enabled, you can add the discovered SSO-enabled applications to your list of Managed SaaS Applications. For details, refer to Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

API Endpoints

HR Roster, Application Roster

https://<<Domain-URL>>/api/v1/users

Application Access and SSO Application Access

https://<<Domain-URL>>/api/v1/logs

SSO Application Roster

https://<<Domain-URL>>/api/v1/users
https://<<Domain-URL>>/api/v1/apps
https://<<Domain-URL>>/api/v1/apps/<<app instance id>>/users

Application Discovery

https://<<Domain-URL>>/api/v1/apps