Okta OAuth2 Platform

Okta OAuth2 Platform, a Single Sign-On (SSO) provider, offers cloud software that helps companies manage and secure user authentication into modern applications.

The following sections provide prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Okta OAuth2 Platform Information
Required Minimum Permissions for Okta OAuth2 Platform
Authentication Method for Okta OAuth2 Platform
Required Credentials for Okta OAuth2 Platform
Obtaining Client ID and Private Key for Okta OAuth2 Platform
Integrating Okta OAuth2 Platform With SaaS Management
Okta OAuth2 Platform API Endpoints

Stored Okta OAuth2 Platform Information

The following table describes the available integration tasks and stored data.

| Available Integration Tasks | Information Stored |
| --- | --- |
| HR Roster | User ID, Email, First Name, Last Name, Active Date, Status, Location, Department |
| Application Roster | User ID, Email, First Name, Last Name, Active Date, Status |
| Application Access | User ID, Occurred (Last Login) |
| Application Discovery | Instance ID, Application Name, Application Label, Logo Link |
| SSO Application Roster | First Name, Last Name, Unique ID, Email, Active Date, Application Instance ID, Application Name |
| SSO Application Access | Unique ID, Occurred (Application Launch), Application Instance ID |

Note: The information stored is subject to change as enhancements are made to the SaaS application.

Required Minimum Permissions for Okta OAuth2 Platform

The minimum required API permissions are based on the Required Application Permissions for Okta OAuth2 Platform and the Required User Role for Okta OAuth2 Platform.

Required Application Permissions for Okta OAuth2 Platform

| Application Permission | Description | Integration Task Name |
| --- | --- | --- |
| okta.users.read | To read the list of users in your Okta account. | Application Roster, HR Roster, SSO App Roster |
| okta.logs.read | To read the user access event details in your Okta account. | Application Access, SSO Application Access |
| okta.apps.read | To read the SSO Apps in your Okta account. | App Discovery, SSO App Roster |

Required User Role for Okta OAuth2 Platform

Note: The following SaaS application user role is not applicable to Flexera One roles.

| User Role | Description |
| --- | --- |
| Super Administrator | To grant the application permissions, the user must have Super Admin Access. For details, see the Okta Developer documentation section Create a service app and grant scopes. |

Authentication Method for Okta OAuth2 Platform

OAuth 2.0 client credentials flow with JWT assertion.

Required Credentials for Okta OAuth2 Platform

Domain URL
Client ID
Private Key
Number of API calls allowed per minute

Obtaining Client ID and Private Key for Okta OAuth2 Platform

To obtain a Client ID and a Private Key, perform these high-level steps. The Private Key is only used to sign the JSON Web Token (JWT), which is then used for requesting the scoped access token.

To obtain the Client ID and Private Key:

1. Sign in to your Okta organization as a user with administrative privileges.
2. In the Admin Console, go to Applications > Applications, and then click Create App Integration. The Create a New App Integration page opens.
3. On the Create a New App Integration page:
   a. Select the following sign-in method: API Services—Interact with Okta APIs using the scoped OAuth 2.0 access tokens for machine-to-machine authentication.
   b. Click Next.
4. Enter a name for your app integration and click Save.
5. In the General tab:
   a. Edit the client credentials.
   b. Change the client authentication to Public key / Private key.
6. Leave the default option as Save keys in Okta and click the Add Key button. The Add a Public Key dialog opens.
7. In the Add a Public Key dialog:
   a. Scroll down and on the upper-right side, click Generate New Key.
   b. After the key is generated, scroll down to the Private Key - Copy this! section and on the left side select PEM.
   c. Copy and paste the private key to a separate file, as the private key is displayed only once.
   d. Click Done.
8. From the General tab, go to the Okta API Scopes tab and grant access to the following three scopes:
   okta.apps.read
   okta.logs.read
   okta.users.read
9. As an option, you can set the API rate limit. Go to the Applications Rate Limits tab and edit the number of API calls allowed. By default, the API rate limit is set to 50%.
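
The signing step described in this section, as an added example that is not Flexera or Okta code: it builds the JWT client assertion with the private key, assembles the token request that carries only the signed JWT, and verifies the signature the way the holder of the public key would. The domain, client ID and key pair are constructed placeholders, and the claim set and the /oauth2/v1/token audience are assumptions taken from Okta's service-app documentation rather than from this page.

```javascript
// Added example (not Flexera or Okta code): client assertion for the
// OAuth 2.0 client credentials flow, using only Node.js built-ins.
const crypto = require('crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Build the RS256-signed JWT that replaces a shared client secret.
function buildClientAssertion({ domain, clientId, privateKeyPem, ttlSeconds = 300 }) {
  const iat = Math.floor(Date.now() / 1000);
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: clientId, // issuer and subject are both the Client ID
    sub: clientId,
    aud: `https://${domain}/oauth2/v1/token`, // assumed org token endpoint
    iat,
    exp: iat + ttlSeconds, // keep short; a leaked assertion expires quickly
    jti: crypto.randomUUID(), // unique ID so the server can reject reuse
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // RSA PKCS#1 v1.5 over SHA-256 is what the JWT "RS256" algorithm means.
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Form body for the token request; only the signed JWT is sent, never the key.
function buildTokenRequest(assertion) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    scope: 'okta.users.read okta.logs.read okta.apps.read',
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  });
}

// What the authorization server does with the public key stored in step 6.
function verifyAssertion(jwt, publicKeyPem) {
  const [h, p, s] = jwt.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKeyPem, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}

// Constructed demo values: a locally generated key pair and a placeholder client ID.
const demoKeys = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const demoJwt = buildClientAssertion({ domain: 'mycompany.okta.com', clientId: 'EXAMPLE_CLIENT_ID', privateKeyPem: demoKeys.privateKey });
console.log(buildTokenRequest(demoJwt).toString().slice(0, 100) + '...');
```

Because the assertion is bound to one audience and expires after a few minutes, the long-lived secret to protect is the PEM file copied in step 7.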

Integrating Okta OAuth2 Platform With SaaS Management

Complete the following steps to integrate Okta OAuth2 Platform with SaaS Management.

To integrate Okta OAuth2 Platform with SaaS Management:

1. Complete the prerequisite steps in Obtaining Client ID and Private Key for Okta OAuth2 Platform.
2. In SaaS Management, add the Okta OAuth2 platform application. For details, see Adding an Application.
3. Sign in to the Okta Platform portal homepage. Copy your domain URL, which follows the convention mycompany.okta.com, and paste it into the URL field in SaaS Management.
4. Copy and paste the Client ID and Private Key values generated in Obtaining Client ID and Private Key for Okta OAuth2 Platform into their respective SaaS Management fields.

Note: The Private Key is only used to sign the JWT.

5. Number of API calls allowed per minute is an optional SaaS Management field. This field limits the number of API calls made by an integration to Okta Platform. For details, see Okta Platform’s Rate Limits.

Note: Leave the Number of API calls allowed per minute field blank for automatic rate limit handling.

Tip: After the Application Discovery integration task has been enabled for 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For details, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Okta OAuth2 Platform API Endpoints

HR Roster, Application Roster

https://<<Domain-URL>>/api/v1/users

Application Access and SSO Application Access

https://<<Domain-URL>>/api/v1/logs

SSO Application Roster

https://<<Domain-URL>>/api/v1/users 
https://<<Domain-URL>>/api/v1/apps 
https://<<Domain-URL>>/api/v1/apps/<<app instance id>>/users 

Application Discovery

https://<<Domain-URL>>/api/v1/apps