Okta OAuth2 Platform

Okta OAuth2 Platform, a Single Sign-On (SSO) provider, offers cloud software that helps companies manage and secure user authentication into modern applications.

The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Okta OAuth2 Platform Information
Required Minimum Permissions for Okta OAuth2 Platform
Authentication Method for Okta OAuth2 Platform
Required Credentials for Okta OAuth2 Platform
Obtaining Client ID and Private Key for Okta OAuth2 Platform
Integrating Okta OAuth2 Platform With SaaS Management
Okta OAuth2 Platform API Endpoints

Stored Okta OAuth2 Platform Information

The following table describes the available integration tasks and stored data within [ProductName].

Available Integration Tasks | Information Stored
HR Roster | User ID, Email, First Name, Last Name, Active Date, Status, Location, Department
Application Roster | User ID, Email, First Name, Last Name, Active Date, Status
Application Access | User ID, Occurred (Last Login)
Application Discovery | Instance ID, Application Name, Application Label, Logo Link
SSO Application Roster | First Name, Last Name, Unique ID, Email, Active Date, Application Instance ID, Application Name
SSO Application Access | Unique ID, Occurred (Application Launch), Application Instance ID

Note: The information stored is subject to change as enhancements are made to the SaaS application.

Required Minimum Permissions for Okta OAuth2 Platform

The minimum required API permissions are the combination of the Required Scopes for Okta OAuth2 Platform and the Required User and Application Role for Okta OAuth2 Platform.

Required Scopes for Okta OAuth2 Platform

For more information on the required scopes, see Okta’s Developer documentation topic, OAuth 2.0 Scopes.

Required Scope | Description | Integration Task Name
okta.users.read | Enables you to read the list of users in your Okta account. | Application Roster, HR Roster, SSO Application Roster
okta.logs.read | Enables you to read the user access event details in your Okta account. | Application Access, SSO Application Access
okta.apps.read | Enables you to read the SSO Apps in your Okta account. | Application Discovery, SSO Application Roster

Required User and Application Role for Okta OAuth2 Platform

Note: The following user and application role is not applicable to Flexera One roles.

User Role | Description
Super Administrator | The user must have the Super Administrator role to grant the application permissions.

For more information, see Okta’s Developer documentation topic, Implement OAuth for Okta With a Service App.


Application Role | Description
Super Administrator | The application must have the Super Administrator role to read the users, apps, and the log.

For more information, see Okta’s Developer documentation topic, Assign Admin Roles to the OAuth 2.0 Service App.

Note: Consider the following:

The admin roles determine which resources the admin can perform the actions on. For example, the admin can assign resources to a specific group of users or to a specific set of apps.
Scopes determine the action that the admin can perform. For example, the admin can manage users, read applications, and more.

Authentication Method for Okta OAuth2 Platform

The required authentication method is OAuth 2.0 Client Credentials Flow With JWT Assertion.
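The flow in one piece, as an added example that is not part of this documentation or of any Flexera or Okta code: a Go program that signs the client-assertion JWT with the Private Key and assembles the form body that is POSTed to the org token endpoint (https://<<Domain-URL>>/oauth2/v1/token) to obtain an access token scoped to the three read scopes. The Client ID, domain and RSA key are constructed stand-ins; a real integration loads the PEM copied from the Add Key dialog instead of generating a key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// clientAssertion builds the RS256-signed JWT (header.claims.signature) that authenticates the
// service app: iss and sub carry the Client ID; aud is the org token endpoint, which pins the JWT to one org.
func clientAssertion(key *rsa.PrivateKey, clientID, domain string, now time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": "https://" + domain + "/oauth2/v1/token",
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // short lifetime limits replay
	})
	input := enc(header) + "." + enc(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// Form body POSTed to https://<domain>/oauth2/v1/token; only the signed assertion travels, never the key.
func tokenRequestForm(assertion, scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"scope":                 {scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key; use the PEM from the Add Key dialog
	jwt, err := clientAssertion(key, "0oaEXAMPLECLIENTID", "mycompany.okta.com", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println(tokenRequestForm(jwt, "okta.users.read okta.logs.read okta.apps.read").Encode())
}
```

The access token returned by Okta is what the integration then presents on the /api/v1 endpoints listed later on this page; the Private Key is used only here.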

Required Credentials for Okta OAuth2 Platform

The following credentials are required:

Domain URL
Client ID
Private Key
Number of API calls allowed per minute

Obtaining Client ID and Private Key for Okta OAuth2 Platform

To obtain a Client ID and a Private Key, perform these high-level steps. The Private Key is only used to sign the JSON Web Token (JWT), which is then used for requesting the scoped access token.

To obtain the Client ID and Private Key:

1. Sign in to your Okta organization as a user with administrative privileges.
2. In the Admin Console, go to Applications > Applications, and then click Create App Integration. The Create a New App Integration page opens.
3. On the Create a New App Integration page:
a. Select the following sign-in method: API Services—Interact with Okta APIs using the scoped OAuth 2.0 access tokens for machine-to-machine authentication.
b. Click Next.
4. Enter a name for your app integration and click Save.
5. In the General tab:
a. Edit the client credentials.
b. Change the client authentication to Public key / Private key.
6. Leave the default option as Save keys in Okta and click the Add Key button. The Add a Public Key dialog opens.
7. In the Add a Public Key dialog:
a. Scroll down and on the upper-right side, click Generate New Key.
b. After the key is generated, scroll down to the Private Key - Copy this! section and on the left side select PEM.
c. Copy and paste the private key to a separate file, as the private key is displayed only once.
d. Click Done.
8. From the General tab, go to the Okta API Scopes tab and grant access to the following three scopes:
okta.apps.read
okta.logs.read
okta.users.read
9. From the General tab, go to the Admin Roles tab.
a. Click Edit Assignments to go to the Administrator Assignment by Admin screen.
b. Go to the Complete the Assignment section.
c. Click the Role dropdown list, enter Super Administrator in the search box, and select the Super Administrator role.
d. Click Save Changes to grant the Super Administrator role.

Note: You can also grant the Super Administrator role by following the instructions in the Okta Developer documentation topic, Assign Admin Roles to Apps.

10. As an option, you can set the API rate limit. Go to the Applications Rate Limits tab and edit the number of API calls allowed. By default, the API rate limit is set to 50%.

Integrating Okta OAuth2 Platform With SaaS Management

Complete the following steps to integrate Okta OAuth2 Platform with SaaS Management.

To integrate Okta OAuth2 Platform with SaaS Management:

1. Complete the prerequisite steps in Obtaining Client ID and Private Key for Okta OAuth2 Platform.
2. In SaaS Management, add the Okta OAuth2 platform application. For more information, see Adding an Application.
3. Sign in to the Okta Platform portal homepage. Copy your domain URL, which follows the convention mycompany.okta.com, and paste it into the URL field in SaaS Management.
4. Copy the Client ID and Private Key values generated in Obtaining Client ID and Private Key for Okta OAuth2 Platform and paste them into their respective SaaS Management fields.

Note: The Private Key is only used to sign the JWT.

5. Number of API calls allowed per minute is an optional SaaS Management field. This field limits the number of API calls made by an integration to Okta Platform. For more information, see Okta Platform’s Rate Limits.

Note: Leave the Number of API calls allowed per minute field blank for automatic rate limit handling.

Tip: Once the Application Discovery integration task has been enabled for 24 hours, you can add the discovered SSO-enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Okta OAuth2 Platform API Endpoints

HR Roster and Application Roster

https://<<Domain-URL>>/api/v1/users

Application Access and SSO Application Access

https://<<Domain-URL>>/api/v1/logs

SSO Application Roster

https://<<Domain-URL>>/api/v1/users
https://<<Domain-URL>>/api/v1/apps
https://<<Domain-URL>>/api/v1/apps/<<app instance id>>/users

Application Discovery

https://<<Domain-URL>>/api/v1/apps