# Okta

Okta (opens new window) is a cloud service that organizes workforce and customer identities.

It provides cloud software that helps companies to manage secure user authentication for modern applications and helps developers to build identity controls into applications, web services, and devices.

# API version

The Okta connector uses the Core Okta API v1 (opens new window).

# How to connect to Okta

Workato supports three different types of connections to Okta:

Workato recommends using either Authorization code grant authentication (OAuth 2.0) or Client credentials-based authentication (OAuth 2.0) for improved security in your connection. This also allows you to set up granular permissions to control resources that Workato can access in Okta.

# Authorization code grant authentication

1

Log in to your Workato account and navigate to the project you plan to add your Okta connection to.

2

Click Create > Connection > select Okta as your connection.

3

To use authorization code grant authentication, select the Authorization code grant option from the Authentication type drop-down menu and enter the following information:

Connection field Description
Connection name Give this connection a unique name that identifies which Okta instance it is connected to.
Okta domain Your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com).
Client ID Provide the client ID generated in Okta by completing the following steps.
Client secret Provide the client secret generated in Okta by completing the following steps.
Advanced settings Select the necessary OAuth 2.0 scopes to request from Okta in this connection. This should match the scopes defined in the Okta API Scopes section of the app integration in Okta.

# Generating a client ID and secret for authorization code grant authentication

To generate a client ID and secret for authorization code grant authentication:

1

Sign in to your Okta organization as a user with administrator privileges.

2

In Okta's Admin Console, navigate to Applications > Applications.

Applications > Applications Navigate to Applications > Applications

3

Select Create App Integration.

Select Create App Integration Select Create App Integration

4

Select OIDC - OpenID Connect in the Sign-in method section of the Create a new app integration page.

Create a new app integration Create a new app integration

5

Select Web Application in the Application type section.

6

Enter a meaningful App integration name on the New Web App Integration page.

New Web App Integration page New Web App Integration page

7

Ensure the Proof of possession field is deselected.

8

Select the following checkboxes in the Client acting on behalf of a user field of the Grant type section:

  • Authorization Code
  • Refresh Token
9

Enter the Workato callback URI in the Sign-in redirect URIs section according to your data center:

  • US Data Center: https://www.workato.com/oauth/callback
  • EU Data Center: https://app.eu.workato.com/oauth/callback
  • JP Data Center: https://app.jp.workato.com/oauth/callback
  • SG Data Center: https://app.sg.workato.com/oauth/callback
  • AU Data Center: https://app.au.workato.com/oauth/callback

Sign-in redirect URIs Sign-in redirect URIs

10

Select an Assignment option according to your preference and then select Save. Okta creates the app integration.

11

Copy the Client ID and Client Secret in the new app integration's General tab so you can enter these credentials in Workato's Okta connection settings.

Copy the Client ID and Client Secret Copy the Client ID and Client Secret

12

Under General Settings, ensure the Proof of possession field is deselected.

13

Navigate to the Okta API Scopes tab and assign the necessary scopes to the integration. The connection requires the following scopes at a minimum:

  • okta.logs.read
  • okta.schemas.read

Assign Okta API scopes Assign Okta API scopes

# Client credentials-based authentication

1

Log in to your Workato account and navigate to the project you plan to add your Okta connection to.

2

Click Create > Connection > select Okta as your connection.

3

To use client credentials-based authentication, select the Client credentials option from the Authentication type drop-down menu and enter the following information:

Connection field Description
Connection name Give this connection a unique name that identifies which Okta instance it is connected to.
Okta domain Your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com).
Client ID Provide the client ID generated in Okta by completing the following steps.
Private Key Provide the private key generated in PEM format in Okta by completing the following steps.
Advanced settings Select the necessary OAuth 2.0 scopes to request from Okta in this connection. This should match the scopes defined in the Okta API Scopes section of the app integration in Okta.

# Generating a client ID and secret for client credentials-based authentication

To generate a client ID and secret for client credentials-based authentication:

1

Sign in to your Okta organization as a user with administrator privileges.

2

In Okta's Admin Console, navigate to Applications > Applications.

Applications > Applications Navigate to Applications > Applications

3

Select Create App Integration.

Select Create App Integration Select Create App Integration

4

Select API Services in the Sign-in method section of the Create a new app integration page.

Select API Services Select API Services

5

Enter a meaningful App integration name on the New API Services App Integration page and then select Save.

App integration name App integration name

6

Copy the Client ID in the new app integration's General tab.

Copy Client ID Copy Client ID

7

Select Edit and then select Public key / Private key in the Client authentication field.

8

Select Add key in the PUBLIC KEYS section.

9

Select Generate new key in the Add a public key section to generate a new key pair.

Add a public key Add a public key

10

Select PEM in the Private key section and copy the private key so you can enter it in Workato's Okta connection settings. You will not be able to retrieve this private key again.

Copy the private key Copy the private key

11

Select Done.

12

Select Save in the new app integration's General tab to store and activate the key. You must save the key before you can use it to connect to Workato.

If you see the message Existing client secrets will no longer be used, select Save.

The key status changes to Active.

Active the key Activate the key

13

Navigate to the Okta API Scopes tab and assign the necessary scopes to the integration. The connection requires the following scopes at a minimum:

  • okta.logs.read
  • okta.schemas.read

Assign Okta API scopes Assign Okta API scopes

# API key-based authentication

The Okta connector uses an API key to authenticate with Okta.

Okta connection setup Okta connection setup

Connection field Description
Connection name Give this connection a unique name that identifies which Okta instance it is connected to.
Okta domain Your Okta domain name (for example, mycompany.okta.com or mytest.oktapreview.com).
API Key An API key. You can generate API keys from your Okta instance by navigating to Security > API > Create token.

API TOKEN PRIVILEGES

Creating API tokens requires administrator privileges. Ensure that you are logged in as an administrator before proceeding. Refer to Okta's documentation (opens new window) for more information.

# Roles and permissions required to connect

Workato recommends that the user and API key used to connect to Workato have Organization Administrator or Super Administrator entitlements. Several triggers and actions require administrator privileges.

# Troubleshooting connection issues with OAuth 2.0 connections

# Issue: 400 Bad Request error

If you encounter a 400 Bad Request error when setting up an OAuth 2.0 connection to Okta, it may be due to the newly introduced Demonstrating Proof-of-Possession (DPoP) for OAuth 2.0, which is now enabled by default for new applications. To ensure successful connection, disable DPoP for your Okta applications.

1

Log in to your Okta Admin Console.

2

Navigate to Applications and select your application.

3

Go to the General > General Settings > APPLICATION.

4

Ensure the Proof of possession field is deselected.

For more details, refer to the following resources:

# Triggers and actions

The following documentation contains triggers supported on Workato:

The following documentation contains user lifecycle actions supported on Workato:

The following documentation contains resource discovery actions supported on Workato:


Last updated: 5/17/2024, 2:35:03 AM