Onboarding Okta Application in SailPoint IIQ

Hi Everyone,

In this document, we will talk about how to onboard the Okta application and use it for user lifecycle activities in the application.

I have my own SailPoint IIQ and Okta instances to explain it to you. You can use your instances for your practice.

SailPoint IIQ Instance:

Okta Instance:

Okta Admin Console:

Okta: Okta is a cloud-based identity and access management (IAM) platform that can be used to securely access business apps and resources. It can be used for a variety of purposes, including:

Authentication and authorization

Single sign-on (SSO)

User identity management

Multi-factor authentication (MFA)

Identity governance and compliance

API and application backend security

Now, I am going to explain how to onboard the Okta application and use it for provisioning activities for users.

Let’s configure the Okta application first in SailPoint.


In the configuration section, we need two main details: one is the Authentication Type and the second one is the API Token. So, how do I get those details?
Log in to Okta, go to the admin console, and get those two details:
Security → API → Tokens, and click on Create token




Now, you have the token. Next, get the URL from the URL search box.

Now, let’s do the test connection.

If you go to the Schema section, we have three objects by default: account, group, and application. I am not changing anything, going with the default one. You can just preview before aggregating the data to see if SailPoint is pulling data or not.


In the provisioning policies section, we are getting Create and Disable account forms by default. If you want, you can update them. I am just going with the default ones for now.


In the Correlation section, I am using one account correlation config. It is pretty straightforward, as we already did for other applications like Delimited, JDBC, etc. I hope you have done it before.

Here, I am not going to write any rules for now. If you want, you can write rules according to your customization while pulling or reading the data from Okta.
Now, let’s run the account and group aggregation for the Okta application.


Now, let’s check the accounts and groups.


So far, it is clear that we have a total of 12 group objects from Okta, which include applications and groups. And we have 12 accounts as well.

Raise Access Request:

It will ask us to provide details about the user because we have not configured the provisioning policy form to get the user details dynamically. You can write simple code to return the values dynamically for the user in the form.
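As an added example (not code from the original post), here is what a Create provisioning policy for the Okta application can look like when the field values are computed from the identity instead of being prompted for. The Okta account attribute names (firstName, lastName, email, login), the identity attribute getters used, and the fallback mail domain are assumptions; check them against your own Okta schema before importing this through the Debug page.

```xml
<!-- Added example: Create provisioning policy with field value scripts.
     In a field Script, IIQ binds 'identity' to the Identity the account is
     being created for. Attribute names below are assumptions. -->
<Form name="Create" objectType="account" type="Create">
  <Field displayName="First Name" name="firstName" required="true" type="string">
    <Script>
      <Source><![CDATA[
        // Take the first name straight from the identity cube
        return identity.getFirstname();
      ]]></Source>
    </Script>
  </Field>
  <Field displayName="Last Name" name="lastName" required="true" type="string">
    <Script>
      <Source><![CDATA[
        return identity.getLastname();
      ]]></Source>
    </Script>
  </Field>
  <Field displayName="Email" name="email" required="true" type="string">
    <Script>
      <Source><![CDATA[
        // Use the identity email; fall back to a constructed address when it is empty
        String email = identity.getEmail();
        if (email == null || email.trim().length() == 0) {
          // ASSUMPTION: example.com is a placeholder mail domain, replace with yours
          email = identity.getName() + "@example.com";
        }
        return email;
      ]]></Source>
    </Script>
  </Field>
  <Field displayName="Login" name="login" required="true" type="string">
    <Script>
      <Source><![CDATA[
        // Okta logins are normally in email format, so reuse the identity email
        String login = identity.getEmail();
        if (login == null || login.trim().length() == 0) {
          login = identity.getName() + "@example.com";
        }
        return login;
      ]]></Source>
    </Script>
  </Field>
</Form>
```

With scripts like these in place, the access request no longer stops to ask the requester for the user details; if an attribute still shows up as a prompt, the field is missing a value script or the identity attribute it reads is empty.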


After approval is done, the access request is now completed.


Now, let’s check in the Okta application.


The user account got created with the group. Now, try to log in as the user.



By doing so, we can conclude that the user was successfully created and can log in as well.

If you check the access request in SailPoint, its status is Provisioning and verifying.


We can make it complete by running the account aggregation of Okta and Perform Identity Request Maintenance tasks.


Disable Okta Account through SailPoint

It will ask us to provide details on whether to Suspend or Deprovision, because we have not configured the status in the provisioning policy form (we have not provided any value; you can provide one according to your requirements).

Since I have not configured any approvals, it is not going for the approvals. It directly disables the account.


Now, check the user in the Okta application.

Now, the user is deactivated in the application.

Enable the Account:

To enable account updates during the enable operation (updateAccountWithEnableOperation), add the following entry to the application XML using the application Debug page:

<entry key="updateAccountWithEnableOperation" value="true"/>

Now, enable the account.


Check the user in Okta and see if the user is activated or not.

Now, the user is activated. The Okta admin has to reset the password and provide it to the user. After that, the user will be able to log in to the Okta application.

Update the User Details:
I am setting up the target mapping for one of the attributes called email in the Okta application.


Now, update the email attribute and run Refresh Identity Cube with Synchronize attributes enabled for the user. (To update the email in my setup, I change the samaccountname in the source, then run aggregation and refresh; the exact steps vary from one customer to another.)
Current email is: [email protected]

Now, refresh task is completed. Let’s check the user in Okta, if it is updated or not.

Current email is: [email protected]
Likewise, you can update any value in the application as well.

Besides these things, Okta supports lots of features. Please go through the documentation once. We can also do SSO with Okta, for which we have to set up some configuration. I will explain that in another document.

Note: This is an integration that requires additional licensing or subscriptions to use. For more information, contact your customer success manager.

For more information: Supported Features

11 Likes

Nicely articulated @bhanuprakashkuruva .

Thank you. Kavindar!

Hi @bhanuprakashkuruva, is there a way to define the partitions for Okta Account Aggregation, similar to AD/Google? Or a way to improve aggregation performance?

In our pre-production environment, it took over 12 hours to aggregate 189100 accounts with the following parameters in our Okta Application XML:

<entry key="ListUsersWithSearch" value="true"/>
<entry key="groupSkinnyUsers" value="true"/>
<entry key="maxPermissibleCalls" value="70"/>
<entry key="partitionCount" value="24"/>

We also noticed it took almost an hour to create the partitions during aggregation.

Hey Kit,

Sorry, I missed your comment somehow.
Probably, you can try with enabling partitioning in the task. It may reduce time for your aggregation to complete. I believe this application does support that.

Super Nice, thanks a lot for sharing @bhanuprakashkuruva!

Thanks much, @MuhammadMustafa :pray:.
Please like and share it with others needed.

1 Like

Done bro @bhanuprakashkuruva :slight_smile:

1 Like

I also tried this in SailPoint IIQ 8.3p3. But it was giving the below error, and for that we also have a solution as mentioned below.

We are getting an error while aggregating with a URL error like below.


It is a known issue that the URL needs to be corrected.


(Check in aggregation errors)

But still we were getting issues, and later we found there was an update from Okta that changed the URL, which has to be updated in the connector itself. So, SailPoint has provided a patch, 8.3p4, in which the Okta issues are taken care of and fixed. I applied it, and the aggregations are working fine.

https://support.okta.com/help/s/article/discontinuing-support-for-malformed-syntax?language=en_US

https://community.sailpoint.com/t5/IdentityIQ-Server-Software/IdentityIQ-8-3p4/ta-p/254414


2 Likes

Recently I faced one issue regarding the Okta account while the leaver event is triggering. The problem is, if the user has a few groups that grant access to other applications (the user might have other applications also in Okta), and the leaver is triggering (I have enabled the option called Disable account along with Remove Entitlements except Everyone group in the Leaver Rapid Setup configuration) like below, for this account the leaver is failing because the application cannot be unassigned from the user while their group memberships grant them access.

The reason why we are getting this is that there is a group that grants the applications in Okta. So, while the leaver is triggering, SailPoint will try to remove the applications first, but from Okta’s perspective, it is not allowed to deassign an application that is granted by a group. So, first remove the group and then deassign the application.

So, for that, what I did is I removed the applications attribute request while the leaver is triggering (by default in Okta, once the user is deactivated, Okta will take care of deassigning the applications). It will only deassign applications and roles, not groups. So I removed them from the plan in the before provisioning rule of the application, and then later, the leaver went well without any error. Once the account is deactivated in Okta, all those applications are removed from the user, so our requirement is also fulfilled. You can check the below link for code and process.

2 Likes
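As an added example (not the commenter's code, and not the link they refer to), here is one way to write the BeforeProvisioning rule described in that comment: when the plan disables the Okta account, the rule drops the Remove requests for the applications attribute and leaves the group removals and the Disable itself in place. The attribute name applications, the rule name, and the assumption that the Okta connector binds the standard plan, application and log variables to the rule are assumptions; verify them against your Okta application schema before attaching the rule to the application.

```xml
<!-- Added example: BeforeProvisioning rule for the Okta application.
     IIQ binds 'plan' (ProvisioningPlan), 'application' (the Okta Application)
     and 'log' when it runs this rule. The rule name and the attribute name
     "applications" are assumptions. -->
<Rule language="beanshell" name="Okta Leaver Drop Application Removes" type="BeforeProvisioning">
  <Description>
    When a plan disables an Okta account, remove the attribute requests that try to
    unassign applications, because Okta rejects unassigning an application that is
    granted through a group and deactivation unassigns those applications anyway.
  </Description>
  <Source><![CDATA[
    import java.util.ArrayList;
    import java.util.List;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;

    String oktaAppName = application.getName();
    List acctReqs = plan.getAccountRequests();
    if (acctReqs == null) {
      return;
    }

    // Pass 1: is this plan a leaver-style plan, i.e. does it disable the Okta account?
    boolean disablesOkta = false;
    for (AccountRequest acctReq : acctReqs) {
      if (oktaAppName.equals(acctReq.getApplication())
          && AccountRequest.Operation.Disable.equals(acctReq.getOperation())) {
        disablesOkta = true;
      }
    }
    if (!disablesOkta) {
      // Ordinary modifications keep their application removals untouched
      return;
    }

    // Pass 2: strip Remove requests on the "applications" attribute for Okta only.
    // Group removals and the Disable request are kept so the account still gets
    // deactivated and loses its group memberships.
    for (AccountRequest acctReq : acctReqs) {
      if (!oktaAppName.equals(acctReq.getApplication())) {
        continue;
      }
      List attrReqs = acctReq.getAttributeRequests();
      if (attrReqs == null) {
        continue;
      }
      List kept = new ArrayList();
      for (AttributeRequest attrReq : attrReqs) {
        boolean isAppRemove = "applications".equals(attrReq.getName())
            && ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation());
        if (isAppRemove) {
          log.info("Okta leaver: dropping application remove for value " + attrReq.getValue());
          continue;
        }
        kept.add(attrReq);
      }
      acctReq.setAttributeRequests(kept);
    }
  ]]></Source>
</Rule>
```

The rule only acts when the plan contains a Disable for the Okta account, so manual application deprovisioning on an active account still goes through unchanged; if your tenant relies on applications being unassigned explicitly rather than by deactivation, keep the first pass and adjust the second to match your own entitlement attribute names.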

When I try to aggregate, SailPoint is throwing this endpoint error. Does anyone have the actual working endpoint?

Which version of IIQ are you using? If you are using 8.3p3 or an earlier version, you have to upgrade to 8.3p4, then the issue will be resolved. I have provided the explanation above. Please see Onboarding Okta Application in SailPoint IIQ - #9 by bhanuprakashkuruva

1 Like