Okta
    • 11 Apr 2024
    • 3 Minutes to read
    • Dark
      Light

    Okta

    • Dark
      Light

    Article summary

    Acante allows you to enrich the Access analysis with integration into Okta to bring complete Identity context into Acante. The integration is done using OAuth. By integrating Okta with Acante, the Privilege Analysis, Access Maps and all derivative solutions such as Entitlement Reviews, User Anomaly Detection, User Risk Analysis and so on are enriched in Acante with context from Okta.

    At the end of this integration you will enable the Acante Cloud to connect with your Okta instance and make API requests. Okta references:

    Sequence of Steps in Okta

    There are several ways to configure Okta to protect the admin API. The simplest and most secure approach is to use a Service Application which combines a Client ID with a Private Key which the user provides Acante through the Acante Web application. The steps are below

    1. From the Okta Admin console, click on Applications then Applications to get to the Application management tab.

    Screenshot 2023-10-02 at 9.55.33 AM.png

    1. Click on the Create App Integration button to create a new Application Integration.
      Screenshot 2023-10-02 at 10.00.11 AM.png

    2. In the Box, select the last bullet for API Services and click Next.
      Screenshot 2023-10-02 at 10.02.01 AM.png

    3. Provide the App integration name. Use “Acante API Client” or another name of your preference and click Save
      Screenshot 2023-10-02 at 2.56.09 PM.png

    4. This will generate a new Client ID. Click Edit in the Client Credentials section

    5. Under Client authentication, change the selection to use Public Key/ Private Key. Retain the default option to Save keys in Okta and click Add key button to add a new public and private key.
      Screenshot 2023-10-02 at 10.11.02 AM.png

    6. In the box for “Add a public key”, click on Generate new key instead of pasting an existing key.
      Screenshot 2023-10-02 at 10.12.28 AM.png

    7. A new public and private key will be created. The public key will be saved into Okta but you need to copy the contents of the "Private key" to a file on your computer.

    Screenshot 2023-10-02 at 10.58.39 AM.png

    • Copy the contents of the JSON key to a file named okta_acante_api_key.json. This file can be converted to a PEM later if needed.

    • Click on PEM to get the PEM-encoded version of the private key and Copy to Clipboard . Along with the "Client ID" you will provide the text of this "PEM key" in the Configurations page of the Acante UI.

    1. Click the Done and then Save buttons to activate the new public and private keys. The Key ID (KID) will need to be provided to

    Screenshot 2023-10-02 at 11.02.31 AM.png

    1. Okta will show a warning that the existing client secrets will no longer be used and that they will be deleted. This is alright. Click “Save”.
      Screenshot 2023-10-02 at 11.03.26 AM.png

    2. Now that the key is created, assign scopes to the application in order to have the necessary permission to allow Acante to read Users, Groups, Applications, and other meta-data. Click on the Okta API Scopes tab.

    Find the following scopes in the list and click “Grant”:
    Okta.apps.read
    Okta.groups.read
    Okta.logs.read
    Okta.users.read

    Screenshot 2024-04-11 at 9.39.01.png

    1. Okta also requires the Client to assigned a Role for selected Scopes to take effect. Click on the Admin Roles tab. --> Click on Edit Assignments --> Click on Add Assignment
      From the Role dropdown menu select Read-only Administrator . Save the changes.
      OktaAPIAdminRolesScreenShot.png

    2. Ensure that the DPoP configuration is disabled

    Screen Shot 2024-03-18 at 8.20.56 PM

    1. That’s it! The Okta configuration is complete. Please gather the following information to provide Acante:
      Client ID for the Application created
      Private Key (PEM)
      Okta Org Domain (see example in image below - “dev-xxxxx.okta.com” )

    Screenshot 2023-10-02 at 4.30.11 PM.png

    Providing the Okta Configuration in Acante UI

    Navigate to the Configurations tab of the Acante UI. At the bottom, select the Okta integrations.

    1. Click on Config

    Screenshot 2023-10-03 at 10.10.54 AM.png

    1. Retain the default OAuth selection and add the information collected from the previous section. All 3 fields are Mandatory. Click Save
      Screenshot 2023-10-03 at 12.12.19 PM.png

    2. The integration will check the connection and if successful, it will show a “Connected” success indicator as shown below

    Screenshot 2023-10-01 at 5.56.09 PM.png


    What's Next