The Okta connected app uses an API integration between Nudge Security and Okta in order to share information and perform certain actions between the two services. To enable the Okta connected app, you'll need to create an API token in Okta and configure it in Nudge Security. This article describes the configuration process.
Please use the web chat or email help@nudgsecurity.com with questions.
In Okta, API tokens inherit the permissions of the user who creates them; a token cannot be given its own custom permission set. To generate a token with restricted access, the creating user must therefore hold only the minimum necessary permissions. This process involves the following steps, which are explained in greater detail below.
Log in to Okta as a Super Admin: This is necessary because only Super Admins can create new users and assign roles.
Create a Custom Role with Read-Only Access: Define a new role with only the specific read permissions needed. This allows for restricted access on the token.
Create a New User and Assign Roles: Create a new user and assign them both the new custom role and the Read-Only Admin role for broader but still limited access.
Log in as the New User and Generate the Token: This token will inherit the restricted permissions from the roles assigned to the new user.
Integrate the Token: Use this token in your system’s Okta integration, ensuring its access is limited to the necessary read permissions.
This approach enhances token security by limiting access to essential functionality only.
Step 1: Create a custom role in Okta
Log in to the Okta Admin Console with Super Admin Access. Begin by logging in to the Okta Admin Console using an account with Super Admin privileges, as this is required to create new roles.
Navigate to Security Settings. In the Admin Console, go to Security in the left-hand navigation menu to access settings related to user permissions and roles.
Open the Administrators Section. Under Security, select Administrators. This section lists all administrative users and roles in your Okta environment.
Create a New Custom Role. Click on Roles at the top of the Administrators page, then select Create Role to open the role creation wizard. From here, you can define the permissions specific to this new role.
Identify Required Permissions for the Role:
Under Identity and Access Management, select View roles, resources, and admin assignments to review and choose the permissions required for this role.
Under Authorization Server, select View authorization server to grant read access for authorization-related tasks.
Save the Role Configuration. Once you’ve selected all necessary permissions, click Save Role to apply the settings and finalize the custom role setup.
Create a New Resource Set. To define resources that the new role will control, start by creating a new resource set.
Access the Resources Section. Click on Resources in the navigation menu, then select Create New Resource Set to begin setting up the resource set.
Name and Describe the Resource Set. Enter a clear and descriptive Name for the resource set that reflects its intended purpose. In the Description field, provide a brief overview of what the resource set will encompass or restrict, to ensure clarity for future administrators.
Add Resources to the Resource Set.
Click Add Resource and select:
Authorization Servers > All Authorization Servers. Once selected, click Save Selection.
Click Add Another Resource and select:
Identity and Access Management > All Identity and Access Management Resources. Again, click Save Selection.
Finalize the Resource Set. Once all resources are added, click Create to save and finalize the resource set.
Step 2: Create a new user
Navigate to the People Directory. In the Admin Console, go to Directory in the left-hand navigation menu. Select People to view and manage all users in your Okta organization.
Add a New User. Click Add Person to open the user creation form. Populate the form with the required details for the new user, such as name, email, and any other necessary fields.
Save the New User. Once all the information is filled in, click Save to create the user and add them to the directory.
Step 3: Assign roles to the new user
Navigate to the Administrators Section
In the Admin Console, go to Security in the left-hand menu, then click on Administrators.
Add a New Administrator
Click Add Administrator to begin the process of assigning admin roles.
Select the New User
Under Select Admin, find and choose the new user you created earlier.
Complete the Role Assignment
In the Complete the Assignment section, choose Read Only Administrator from the role options to grant them limited permissions.
Add the Custom Role
Click on Add Assignment to assign the custom role you created earlier.
Under Role, select the custom role, and under Resource Set, choose the resource set you established.
Save the Assignments
Ensure all selections are correct, then click Save to finalize the new administrator's role assignments.
Step 4: Log in as the new user and create the token
Log In: Use the credentials of the new user you created to log in to the Okta Admin Console.
Access the Token Creation Page: Navigate to Security in the left-hand menu, then select API and click on Tokens.
Create the Token: Click on Create Token. Provide a descriptive name for the token to identify its purpose easily.
Save the Token: Once the token is generated, be sure to copy it and store it securely, as it is displayed only once. This token inherits the permissions from the roles assigned to the new user.
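Before handing the token to Nudge Security, it is worth confirming that it really carries only the Read-Only Administrator role and your custom role. The script below is an added example, not Nudge Security's or Okta's own code: it resolves the token's owner with Okta's GET /api/v1/users/me and lists their role assignments with GET /api/v1/users/{id}/roles, then flags anything outside the allowlist. The custom role label "nudge-read-only" and the sample response are constructed placeholders; substitute the label you chose in Step 1.

```python
"""Flag Okta API-token role assignments that go beyond the intended read-only set."""
import json
import os
import urllib.request

# Okta's standard role type strings that the token owner may hold.
ALLOWED_STANDARD_TYPES = {"READ_ONLY_ADMIN"}
# Assumption: the label given to the custom role in Step 1 (constructed placeholder).
EXPECTED_CUSTOM_LABELS = {"nudge-read-only"}


def okta_get(domain, token, path):
    """GET a JSON resource from the Okta management API using SSWS token auth."""
    req = urllib.request.Request(
        f"{domain}{path}",
        headers={"Authorization": f"SSWS {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def unexpected_roles(roles):
    """Return a description of every assigned role not on the allowlist.

    Custom roles appear with type CUSTOM and are matched on their label, so an
    unrelated custom role is flagged too. An empty list means Steps 1-3 produced
    exactly the intended scope.
    """
    problems = []
    for r in roles:
        if r.get("type") == "CUSTOM":
            if r.get("label") not in EXPECTED_CUSTOM_LABELS:
                problems.append(f"custom role {r.get('label')!r}")
        elif r.get("type") not in ALLOWED_STANDARD_TYPES:
            problems.append(f"standard role {r.get('type')}")
    return problems


def check_token(domain, token):
    """Resolve the token's owner, fetch their role assignments, report the surplus."""
    me = okta_get(domain, token, "/api/v1/users/me")
    return unexpected_roles(okta_get(domain, token, f"/api/v1/users/{me['id']}/roles"))


# Constructed sample of a roles response for a user who was also, by mistake,
# left with Super Admin (trimmed to the fields this script reads).
SAMPLE_ROLES = [
    {"id": "ra1", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
    {"id": "ra2", "type": "CUSTOM", "label": "nudge-read-only", "status": "ACTIVE"},
    {"id": "ra3", "type": "SUPER_ADMIN", "status": "ACTIVE"},
]

if __name__ == "__main__":
    domain, token = os.environ.get("OKTA_DOMAIN"), os.environ.get("OKTA_TOKEN")
    found = check_token(domain, token) if domain and token else unexpected_roles(SAMPLE_ROLES)
    print("token over-privileged:" if found else "token scoped as expected", found)
```

Set OKTA_DOMAIN (e.g. https://yourdomain.okta.com) and OKTA_TOKEN to check a live token; without them the script evaluates the constructed sample and reports the surplus Super Admin role.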
Step 5: Configure the connected app in Nudge Security
Navigate to the Integration Settings
In your application, go to Settings in the main menu, then select Integrations.
Locate the Okta Integration
Scroll through the list of available integrations to find the Okta Integration.
Enter Your Okta Domain
In the Okta integration settings, input your Okta domain (e.g., https://yourdomain.okta.com).
Input the API Key
Paste the API token (API key) you created in Step 4 into the designated field.
Add an Optional Label
If desired, enter a label for the integration to easily identify it later.
Verify the Connection
Click on Verify Connection to ensure that the integration is set up correctly and the API key is functioning.