Okta is an identity and single sign-on service. In order to collect data from Okta, you will need to authorize InsightIDR to access your Okta administrator account.
To use the Okta event source, the minimum permissions required for an account are the 'Read-Only Admin' permissions. These permissions are used as the service account role.
Before You Begin
When creating an Okta event source, you will be prompted to create a credential containing a "Token / Secret" and a "Subdomain."
You can generate a Token value by following these instructions: https://developer.okta.com/docs/api/getting_started/getting_a_token/
You must enter the subdomain value when setting up this event source.
The subdomain value is the first component of your Okta domain. For example, if you use "mydomain.okta.com," the Subdomain field should be populated with "mydomain."
Configure the Okta integration
You must first configure Okta to accept the integration by creating an API token from a user account that is enrolled in multi-factor authentication (MFA). Create the token from an account that has the proper privileges.
Okta uses a bearer token for API authentication with a sliding expiration. Tokens are valid for 30 days, and the validity period automatically refreshes with each API call. Tokens that are not used for 30 days will expire. The token lifetime is currently fixed and cannot be changed for your organization.
Deactivating a user account in Okta will deprovision the API token concurrently.
To configure Okta:
- In the Okta application, select API from the "Security" menu.
- Click the Create Token button. The token inherits the permissions of the user account used to create the token.
- Follow the instructions that the Okta screen displays to finish creating the token.
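Before entering the credential in InsightIDR, you can check the two values it needs. The following Python sketch is an added example, not Rapid7 or Okta code: it derives the Subdomain from a pasted Okta URL, builds a read-only probe request, and works out how long an idle token has left. The domain list, the function names, and the use of the System Log endpoint as the probe are assumptions; the `SSWS` authorization scheme is the one Okta's API uses for these tokens.

```python
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumed set of Okta domains; match it to the "Okta Domain" choices you see.
OKTA_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com")
IDLE_LIFETIME = timedelta(days=30)  # unused tokens expire after 30 days

def split_okta_host(value):
    """Return (subdomain, okta_domain) from a pasted URL or hostname."""
    value = value.strip()
    host = urlparse(value if "//" in value else "//" + value).hostname or ""
    for domain in OKTA_DOMAINS:
        suffix = "." + domain
        subdomain = host[: -len(suffix)]
        # Reject look-alike hosts and multi-label prefixes such as a.b.okta.com.
        if host.endswith(suffix) and subdomain and "." not in subdomain:
            return subdomain, domain
    raise ValueError(f"not a recognised Okta org host: {value!r}")

def build_probe(host_value, token):
    """Build (without sending) a one-event System Log read for this credential."""
    subdomain, domain = split_okta_host(host_value)
    url = f"https://{subdomain}.{domain}/api/v1/logs?limit=1"
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)

def probe(host_value, token, timeout=10):
    """Send the probe. 200 means the token is live; a rejected token raises
    urllib.error.HTTPError. A successful call also restarts the 30-day clock."""
    with urllib.request.urlopen(build_probe(host_value, token), timeout=timeout) as resp:
        return resp.status

def days_until_idle_expiry(last_used, now=None):
    """Whole days left before a token last used at `last_used` expires."""
    now = now or datetime.now(timezone.utc)
    return max((last_used + IDLE_LIFETIME - now).days, 0)
```

Read the token from a secrets store or environment variable when calling `probe`, so that it does not end up in shell history or script files.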
How to Configure This Event Source
- From your dashboard, select Data Collection on the left-hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Cloud Service icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Select your Okta credential or optionally create a new credential.
- In the "Refresh Frequency" field, enter the refresh frequency in minutes.
- In the Subdomain field, enter the subdomain value. This is the first component of your Okta domain. For example, if you use "mydomain.okta.com," the Subdomain field should be populated with "mydomain."
- In the "Okta Domain" field, select your Okta domain.
- Press Save.
Okta requires the use of a token to integrate with other applications. For more information, read this article: https://developer.okta.com/docs/api/getting_started/getting_a_token.html.