Okta is an identity and single sign-on service. In order to collect data from Okta, you will need to authorize InsightIDR to access your Okta administrator account.
The Okta event source requires an account with at least the 'Read-Only Admin' permissions. Use these permissions as the role for the service account.
Before You Begin
When creating an Okta event source, you will be prompted to create a credential containing a "Token / Secret" and a "Subdomain."
You can generate a Token value by following these instructions: https://developer.okta.com/docs/api/getting_started/getting_a_token/
You must enter the subdomain value when setting up this event source.
The subdomain value is the first component of your Okta domain. For example, if you use "mydomain.okta.com," the Subdomain field should be populated with "mydomain."
Configure the Okta integration
You must first configure Okta to accept the integration by creating an API token with a user account that is enrolled in multi-factor authentication (MFA). When you configure this integration, create the token from an account that has the proper privileges.
Okta uses a bearer token for API authentication with a sliding scale expiration. Tokens are valid for 30 days and automatically refresh with each API call. Tokens that are not used for 30 days will expire. The token lifetime is currently fixed and cannot be changed for your organization.
Deactivating a user account in Okta will deprovision the API token concurrently.
To configure Okta:
- In the Okta application, select API from the "Security" menu.
- Click the Create Token button. The token inherits the permissions of the user account used to create the token.
- Follow the instructions that the Okta screen displays to finish creating the token.
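A pre-flight check for the new credential before it is entered in InsightIDR, added here as an example (it is not Rapid7 or Okta code). It derives the Subdomain value, builds a one-event read against Okta's System Log API using Okta's `SSWS` header scheme for API tokens, and flags a token drifting toward the 30-day idle expiry. The `/api/v1/logs` target, the 7-day warning margin, and the `OKTA_DOMAIN` / `OKTA_TOKEN` variable names are assumptions of this example.

```python
import os
import urllib.error
import urllib.request
from datetime import datetime, timedelta
from urllib.parse import urlparse

IDLE_LIFETIME = timedelta(days=30)  # from the page: unused tokens expire after 30 days


def subdomain_from(domain: str) -> str:
    """Return the first component of an Okta domain ("mydomain.okta.com" -> "mydomain")."""
    value = domain.strip()
    host = urlparse(value if "//" in value else "//" + value).hostname or ""
    labels = host.split(".")
    # Assumption: only <subdomain>.okta.com is accepted, so the token never goes to a look-alike host.
    if len(labels) != 3 or labels[1:] != ["okta", "com"] or not labels[0]:
        raise ValueError(f"not of the form <subdomain>.okta.com: {domain!r}")
    return labels[0]


def build_log_request(domain: str, token: str) -> urllib.request.Request:
    """Build a one-event System Log read authenticated with the API token."""
    url = f"https://{subdomain_from(domain)}.okta.com/api/v1/logs?limit=1"
    return urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}",  # Okta's header scheme for API tokens
        "Accept": "application/json",
    })


def token_at_risk(last_call: datetime, now: datetime, warn: timedelta = timedelta(days=7)) -> bool:
    """True when the last API call is old enough that idle expiry is within `warn`."""
    return now >= last_call + IDLE_LIFETIME - warn


def check(domain: str, token: str) -> str:
    """Send the request and map the HTTP status to a finding."""
    try:
        with urllib.request.urlopen(build_log_request(domain, token), timeout=10) as resp:
            return f"ok: HTTP {resp.status}, token can read the System Log"
    except urllib.error.HTTPError as err:
        hint = {401: "token invalid, expired, or its user was deactivated",
                403: "the token's user lacks the permissions to read logs"}
        return f"fail: HTTP {err.code} ({hint.get(err.code, 'unexpected status')})"


if __name__ == "__main__":
    # Hypothetical environment variable names; the token stays out of shell history.
    print(check(os.environ["OKTA_DOMAIN"], os.environ["OKTA_TOKEN"]))
```

If the collector has been offline long enough for `token_at_risk` to return true, plan to create a replacement token, since a token that passes 30 days without an API call cannot be revived.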
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
  - Search for Okta.com in the event sources search bar.
  - In the Product Type filter, select Cloud Service.
- Select the Okta.com event source tile.
- Select your collector and Okta.com from the event source dropdown.
- Name your event source.
- Optionally choose to send unparsed logs.
- Select your LDAP account attribution preference.
- Select your Okta credential or optionally create a new credential.
- Enter the refresh rate in minutes.
- Select your Okta domain.
- Click Save.
Okta requires the use of a token to integrate with other applications. For more information, read this article: https://developer.okta.com/docs/api/getting_started/getting_a_token.html.