
Okta

Overview

Okta is a cloud-based Identity and Access Management (IAM) platform that offers tools for user authentication, access control, and security, helping streamline identity management and improve user experiences across applications and devices.

Below you can find the Aembit configuration required to work with the Okta Workforce Identity Cloud service as a Server Workload using the Core Okta API.

Prerequisites

Before proceeding with the configuration, you must have an Okta Workforce Identity Cloud organization (tenant).

Server Workload Configuration

To retrieve the connection information in the Okta Admin Console:

  • Click on your username in the upper-right corner of the Admin Console. The org domain appears in the dropdown menu; copy it, as it is needed for the Host field below.

Okta Endpoint

  1. Create a new Server Workload.
  • Name - Choose a user-friendly name.
  2. Configure the service endpoint:
  • Host - <subdomain>.okta.com (Provide the domain copied from Okta)
  • Application Protocol - HTTP
  • Port - 443 with TLS
  • Forward to Port - 443 with TLS
  • Authentication method - API Key
  • Authentication scheme - Header
  • Header - Authorization

Credential Provider Configuration

  1. Sign in to your Okta organization as a user with administrator privileges.

  2. In the left navigation pane, select Security, then click on API.

  3. Navigate to the Tokens tab in the ribbon list.

  4. Click Create Token, name your token, and then click Create Token.

  5. Click the Copy to Clipboard icon to securely store the token for later use in the tenant configuration. For detailed information on API tokens, please refer to the official Okta documentation.

Copy API Token

  1. Create a new Credential Provider.
  • Name - Choose a user-friendly name.
  • Credential Type - API Key
  • API Key - Provide the key copied from Okta and use the format SSWS api-token, replacing api-token with your API token.

Client Workload Configuration

Aembit now handles the credentials required to access the Server Workload, eliminating the need for you to manage them directly. You can safely remove any previously used credentials from the Client Workload.

If you access the Server Workload through an SDK or library, that SDK or library may still require credentials to be present for initialization. In this scenario, provide placeholder credentials; Aembit overwrites them with the real credential during the access process.
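The following Python snippet is an added example (not Aembit's or Okta's own code) of what the Client Workload side looks like under this setup: the request targets the `<subdomain>.okta.com` host on TLS/443 with the API key in the `Authorization` header in the `SSWS api-token` format, but the client only ever holds a placeholder token. The host, path and helper names are assumptions for illustration; it uses only the standard library.

```python
"""Client-workload side of the Okta Server Workload described above.
The client never holds the real Okta API token: it sends the placeholder
below and Aembit replaces the Authorization header in transit."""
import json
import re
import urllib.error
import urllib.request

# Constructed placeholder, per the Client Workload section: it only has to
# satisfy the SDK/library; Aembit swaps in the real key on the way out.
PLACEHOLDER_TOKEN = "SSWS placeholder-replaced-by-aembit"

# Host shape from the Server Workload configuration: <subdomain>.okta.com
OKTA_HOST_RE = re.compile(r"^[a-z0-9-]+\.okta\.com$")


def is_okta_host(host: str) -> bool:
    return bool(OKTA_HOST_RE.match(host))


def validate_credential_format(value: str) -> bool:
    """Credential Provider format is 'SSWS api-token': scheme, one space, token."""
    parts = value.split(" ", 1)
    return len(parts) == 2 and parts[0] == "SSWS" and parts[1].strip() != ""


def build_okta_request(host: str, path: str,
                       token: str = PLACEHOLDER_TOKEN) -> urllib.request.Request:
    """Build the HTTPS request the Server Workload expects: TLS on 443, a Core
    Okta API path, and the API key carried in the Authorization header."""
    if not is_okta_host(host):
        raise ValueError(f"expected <subdomain>.okta.com, got {host!r}")
    if not path.startswith("/api/v1/"):
        raise ValueError("Core Okta API paths start with /api/v1/")
    if not validate_credential_format(token):
        raise ValueError("credential must use the format 'SSWS api-token'")
    headers = {"Authorization": token, "Accept": "application/json"}
    return urllib.request.Request(f"https://{host}{path}", headers=headers, method="GET")


def call_okta(req: urllib.request.Request, timeout: float = 10.0):
    """Send the request. A 401 means the placeholder reached Okta unchanged, i.e.
    this traffic did not pass through Aembit: alert on it rather than retrying."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise RuntimeError("401 from Okta: placeholder was not replaced by Aembit") from err
        raise
```

Run `call_okta(build_okta_request("<subdomain>.okta.com", "/api/v1/users/me"))` from a Client Workload covered by the Access Policy; the 401 branch is the signal that a request bypassed Aembit.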

Access Policy

  • Create an Access Policy for a Client Workload to access the Okta Server Workload. Assign the newly created Credential Provider to this Access Policy.

Required Features

  • You will need to configure the TLS Decrypt feature to work with the Okta Server Workload.