Okta

Integrate Query with your Okta Identity Provider to retrieve User, Group, and Authentication records.

TL;DR

To integrate Okta with Query:

  • Set up the required connection parameters in Okta listed in the Prerequisites section of this document.
  • Onboard the Okta Connector in the Query Federated Search platform.
  • Perform searches for users and devices managed by Okta and their sign-in activity.

Overview

Okta is a cloud-based identity and access management platform that provides secure single sign-on, multi-factor authentication, and user management for web and mobile applications. By integrating with Query, you can:

  • Retrieve all Users, their Groups, and relevant details within your Okta organization.
  • Search Logs to retrieve authentication activity for specific Users.

Users and authentication logs can be searched with Usernames, Email Addresses, and/or IP Addresses or viewed within our Summary Insights dashboards.

Prerequisites

Make sure you have the following connection parameters from Okta to add it as a Connector in Query.

  • Okta URL - The org's base URL including the HTTP scheme (e.g., https://dev-1234.okta.com)
  • API Token - Create an API token for your org.

Use the following steps to create a new Query Federated Search Connector for Okta.

  1. Navigate to the Connections page, select Add Connections, and select Okta from the Threat Intelligence & Enrichment category as shown below. You can speed this up by typing Okta into the search bar.

  2. In the Configure Connector tab, add the following detail:

    1. Connector Alias Name:
    2. Default Login: Leave this as the default value (e.g., Default Login)
    3. Okta URL: The org's base URL including the HTTP scheme (e.g., https://dev-1234.okta.com)
    4. API Token: The API Token you generated for your Okta organization.
  3. Select Test Connection from the bottom-right of the connection pane to ensure that your API Token is valid and you can pull information from the various Okta APIs (e.g., List Users, List Devices, etc.).

  4. Finally, select Save to store and activate the Connector.
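
A pre-flight check for the two connection parameters before they are pasted into the connector form, as an added example that is not Query's or Okta's own code. It validates the Okta URL and then makes one minimal List Users call with the token. The `OKTA_URL` and `OKTA_API_TOKEN` environment variable names, the function names, the https-only rule and the `-admin` hostname check are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def normalize_okta_url(raw):
    """Return the org base URL (scheme + host) or raise ValueError."""
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":  # assumption: refuse to send the token over plain HTTP
        raise ValueError("Okta URL must include the https:// scheme")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("Okta URL must be a hostname without embedded credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("Okta URL must be the base URL only, with no path or query")
    host = parts.hostname.lower()
    if host.split(".")[0].endswith("-admin"):  # admin console host, not the org URL
        raise ValueError("use the org URL, not the -admin console URL")
    return f"https://{host}" + (f":{parts.port}" if parts.port else "")


def build_list_users_request(okta_url, api_token):
    """Build a one-record List Users call using Okta's SSWS token header."""
    base = normalize_okta_url(okta_url)
    if not api_token or any(c.isspace() for c in api_token):
        raise ValueError("API token is empty or contains whitespace")
    return urllib.request.Request(
        f"{base}/api/v1/users?limit=1",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )


def check_token(okta_url, api_token, timeout=10.0):
    """Send the request and map the HTTP status to a short result string."""
    req = build_list_users_request(okta_url, api_token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            json.load(resp)  # a valid token returns a JSON array of users
            return "ok"
    except urllib.error.HTTPError as err:
        # 401: token invalid, expired or revoked; 403: token owner may not list users
        return {401: "invalid-token", 403: "insufficient-permissions"}.get(err.code, f"http-{err.code}")


if __name__ == "__main__":
    # Read the secret from the environment so it never appears in shell history.
    print(check_token(os.environ["OKTA_URL"], os.environ["OKTA_API_TOKEN"]))
```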

You will now see Okta added as an available Platform within the Query Search and Query Summary Insights UI. The term "platform" is synonymous with Connector.

Querying the Okta Connector

Within the Query Search UI, all Platforms (a.k.a. Connectors) are enabled by default. To check that Okta is enabled, navigate to the Identity & HR section of the Platforms dropdown and ensure that Okta is selected (denoted by a checkbox) before running your searches, as shown below.

As of 1 MAY 2024, the following Entities, Events and Objects are supported by Query for Okta. For more information about this terminology, refer to the Normalization and the Query Data Model (QDM) section of the docs or check out our QDM Schema website. If results are not returned, it means that Okta currently does not have any entries in its backend for the specific user of interest.

Entities

  • Username
  • Email Address
  • IP Address

Events

  • Authentication

Objects

  • User
  • Group

Resources