Okta OAuth2 Platform

Okta OAuth2 Platform, a Single Sign-On (SSO) provider, offers cloud software that helps companies manage and secure user authentication into modern applications.

The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Okta OAuth2 Platform Information

The following table describes the available integration tasks and stored data within SaaS Management.

| Available Integration Tasks | Information Stored |
| --- | --- |
| HR Roster | User ID, Email, First Name, Last Name, Active Date, Status, Location, Department |
| Application Roster | User ID, Email, First Name, Last Name, Active Date, Status |
| Application Access | User ID, Occurred (Last Login) |
| Application Discovery | Instance ID, Application Name, Application Label, Logo Link |
| SSO Application Roster | First Name, Last Name, Unique ID, Email, Active Date, Application Instance ID, Application Name |
| SSO Application Access | Unique ID, Occurred (Application Launch), Application Instance ID |

Note: The information stored is subject to change as enhancements are made to the SaaS application.

Required Minimum Permissions for Okta OAuth2 Platform

The minimum required API permissions are based on the Required Scopes for Okta OAuth2 Platform and the Required User and Application Role for Okta OAuth2 Platform.

Required Scopes for Okta OAuth2 Platform

For more information on the required scopes, see Okta’s Developer documentation topic, OAuth 2.0 Scopes.

| Required Scope | Description | Integration Task Name |
| --- | --- | --- |
| okta.users.read | Enables you to read the list of users in your Okta account. | Application Roster, HR Roster, SSO Application Roster |
| okta.logs.read | Enables you to read the user access event details in your Okta account. | Application Access, SSO Application Access |
| okta.apps.read | Enables you to read the SSO Apps in your Okta account. | Application Discovery, SSO Application Roster |

Required User and Application Role for Okta OAuth2 Platform

Note: The following user and application roles are not applicable to Flexera One roles.

| User Role | Description |
| --- | --- |
| Super Administrator | The user must have the Super Administrator role to grant the application permissions. For more information, see Okta’s Developer documentation topic, Implement OAuth for Okta With a Service App. |

| Application Role | Description |
| --- | --- |
| Super Administrator | The application must have the Super Administrator role to read the users, apps, and the log. For more information, see Okta’s Developer documentation topic, Assign Admin Roles to the OAuth 2.0 Service App. |

Note: Consider the following:

  • The admin roles determine which resources the admin can perform the actions on. For example, the admin can assign resources to a specific group of users or to a specific set of apps.

  • Scopes determine the action that the admin can perform. For example, the admin can manage users, read applications, and more.

Authentication Method for Okta OAuth2 Platform

The required authentication method is OAuth 2.0 Client Credentials Flow With JWT Assertion.

Required Credentials for Okta OAuth2 Platform

The following credentials are required:

  • Domain URL

  • Client ID

  • Private Key

  • Number of API calls allowed per minute

Obtaining Client ID and Private Key for Okta OAuth2 Platform

To obtain a Client ID and a Private Key, perform these high-level steps. The Private Key is only used to sign the JSON Web Token (JWT), which is then used for requesting the scoped access token.

  1. Sign in to your Okta organization as a user with administrative privileges.
  2. In the Admin Console, go to Applications > Applications, and then click Create App Integration. The Create a New App Integration page opens.
  3. On the Create a New App Integration page:
    1. Select the following sign-in method: API Services—Interact with Okta APIs using the scoped OAuth 2.0 access tokens for machine-to-machine authentication.
    2. Click Next.
  4. Enter a name for your app integration and click Save.
  5. In the General tab:
    1. Edit the client credentials.
    2. Change the client authentication to Public key / Private key.
  6. Leave the default option as Save keys in Okta and click the Add Key button. The Add a Public Key dialog opens.
  7. In the Add a Public Key dialog:
    1. Scroll down and on the upper-right side, click Generate New Key.
    2. After the key is generated, scroll down to the Private Key - Copy this! section and on the left side select PEM.
    3. Copy and paste the private key to a separate file, as the private key is displayed only once.
    4. Click Done.
  8. From the General tab, go to the Okta API Scopes tab and grant access to the following three scopes:
    • okta.apps.read

    • okta.logs.read

    • okta.users.read

  9. From the General tab, go to the Admin Roles tab.
    1. Click Edit Assignments to go to the Administrator Assignment by Admin screen.
    2. Go to the Complete the Assignment section.
    3. Click the Role dropdown list, enter Super Administrator in the search box, and select the Super Administrator role.
    4. Click Save Changes to grant the Super Administrator role.
      Note: You can also grant the Super Administrator role by following the instructions in the Okta Developer documentation topic, Assign Admin Roles to Apps.

  10. As an option, you can set the API rate limit. Go to the Applications Rate Limits tab and edit the number of API calls allowed. By default, the API rate limit is set to 50%.
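
The client credentials flow with JWT assertion that the Client ID and Private Key from the steps above are used for, shown as an added example (not Flexera or Okta code): it signs a short-lived RS256 client assertion and builds the token request for the three read scopes. The `/oauth2/v1/token` path and the `iss`/`sub`/`aud`/`jti` claim layout follow standard private-key JWT client authentication and are not stated on this page; the function names are hypothetical, and the throwaway key pair and `EXAMPLE_CLIENT_ID` are constructed values.

```javascript
// Added example, not Flexera or Okta code. Function names are hypothetical.
const nodeCrypto = require('node:crypto');

const SCOPES = ['okta.apps.read', 'okta.logs.read', 'okta.users.read']; // scopes from this page
const b64url = (s) => Buffer.from(s).toString('base64url');

// Assumption: the org authorization server's token endpoint lives at /oauth2/v1/token.
const tokenEndpoint = (domain) => `https://${domain}/oauth2/v1/token`;

// Sign a short-lived JWT: iss and sub are the Client ID, aud is the token endpoint.
function buildClientAssertion({ domain, clientId, privateKeyPem, now = Date.now(), ttlSeconds = 300 }) {
  const iat = Math.floor(now / 1000);
  const claims = {
    iss: clientId, sub: clientId, aud: tokenEndpoint(domain),
    iat, exp: iat + ttlSeconds, // short lifetime narrows the replay window
    jti: nodeCrypto.randomUUID(), // unique ID per assertion
  };
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Form body for the token request: the signed assertion is sent, the private key is not.
function buildTokenRequest(assertion) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    scope: SCOPES.join(' '),
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  }).toString();
}

// Check the signature with the public key; return the claims, or null if it fails.
function verifyAssertion(jwt, publicKeyPem) {
  const [h, p, s] = jwt.split('.');
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKeyPem, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}

// Constructed demo input: throwaway key pair and placeholder Client ID.
const demoKeys = nodeCrypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const demoJwt = buildClientAssertion({ domain: 'mycompany.okta.com', clientId: 'EXAMPLE_CLIENT_ID', privateKeyPem: demoKeys.privateKey });
console.log(verifyAssertion(demoJwt, demoKeys.publicKey));
```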

Integrating Okta OAuth2 Platform With SaaS Management

Complete the following steps to integrate Okta OAuth2 Platform with SaaS Management.

  1. Complete the prerequisite steps in Obtaining Client ID and Private Key for Okta OAuth2 Platform.
  2. In SaaS Management, add the Okta OAuth2 platform application. For more information, see Adding an Application.
  3. Sign in to the Okta Platform portal homepage. Copy your domain URL, which follows the convention mycompany.okta.com, and paste it into the URL field in SaaS Management.
  4. Copy and paste the Client ID and Private Key values generated in Obtaining Client ID and Private Key for Okta OAuth2 Platform into their respective SaaS Management fields.
    Note: The Private Key is only used to sign the JWT.

  5. Number of API calls allowed per minute is an optional SaaS Management field. This field limits the number of API calls made by an integration to Okta Platform. For more information, see Okta Platform’s Rate Limits.
    Note: Leave the Number of API calls allowed per minute field blank for automatic rate limit handling.

Tip: Once the Application Discovery integration task has been enabled for 24 hours, you can add the discovered SSO enabled applications to your list of Managed SaaS Applications. For more information, see Adding Discovered SSO Enabled Applications to Your List of Managed SaaS Applications.

Okta OAuth2 Platform API Endpoints

HR Roster, Application Roster

https://<<Domain-URL>>/api/v1/users

Application Access and SSO Application Access

https://<<Domain-URL>>/api/v1/logs

SSO Application Roster

  • https://<<Domain-URL>>/api/v1/users

  • https://<<Domain-URL>>/api/v1/apps

  • https://<<Domain-URL>>/api/v1/apps/<<app instance id>>/users

Application Discovery

https://<<Domain-URL>>/api/v1/apps