Okta

Trelica connects to Okta using an Okta API token.

This is used to:

  • List your Okta users, and which groups they are in.
  • List the applications your users are assigned to.
  • Read the date/time that users last logged in to applications through Okta from the Okta audit log.

If you enable Provisioning or Deprovisioning then you can also:

  • Assign and unassign users to and from applications in Okta
  • Create and suspend users in Okta

Okta API tokens are granted the permissions of the user who issued them.

We always recommend limiting the permissions of access tokens to the minimum required. These instructions describe how to create a dedicated Trelica API user with the minimal permissions needed.

Creating an Okta user with limited permissions

Log in to Okta as a full administrator.

Create a new custom role

  • Go to Security > Administrators and click the Roles tab.
  • Click Create new role
  • Enter the name Trelica
  • Enter an appropriate description, e.g. if the role is going to allow provisioning and deprovisioning, enter something like Trelica usage, provisioning & deprovisioning
  • Click the User, Group and Application type checkboxes.

Add the following permissions:

Permission to include                      Required for...

User permissions
  Create users                             Provisioning
  Deactivate users                         Deprovisioning
  Suspend users                            Deprovisioning
  Clean users' sessions                    Deprovisioning
  Edit users' group membership             Provisioning (or removing from groups)
  Edit users' application assignments      Deprovisioning via Okta

Group permissions
  Manage group membership                  Provisioning (or adding to / removing from groups)
  Edit users' group membership             Provisioning (or adding to / removing from groups)
  Edit groups' application assignments     Deprovisioning via Okta

Application permissions
  Edit application's user assignments      Deprovisioning via Okta

Click Save role

Creating the Trelica role in Okta

Create a new resource set

  • Go to Security > Administrators and click the Resources tab
  • Click Create new resource set
  • Enter the name All resources and an appropriate description.
  • Add all three resource types by clicking Add another resource type for each type.
  • Tick Constrain to all for each
  • Click Save resource set

Creating a new resource set in Okta

Create a new person

Okta API tokens are linked to a user account, so we need to create a new user account that can be used to issue the API token.

  • Go to Directory > People
  • Click Add person
  • Enter details
    • First name: Trelica
    • Last name: API
    • Username & Primary email: (your choice)
    • Choose Set by admin for the password, and untick User must change password on first login
    • Enter a strong password
    • Click Save

Creating a new person in Okta

Assign the new person administrative rights

  • Go to Security > Administrators and click the Admins tab
  • Click Add administrator
  • Search for and select the Trelica API person you just created

Now we need to add the required roles. For each role click Add assignment.

Role and usage:

  • Read-only Administrator: read-only access to Okta data. This is required because the assignable permissions don't include access to the Okta audit log, which is needed to analyze last-usage data.
  • Trelica: specific permissions to modify users and groups.
  • Organization Administrator: only assigned temporarily, but needed to issue the API token. Once the token is issued you will be shown how to remove this role assignment.

When you add the Trelica role you will need to choose a resource set. Use the All resources set that you created earlier.

Once you're done, don't forget to scroll to the top of the page and click Save changes.

Creating an Okta API token

Log in as the person we just created, using the credentials that you entered for them.

Go to Security > API, click the Tokens tab, and then click Create Token:

Enter a name for the token, e.g. Trelica and click Create Token:

The token will now be shown:

Click the Clipboard icon to copy it to the clipboard, click OK, got it and then paste the token into Trelica when you connect to Okta.

Removing the Organization Administrator role

The Organization Administrator role is only required to issue the API token. Once the token has been issued you should remove this role.

  • Log in to Okta as a full administrator.
  • Go to Security > Administrators and click the Admins tab
  • Find the Trelica role in the list, click Edit and choose Edit assignments
  • Click the trash icon by the Organization Administrator role
  • Click Save Changes (at the top of the page)
  • Confirm the assignment deletion in the dialog box that appears.

People directory profile fields retrieved by Trelica

By default Trelica pulls the following fields from Okta People directory profiles:

  • Title
  • User type
  • Employee number
  • Cost center
  • Department
  • Manager email

If you need support for mapping custom schema items, or other changes, please contact support@trelica.com.

Trelica also extracts the Okta groups that each person is a member of.

How does Trelica deprovision users from applications in Okta?

Users are associated with applications in Okta through an 'assignment' that links the user to the application.

Typically group membership is used to assign users to applications (e.g. members of the 'All staff' group are assigned to 'Airtable').

Okta's API supports modifying this assignment on a per user basis: even though a user might be assigned via group membership, this assignment can be converted to a 'user' scope assignment and then the assignment removed.

The user will no longer see the app in Okta, and if Okta has a SCIM connection to the application that the user was assigned to, then SCIM deprovisioning is triggered and the user is also removed from the underlying application.

This means that Trelica can instruct Okta to remove a user from an application, even if the assignment was originally through group membership, without having to remove the user from a group (which might have broader implications).

You can reverse this process using the Convert assignments button in Okta.
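As an added example (not Trelica's or Okta's own code), here is the per-user unassignment flow described above in Python: read the assignment, convert a GROUP-scope assignment to USER scope, then delete it. It assumes the Okta endpoints GET/POST/DELETE /api/v1/apps/{appId}/users[/{userId}] with SSWS token auth; that a POST with scope USER performs the conversion is an assumption, and FakeOkta is a constructed stand-in so the block runs offline.

```python
import json
import urllib.error
import urllib.request


def okta_transport(org_url, api_token):
    """Return a callable (method, path, body) -> (status, json) that uses SSWS token auth."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body else None
        headers = {"Authorization": "SSWS " + api_token, "Accept": "application/json",
                   "Content-Type": "application/json"}
        req = urllib.request.Request(org_url.rstrip("/") + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, (json.load(resp) if resp.status != 204 else None)
        except urllib.error.HTTPError as err:  # report 404 etc. as a status, not an exception
            return err.code, None
    return send


def unassign_user_from_app(send, app_id, user_id):
    """Remove one user's assignment to one app: convert GROUP scope first, then delete."""
    status, app_user = send("GET", f"/api/v1/apps/{app_id}/users/{user_id}")
    if status == 404:
        return "not-assigned"
    if app_user["scope"] == "GROUP":
        # Assumption: re-assigning with scope USER converts the group-derived assignment
        # to user scope, mirroring "Convert assignments" in the admin UI.
        status, _ = send("POST", f"/api/v1/apps/{app_id}/users", {"id": user_id, "scope": "USER"})
        if status != 200:
            raise RuntimeError(f"scope conversion failed: HTTP {status}")
    status, _ = send("DELETE", f"/api/v1/apps/{app_id}/users/{user_id}")
    if status != 204:
        raise RuntimeError(f"unassign failed: HTTP {status}")
    return "removed"  # if the app has a SCIM connection, Okta now triggers deprovisioning there


class FakeOkta:
    """Constructed stand-in for okta_transport: one app, one GROUP- and one USER-scoped user."""
    def __init__(self):
        self.assignments = {("0oa1", "00u1"): "GROUP", ("0oa1", "00u2"): "USER"}
        self.log = []

    def __call__(self, method, path, body=None):
        self.log.append((method, path))
        parts = path.split("/")  # /api/v1/apps/{appId}/users[/{userId}]
        key = (parts[4], parts[6] if len(parts) > 6 else body["id"])
        if method == "GET":
            scope = self.assignments.get(key)
            return (200, {"id": key[1], "scope": scope}) if scope else (404, None)
        if method == "POST":
            self.assignments[key] = body["scope"]
            return 200, {"id": key[1], "scope": body["scope"]}
        return (204, None) if self.assignments.pop(key, None) else (404, None)
```

Against a real org, replace FakeOkta with okta_transport("https://your-org.okta.com", token) and pass that as `send`.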


FAQs

Is there a way to terminate a user's Okta sessions and log them out of all apps that they've signed in to via Okta?

No. This isn't possible because once Okta has logged someone in to an application, it has no control over their access to that application.

See: https://support.okta.com/help/s/article/How-does-Okta-end-active-application-session-after-revoking-access-to-a-managed-SAML-application?language=en_US
