Okta

Trelica connects to Okta using an Okta API token.

This is used to:

  • List your Okta users, and which groups they are in.
  • List the applications your users are assigned to.
  • Read the date/time that users last logged in to applications through Okta from the Okta audit log.

If you enable Provisioning or Deprovisioning then you can also:

  • Assign and unassign users to and from applications in Okta
  • Create and suspend users in Okta
  • Run additional workflow actions related to onboarding and offboarding
  • Automate access requests that assign users to Okta groups or apps to grant access

Okta API tokens are granted the permissions of the user who issued them.

We always recommend limiting the permissions of access tokens to the minimum required, and these instructions describe how to create a dedicated Trelica API user with the minimal permissions needed.

If you change permissions you will have to recreate the Okta access token.

If you want to configure Okta SSO with Trelica, please read the dedicated article on SAML configuration.

There's also an article about how Trelica works with Okta, particularly relating to approaches to onboarding and offboarding.

Creating an Okta user with limited permissions

Log in to Okta as a full administrator.

Create a new custom role

  • Go to Security > Administrators and click the Roles tab.
  • Click Create new role
  • Enter the name Trelica
  • Enter an appropriate description, e.g. if the role is going to allow provisioning and deprovisioning, enter something like "Trelica usage, provisioning & deprovisioning"

Add the following permissions:

Permission to include                  | Connection feature      | Needed for
User permissions
  Create users                         | Provisioning            | Provision user
  Suspend users                        | Deprovisioning          | Suspend user
  Clear users' sessions                | Deprovisioning          | Revoke all active Okta sessions for a user
  Unsuspend users                      | Provisioning            | Activate user
  Activate users                       | Provisioning            | Activate user
  Deactivate users                     | Deprovisioning          | Deactivate user
  View users and their details         | Default                 |
  Reset users' passwords               | Deprovisioning          | Reset password
  Reset users' authenticators          | Deprovisioning          | Reset all MFA factors
  Edit user's application assignments  | Deprovisioning          | Removing access from an app / Assigning access to an app / Access requests
  Edit user's profile attributes       | Provisioning            | Set Okta Profile attribute
  Edit users' group membership         | Provisioning            | Provision user / Add to group / Remove from group / Access requests
Group permissions
  Edit groups' application assignments | Deprovisioning          | Removing access from an app / Assigning access to an app / Access requests
  Manage group membership              | Provisioning            | Provision user / Add to group / Remove from group / Access requests
  View groups and their details        | Default                 |
Application permissions
  View applications and their details  | Default                 |
  Edit application's user assignments  | Deprovisioning via Okta | Deprovision user / Access requests

Click Save role

If you change permissions at a later date you will have to recreate the Okta access token.
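The article asks you to grant only the permissions that the enabled connection features need. The following added example (not Trelica's or Okta's code) encodes the permission table above, keyed by the Okta admin-console display names rather than Okta's internal permission identifiers, and compares a role's permission list against the minimal set for a given feature combination so you can spot missing or excess grants before saving the role. The role contents passed in are constructed for the demonstration.

```python
"""Least-privilege check for the Trelica custom role (added example)."""

# Permission display name -> connection feature that needs it, per the article's table.
# "Default" permissions are needed whatever features are enabled.
PERMISSION_FEATURE = {
    # User permissions
    "Create users": "Provisioning",
    "Suspend users": "Deprovisioning",
    "Clear users' sessions": "Deprovisioning",
    "Unsuspend users": "Provisioning",
    "Activate users": "Provisioning",
    "Deactivate users": "Deprovisioning",
    "View users and their details": "Default",
    "Reset users' passwords": "Deprovisioning",
    "Reset users' authenticators": "Deprovisioning",
    "Edit user's application assignments": "Deprovisioning",
    "Edit user's profile attributes": "Provisioning",
    "Edit users' group membership": "Provisioning",
    # Group permissions
    "Edit groups' application assignments": "Deprovisioning",
    "Manage group membership": "Provisioning",
    "View groups and their details": "Default",
    # Application permissions
    "View applications and their details": "Default",
    "Edit application's user assignments": "Deprovisioning via Okta",
}

KNOWN_FEATURES = {"Provisioning", "Deprovisioning", "Deprovisioning via Okta"}


def required_permissions(features):
    """Return the minimal permission set for the enabled features.

    Unknown feature names are rejected so a typo cannot silently produce
    an under-privileged (or, worse, unreviewed) role.
    """
    features = set(features)
    unknown = features - KNOWN_FEATURES
    if unknown:
        raise ValueError(f"unknown connection feature(s): {sorted(unknown)}")
    enabled = {"Default"} | features
    return {perm for perm, feature in PERMISSION_FEATURE.items() if feature in enabled}


def audit_role(role_permissions, features):
    """Compare an existing role against the minimal set.

    Returns (missing, excess): permissions the connection needs but the role
    lacks, and permissions the role grants beyond what the features require.
    """
    have = set(role_permissions)
    need = required_permissions(features)
    return need - have, have - need


if __name__ == "__main__":
    # Constructed role: read-only connection, but someone also ticked "Create users".
    role = {
        "View users and their details",
        "View groups and their details",
        "View applications and their details",
        "Create users",
    }
    missing, excess = audit_role(role, features=[])
    print("missing:", sorted(missing))   # nothing missing for a read-only connection
    print("excess:", sorted(excess))     # ['Create users'] should be removed
```

Run the audit with the feature list you actually intend to enable in Trelica; anything reported as excess is a permission the API token would carry without needing it, and remember that changing the role afterwards means recreating the token.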

(Screenshot: Creating the Trelica role in Okta)

Create a new resource set

  • Go to Security > Administrators and click the Resources tab
  • Click Create new resource set
  • Enter the name All resources and an appropriate description.
  • Click Add another resource type to add resources for Users, Groups and Applications.
  • For each type, select 'All users', 'All groups' or 'All applications' respectively (or restrict the set according to your own requirements).
  • Click Create

(Screenshot: Creating a new resource set in Okta)

Create a new person

Okta API tokens are linked to a user account, so we need to create a new user account that can be used to issue the API token.

  • Go to Directory > People
  • Click Add person
  • Enter details
    • First name: Trelica
    • Last name: API
    • Username & Primary email: (your choice)
    • Choose Set by admin for the password, and untick User must change password on first login
    • Enter a strong password
    • Click Save

(Screenshot: Creating a new person in Okta)

Assign the new person administrative rights

  • Go to Security > Administrators and click the Admins tab
  • Click Add administrator
  • Search for and select the Trelica API person you just created

Now we need to add the required roles. For each role click Add assignment.

Role                       | Usage
Read-only Administrator    | Read-only access to Okta data. This is required because the assignable permissions don't include access to the Okta audit log, which is needed to analyze last-usage data.
Trelica                    | Specific permissions to modify users and groups.
Organization Administrator | Only assigned temporarily, but needed to issue the API token. Once the token is issued you will be shown how to remove this role assignment.

When you add the Trelica role you will need to choose a resource set. Use the All resources set that you created earlier.

Once you're done, don't forget to scroll to the top of the page and click Save changes.

Creating an Okta API token

Log in as the person we just created, using the credentials that you entered for them.

Go to Security > API, click the Tokens tab, and then click Create Token.

Enter a name for the token, e.g. Trelica, and click Create Token.

The token will now be shown.

Click the Clipboard icon to copy it, click "OK, got it", and then paste the token into Trelica when you connect to Okta.

Removing the Organization Administrator role

The Organization Administrator role is only required to issue the API token. Once the token has been issued you should remove this role.

  • Log in to Okta as a full administrator.
  • Go to Security > Administrators and click the Admins tab
  • Find the Trelica role in the list, click Edit and choose Edit assignments
  • Click the trash icon by the Organization Administrator role
  • Click Save Changes (at the top of the page)
  • Confirm the assignment deletion in the dialog box that appears.

People directory profile fields retrieved by Trelica

By default, Trelica pulls the following fields from Okta People directory profiles:

Trelica         | Okta profile attribute name(s)
Job title       | title
Line manager    | managerEmail, manager, managerId
Team            | department
Location        | location
Cost center     | costCenter
Employee number | employeeNumber
Employee type   | userType
Start date      | hireDate, HireDate, startDate, employee_start_date
Leaving date    | future_termination_date, TerminationDate, terminationDate, termDate
Personal email  | personalEmail
Time-zone       | timezone

For Start date and Leaving date, Trelica tries to parse most date formats. The xx-xx-yyyy form is ambiguous: it is interpreted as mm-dd-yyyy on app.trelica.com and as dd-mm-yyyy on eu.trelica.com.

Okta statuses are mapped in Trelica as follows:

Trelica   | Okta status
Active    | Active, Password Expired, Provisioned
Invited   | Staged
Suspended | Suspended, Recovery
Inactive  | Deprovisioned
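The two tables above describe a field mapping with fallback attribute chains, a region-dependent date ambiguity, and a status mapping. The following added example (not Trelica's code) implements that mapping over a sample Okta user record constructed here: it takes the first populated attribute in each chain, parses ISO dates unambiguously, and resolves the xx-xx-yyyy form month-first for app.trelica.com and day-first for eu.trelica.com. The Okta status values are the upper-case API forms of the display names in the table (ACTIVE, STAGED and so on); how Trelica itself treats a status outside the table, such as LOCKED_OUT, is not stated in the article, so the example reports it as "Unmapped" rather than guessing.

```python
"""Okta profile -> Trelica field mapping with region-aware dates (added example)."""
from datetime import datetime

# Fallback chains from the article's table: first populated attribute wins.
START_DATE_ATTRS = ("hireDate", "HireDate", "startDate", "employee_start_date")
LEAVING_DATE_ATTRS = ("future_termination_date", "TerminationDate", "terminationDate", "termDate")
MANAGER_ATTRS = ("managerEmail", "manager", "managerId")

# Whether the ambiguous xx-xx-yyyy form is read day-first, per Trelica region.
REGION_DAY_FIRST = {"app.trelica.com": False, "eu.trelica.com": True}

# Okta API status -> Trelica status, per the article's table.
STATUS_MAP = {
    "ACTIVE": "Active", "PASSWORD_EXPIRED": "Active", "PROVISIONED": "Active",
    "STAGED": "Invited",
    "SUSPENDED": "Suspended", "RECOVERY": "Suspended",
    "DEPROVISIONED": "Inactive",
}

UNAMBIGUOUS_FORMATS = ("%Y-%m-%d", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M:%SZ", "%Y/%m/%d")


def parse_date(value, region):
    """Parse a profile date; returns a datetime.date or None when empty.

    ISO forms are tried first because they cannot be misread. Only the
    numeric xx-xx-yyyy (or xx/xx/yyyy) form depends on the region.
    """
    if value is None or str(value).strip() == "":
        return None
    text = str(value).strip()
    for fmt in UNAMBIGUOUS_FORMATS:
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    day_first = REGION_DAY_FIRST[region]
    for sep in ("-", "/"):
        fmt = f"%d{sep}%m{sep}%Y" if day_first else f"%m{sep}%d{sep}%Y"
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognised date format: {text!r}")


def first_present(profile, attrs):
    """Return the value of the first attribute in the chain that is populated."""
    for attr in attrs:
        value = profile.get(attr)
        if value not in (None, ""):
            return value
    return None


def map_profile(okta_user, region):
    """Map one Okta user record to the Trelica fields listed in the article."""
    p = okta_user.get("profile", {})
    return {
        "job_title": p.get("title"),
        "line_manager": first_present(p, MANAGER_ATTRS),
        "team": p.get("department"),
        "location": p.get("location"),
        "cost_center": p.get("costCenter"),
        "employee_number": p.get("employeeNumber"),
        "employee_type": p.get("userType"),
        "start_date": parse_date(first_present(p, START_DATE_ATTRS), region),
        "leaving_date": parse_date(first_present(p, LEAVING_DATE_ATTRS), region),
        "personal_email": p.get("personalEmail"),
        "time_zone": p.get("timezone"),
        # Assumption of this example: statuses not in the table are flagged, not guessed.
        "status": STATUS_MAP.get(str(okta_user.get("status", "")).upper(), "Unmapped"),
    }


# Constructed sample record, shaped like an Okta /api/v1/users entry.
SAMPLE_USER = {
    "status": "STAGED",
    "profile": {
        "title": "Engineer",
        "managerEmail": "",               # empty, so the chain falls through to "manager"
        "manager": "Ada Example",
        "department": "Platform",
        "startDate": "03-04-2024",        # ambiguous: 4 March (US) or 3 April (EU)
        "employee_start_date": "2020-01-01",  # ignored: startDate is earlier in the chain
        "timezone": "Europe/London",
    },
}

if __name__ == "__main__":
    for region in REGION_DAY_FIRST:
        print(region, map_profile(SAMPLE_USER, region)["start_date"])
```

The same constructed record yields 2024-03-04 on app.trelica.com and 2024-04-03 on eu.trelica.com, which is why populating Okta with ISO 8601 dates is the safest way to avoid a wrong start or leaving date driving an onboarding or offboarding workflow.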

If you need support for mapping custom schema items, or other changes, please contact support@trelica.com.

Trelica also extracts the Okta groups that each person is a member of.

How does Trelica deprovision users from applications in Okta?

Users are associated with applications in Okta through an 'assignment' that links the user to the application.

Typically, group membership is used to assign users to applications (e.g. members of the 'All staff' group are assigned to 'Airtable').

Okta's API supports modifying this assignment on a per-user basis: even though a user might be assigned via group membership, this assignment can be converted to a 'user' scope assignment and then the assignment removed.

The user will no longer see the app in Okta, and if Okta has a SCIM connection to the application that the user was assigned to, then SCIM deprovisioning is triggered and the user is also removed from the underlying application.

This means that Trelica can instruct Okta to remove a user from an application, even if the assignment was originally through group membership, without having to remove the user from a group (which might have broader implications).

You can reverse this process (using the Convert assignments button in Okta).


FAQs

Is there a way to terminate a user's Okta sessions and log them out of all apps that they've signed in to via Okta?

No. This isn't possible because once Okta has logged someone in, it has no control over their access to the application in question.

See: https://support.okta.com/help/s/article/How-does-Okta-end-active-application-session-after-revoking-access-to-a-managed-SAML-application?language=en_US

Does Trelica import bookmarked apps?

Trelica returns bookmark applications that have been added by an Okta administrator via the Admin UI, since these have Okta assignments for people and/or groups. It doesn't, however, return personal bookmarks, due to API restrictions and because the data quality is potentially poor and very noisy.

Administrator-created bookmarks don't get created as recognised apps in Trelica, so they won't display in the default filter on the application list when you load it. To see these apps, go to the Applications list, select the All apps filter and then add a filter for Source = Okta.

To make these apps appear in the default application list, we recommend editing each relevant app to set the Audience to Business.
