Okta

Integration version: 7.0

Configure Okta to work with Google Security Operations

This document explains how to integrate Okta with Google Security Operations (Google SecOps).

Credentials

  1. Sign in to your Okta account to get your personal API token.

  2. On the Dashboard page, navigate to API > Tokens.

  3. To get your token, click Create Token.

  4. In the Create Token dialog, enter the token name and click Create Token.

  5. Copy and save generated token value. Use this token to configure the Okta integration in Google SecOps.

Network

Function Default Port Direction Protocol
API Multivalues Outbound apitoken

Configure Okta integration in Google SecOps

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.

Integration parameters

The Okta integration requires the following parameters:

Parameter Description
Api Root

Required.

The base URL of your Okta instance, used to access the API.

The default value is https://{okta_domain}.com/.
Api Token

Required.

The API Token generated from your Okta account, which grants the integration instance API access to perform actions.
Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting to the Okta server.

Not enabled by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

Add Group

Add a group.

Parameters

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Assign Role

Assign a role to a user.

Parameters

Parameter Name Type Default Value Description
User IDs String N/A IDs of users in Okta.
Role Types String N/A The type of role to assign to the users.
Also Run On Scope Checkbox Checked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
Roles Returns if it exists in JSON result
Insights

N/A

Disable User

Disables the specified user.

Parameters

Parameter Name Type Default Value Description
User IDs Or Logins String N/A IDs of users in Okta.
Is Deactivate Checkbox Checked Whether to deactivate or only suspend the user.
Send Email If Deactivate Checkbox Checked Whether to send an email after deactivating or not.
Also Run On Scope Checkbox Checked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
is_deactivate If it's True, the user is disabled. Otherwise: False
is_send_email_deactivate If it's True, the user is disabled. Otherwise: False
Insights

N/A

Enable User

Enables the specified user.

Parameters

Parameter Name Type Default Value Description
User IDs Or Logins String N/A IDs or logins of users in Okta.
Is Activate Checkbox Checked Whether to activate the user or just unsuspend.
Send Email If Activate Checkbox Checked Whether to send an email after activating or not.
Also Run On Scope Checkbox Checked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
is_reactivate If it's True, the user is enabled. Otherwise: False
is_send_email_reactivate If it's True, the user is disabled. Otherwise: False
Insights

N/A

Get Group

Get information about a group.

Parameters

Parameter Name Type Default Value Description
Group IDs Or Names String N/A IDs or names of groups in Okta.
Is Id Checkbox Checked Whether the value is an ID or a name.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Get user

Get information about a user

Parameters

Parameter Name Type Default Value Description
User IDs Or Logins String N/A IDs or logins (email or short email name) of a user in Okta, for example: test@gmail.com or simply 'test'.
Also Run On Scope Checkbox Checked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Result

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
[
  {
    "status": "ACTIVE",
    "profile": {
      "mobilePhone": null,
      "firstName": "Test",
      "lastName": "User",
      "secondEmail": null,
      "login": "test.user@asd.com",
      "email": "test.user@asd.com"
    },
    "passwordChanged": "2022-07-11T06:11:25.000Z",
    "created": "2022-07-11T06:07:55.000Z",
    "activated": null,
    "lastUpdated": "2022-07-11T06:11:25.000Z",
    "_links": {
      "schema": {
        "href": "https://trial-0000.okta.com/api/v1/meta/schemas/user/osc1xxxxxxxx"
      },
      "suspend": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/lifecycle/suspend",
        "method": "POST"
      },
      "forgotPassword": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/credentials/forgot_password",
        "method": "POST"
      },
      "self": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx"
      },
      "expirePassword": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/lifecycle/expire_password",
        "method": "POST"
      },
      "resetFactors": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/lifecycle/reset_factors",
        "method": "POST"
      },
      "deactivate": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/lifecycle/deactivate",
        "method": "POST"
      },
      "changePassword": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/credentials/change_password",
        "method": "POST"
      },
      "changeRecoveryQuestion": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/credentials/change_recovery_question",
        "method": "POST"
      },
      "type": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx"
      },
      "resetPassword": {
        "href": "https://trial-0000.okta.com/api/v1/users/00u1xxxxxxxx/lifecycle/reset_password",
        "method": "POST"
      }
    },
    "lastLogin": "2022-07-11T06:15:14.000Z",
    "credentials": {
      "password": {},
      "provider": {
        "type": "OKTA",
        "name": "OKTA"
      }
    },
    "type": {
      "id": "oty1xxxxxxxxxxxxx"
    },
    "id": "oty1xxxxxxxxxxxxx",
    "statusChanged": "2022-07-11T06:11:25.000Z"
  }
]
Entity Enrichment

N/A

Insights

N/A

List Providers

List identity providers (IdPs) in your organization.

Parameters

Parameter Name Type Default Value Description
Query String N/A Search the name property for a match.
Type Checkbox Checked Filter by type.
Limit String 20 Max amount of results to return.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

List Roles

Lists all roles assigned to a user.

Parameters

User IDs String N/A IDs of users in Okta.
Also Run On Scope Checkbox Checked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

List User Groups

Get the groups that the user is a member of.

Parameters

Parameter Name Type Default Value Description
User IDs Or Logins String N/A IDs or logins of users in Okta.
Also Run On Scope Checkbox Checked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
profile Returns if it exists in JSON result
name Returns if it exists in JSON result
Insights

N/A

List Users

Get the list of users.

Parameters

Parameter Name Type Default Value Description
Query String N/A Search for a match in the firstname, lastname or in the email.
Filter String N/A Custom search query for a subset of properties.
Search String N/A Custom search query for most properties.
Limit String 200 Max amount of results to return.

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
profile Returns if it exists in JSON result
name Returns if it exists in JSON result
Insights

N/A

Ping

Test Connection with Okta.

Parameters

N/A

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Reset Password

Generate a one-time token that can be used to reset a user's password.

Parameters

Parameter Name Type Default Value Description
User IDs Or Logins String N/A IDs or logins of users in Okta.
Send Email Checkbox Unchecked Whether to send an email for the password reset or return the token for every user.
Also Run On Scope Checkbox Unchecked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
send_email Returns if it exists in JSON result
Insights

N/A

Set Password

Set the password of a user without validating the existing credentials.

Parameters

Parameter Name Type Default Value Description
User IDs Or Logins String N/A IDs or logins of users in Okta.
New Password String N/A The new password.
Add 10 Random Chars Checkbox Unchecked Whether to add extra characters to every user password or not.
Also Run On Scope Checkbox Unchecked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
set_password Returns if it exists in JSON result
Insights

N/A

Send ITP Signal

Distribute Identity Threat Protection (ITP) signals to relevant consumers using the Shared Signals Framework (SSF).

Parameters

Parameter Name Type Default Value Description
Key ID String N/A The ID of the public key used to verify the private key's signature.
Private Key String Password N/A The private key used to sign the signal.

The key is provided in a string format and includes the "BEGIN" and "END" statements.
User Email Mail Address N/A The email address of the affected user.
Timestamp timestamp N/A The timestamp of the signal occurrence.

The timestamp format is ISO 8601.
Reason String N/A A brief description explaining why the signal was generated.
Severity String or DDL N/A The severity level of the signal.
Issuer URL URL N/A The source system that created the signal.

Action Results

JSON Result
{
   "status":200,
   "payload":{
      "iss":"https://www.google.com/",
      "jti":"3c5fbf0c-3977-11f0-a195-7e498c84a3dd",
      "iat":1748184472,
      "aud":"https://<your-okta-domain>.oktapreview.com",
      "events":{
         "https://schemas.okta.com/secevent/okta/event-type/user-risk-change":{
            "subject":{
               "user":{
                  "format":"email",
                  "email":"user@domain.net"
               }
            },
            "current_level":"medium",
            "previous_level":"low",
            "reason_admin":{
               "en":"BadNavigationEvent"
            },
            "event_timestamp":1742199770057
         }
      }
   }
}
Output messages
Output message Message description

Successfully sent the ITP signal to Okta.

Context value was not found for the provided context key CONTEXT_KEY and connector identifier CONNECTOR_IDENTIFIER.

Action can't return the Case Wall table as the context values are too big.

 The action succeeded.
Failed to send the ITP signal to Okta. Error is {0}".format(exception.stacktrace)

The action failed.

Check the connection to the server, input parameters, or credentials.
Script Result
Script Result Name Value Options
is_success True or False

Unassign Role

Unassign a role from a user.

Parameters

Parameter Name Type Default Value Description
User IDs String N/A IDs of users in Okta.
Role IDs Or Names String N/A IDs or names of roles in Okta.
Also Run On Scope Checkbox Unchecked Whether to run on entities as well as the input.

Use cases

N/A

Run On

This action runs on the following entities:

  • User
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
ScriptResult N/A N/A
JSON Result
N/A
Entity Enrichment
Enrichment Field Name Logic - When to apply
unassign_role Returns if it exists in JSON result
Insights

N/A

Need more help? Get answers from Community members and Google SecOps professionals.