Connecting Okta to Drata

Making the initial connection to Okta

Written by Ashley Hyman
Updated over a week ago

HERE'S WHY

Connecting Okta to Drata syncs all of your company's personnel into Drata and lets you provision personnel from it. This should be the first connection/integration you complete, as it enables compliance monitoring of your company's personnel.

BEFORE DIVING IN

  • The email domain, when connecting the IdP, must match each of the personnel’s email domains that you would like to sync. Personnel that have different domains or multiple domains are not synced.

    • If you need to sync multiple email domains, please reach out to our Technical Support team.

  • For customers who previously had Okta SSO configured: If your Drata tenant has previously connected to Okta using our Enterprise SSO connector, you will need to disconnect it to use the new "Sign in with Okta" SSO option. If you do not, you will still need to use the original "Sign in with SSO" option.

  • Drata does not support nested groups. We will sync members at the specified group's top level, but not members in the second-level or further groups.

Important to note: The user data that is treated as a source of truth in Drata is a user's listed Primary Email. Since that value is the only one we pull in, it is also used as the login for SSO into the Drata app, after Okta is connected.

HERE'S HOW

There are four parts to the Okta integration:

  • Part 1: Copy your Okta organization URL to enter into the Drata connection drawer.

  • Part 2: Create a service account with a read-only or a global administrator permission in Okta and generate an API token with the new service account.

  • Part 3: Install the Drata OIN application and assign the okta.users.read.self API scope.

  • Part 4: Enter Okta details into the Drata connection drawer.

The corresponding steps for each part are detailed in the following sections.

Part 1: Make note of your Okta organization URL. This will be added to the corresponding ‘Organization’ field in the Okta connection drawer in Drata in Part 4.

Part 2: Create Read-Only Admin Service Account user and API Token

  1. Log into Okta as a Super Administrator.

  2. Create a new user and activate it via Okta’s user activation email.

  3. Grant the newly created user the Read-Only Admin role by going to Security > Administrators > Add Administrator.

    1. NOTE: To use the User Access Review feature, you must create an API key under a user who has the Super Administrator role assigned. You may do this either on an existing user, or create a new service user and assign this role.

      1. If you want to use an existing user who is already assigned the Super Administrator role, simply skip steps 2-4 here.

      2. Alternatively, if you want to dedicate a new service user to the Drata connection, assign the Super Administrator role to the new service user in this step.

    2. The Okta Identity sync and SSO features will work with a Read-Only Admin role assigned to the user who creates the API key, but the User Access Review feature will not.

  4. Log out of the Super Administrator account, and log into the new service account.

  5. Create an API token by going to Security > API > Token > Create Token.

  • IMPORTANT! Copy the token when it is created and store it in a trusted password manager, as this is the only time you will be able to copy it. This will be added to the corresponding ‘API Key’ field in the Okta connection drawer in Drata in Part 4.

Part 3: Drata OIN App Installation

  1. Log in to your Okta organization as a Super Administrator.

  2. Install the Drata OIN app by going to Applications > Browse App Catalog.

    • Search for "Drata," and select the "Drata - OIDC" option under Integrations. Click the "Add" button.

  3. Open the Drata OIN app and select the ‘Sign On’ tab. From here you will want to copy the Client ID and Client Secret. These values will be added to the corresponding fields in the Okta connection drawer in Drata in Part 4.


  4. Staying on the Drata OIN app, select the ‘Okta API Scopes’ tab on the far right.

  • IMPORTANT! Scroll down to find okta.users.read.self and click "Grant" to enable this scope.

  5. Lastly, make sure you assign the Drata OIN app to the users you wish to grant [SSO] login access into the Drata application.

The Drata OIN app supports the following authentication types:

  • IdP-initiated SSO - From the Okta dashboard, a user can click on the app integration tile to SSO into the Drata application.

  • Service provider (SP)-initiated SSO - From the Drata application's login page, a user can provide their email address and be sent to the standard Okta authentication page.

Part 4: Follow these instructions to connect Okta to Drata:

  1. Select "Connections" on the side navigation menu.

  2. Select the 'Available connections' tab and then search for 'Okta' to select the connect button for the Okta integration.

  • Note: You can only connect one (1) IdP.

  3. Follow the instructions in the connection drawer carefully. Take your time and complete one step entirely before moving on to the next. Paste the required values in each field as indicated.
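Before pasting the values into the connection drawer, it is worth confirming that the Part 2 API token works and that no personnel will be silently left out of the sync because their Primary Email domain differs from the IdP domain (see "Before diving in"). The following pre-flight check is an added example, not Drata's or Okta's code; it assumes the Okta Users API (`GET /api/v1/users` with an `SSWS` token header), reads the org URL and token from the hypothetical `OKTA_ORG_URL` and `OKTA_API_TOKEN` environment variables, and falls back to a constructed sample when they are unset.

```python
# Added example: pre-flight check for the Okta -> Drata identity sync.
# Lists users with the read-only API token from Part 2 and reports the
# ones whose Primary Email domain does not match the IdP domain, since
# Drata does not sync personnel on a different email domain.
import json
import os
import urllib.request


def fetch_users(org_url: str, api_token: str) -> list[dict]:
    """GET /api/v1/users with the SSWS token header (first 200 users only;
    larger orgs must follow the Link rel="next" header for more pages)."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/users?limit=200",
        headers={"Authorization": f"SSWS {api_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def email_domain(address: str) -> str:
    """Lower-cased domain part of an email address ('' if it has no '@')."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def unsynced_users(users: list[dict], idp_domain: str) -> list[str]:
    """Logins of ACTIVE users whose Primary Email domain != idp_domain.
    Restricting to ACTIVE users is an assumption made to reduce noise."""
    wanted = idp_domain.lower().lstrip("@")
    return sorted(
        u["profile"]["login"] for u in users
        if u.get("status") == "ACTIVE"
        and email_domain(u["profile"].get("email", "")) != wanted
    )


# Constructed sample in the shape of an Okta Users API response.
SAMPLE_USERS = [
    {"status": "ACTIVE", "profile": {"login": "ana@example.com", "email": "ana@example.com"}},
    {"status": "ACTIVE", "profile": {"login": "bo@example.com", "email": "bo@contractor.example.net"}},
    {"status": "DEPROVISIONED", "profile": {"login": "old@other.example", "email": "old@other.example"}},
    {"status": "ACTIVE", "profile": {"login": "cy@Example.COM", "email": "cy@Example.COM"}},
]

if __name__ == "__main__":
    org, token = os.environ.get("OKTA_ORG_URL"), os.environ.get("OKTA_API_TOKEN")
    users = fetch_users(org, token) if org and token else SAMPLE_USERS
    for login in unsynced_users(users, "example.com"):
        print(f"will not sync (email domain mismatch): {login}")
```

Run it with the Part 1 organization URL and the Part 2 token exported; a successful listing also confirms the token is valid before it is pasted into the drawer.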

Monitoring Tests

  • Test 77: Employee Users Require MFA

  • Test 86: MFA on Identity Provider

  • Test 96: Employees have Unique Email Accounts
