Connecting Okta to Drata allows all of your company's personnel to be synced with Drata, to provision personnel, and to allow for SSO authentication into Drata. This is the first connection to establish for your identity management process.
If you're also leveraging Okta UAR, refer to the User Access Reviews for Okta.
BEFORE DIVING IN
Drata uses the email field both to sync the personnel record and for login authentication. You may set any email value in this field; Drata will ensure that both behaviors work against that value.
That email field must be set to at least Read Only in the User permission area on the Okta profile. This allows Drata to read this field to ensure it matches with the synced personnel list and allow authentication into Drata.
The email domain, when connecting the Identity (IdP) connection, must match each of the personnel’s email domains that you would like to sync. Personnel with different or multiple domains will not be synced.
To sync multiple email domains, contact our Technical Support team.
Drata does not support nested groups. We will sync members at the specified group's top level, but not members in the second-level or further groups.
You can only connect one Okta group at a time. If you attempt to connect multiple groups simultaneously, the connection will fail.
For customers who previously had Okta SSO configured: If your Drata tenant has previously connected to Okta using our Enterprise SSO connector, you must disconnect it before using the new "Sign in with Okta" option. Otherwise, you'll need to continue using the original "Sign in with SSO" option.
If you are not using an HRIS, Drata will take the creation date of the Okta user profile as the Hire Date. You may override this behavior by utilizing custom attributes:
Any Okta admin can set up two custom attributes in Okta to track employee start date and the employment status.
Custom attribute 1: Start Date (attribute is drataStartDate in Okta, data type string)
Custom attribute 2: Contractor/Employee (attribute is drataContractor in Okta, data type boolean)
Drata is configured to pick these attributes up automatically; this essentially substitutes for the HRIS integration, without having to manually update the personnel records, and allows all personnel records to continue syncing with Okta.
NOTE: Separation date is not supported at this time. The separation date will remain the date the Okta user profile was deactivated.
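The sync rules above (matching email domain, top-level group members only, hire date from drataStartDate or else the Okta profile creation date, separation date equal to the deactivation date) can be checked before you connect. The following preflight script is an added example, not Drata's or Okta's code. It assumes user objects in the shape the Okta Users API returns (created, status, statusChanged, profile.email) and that drataStartDate holds an ISO YYYY-MM-DD string; the connected domain and all group members below are constructed sample data.

```python
"""Sync preflight for the Okta -> Drata identity connection (added example)."""
from datetime import date, datetime, timezone

CONNECTED_DOMAIN = "example.com"  # constructed: domain entered on the Identity connection

# Constructed: members returned for the single connected Okta group (top level only;
# Drata does not descend into nested groups, so those members never reach this list).
GROUP_MEMBERS = [
    {"id": "00u1", "status": "ACTIVE", "created": "2023-04-03T12:00:00.000Z",
     "statusChanged": "2023-04-03T12:00:00.000Z",
     "profile": {"email": "alice@example.com", "drataStartDate": "2023-03-20",
                 "drataContractor": False}},
    {"id": "00u2", "status": "ACTIVE", "created": "2024-01-15T09:30:00.000Z",
     "statusChanged": "2024-01-15T09:30:00.000Z",
     "profile": {"email": "bob@example.com", "drataContractor": True}},
    {"id": "00u3", "status": "ACTIVE", "created": "2024-05-02T08:00:00.000Z",
     "statusChanged": "2024-05-02T08:00:00.000Z",
     "profile": {"email": "carol@other.org"}},                   # different domain
    {"id": "00u4", "status": "DEPROVISIONED", "created": "2022-06-01T10:00:00.000Z",
     "statusChanged": "2024-02-29T17:45:00.000Z",
     "profile": {"email": "dave@example.com"}},                  # deactivated user
    {"id": "00u5", "status": "ACTIVE", "created": "2024-03-04T11:00:00.000Z",
     "statusChanged": "2024-03-04T11:00:00.000Z",
     "profile": {"email": "Eve@EXAMPLE.com", "drataStartDate": "March 1, 2024"}},  # bad date
]


def parse_okta_timestamp(value):
    """Parse Okta's ISO-8601 UTC timestamps, e.g. 2023-04-03T12:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def email_domain(email):
    """Lower-cased part after the last '@', or None when the value is not an address."""
    if not email or "@" not in email:
        return None
    return email.rsplit("@", 1)[1].lower()


def build_personnel_record(user):
    """Derive the fields Drata would populate for one synced Okta user."""
    profile = user.get("profile", {})
    created = parse_okta_timestamp(user["created"]).date()
    hire_date, hire_source = created, "okta_created"
    start_raw = profile.get("drataStartDate")
    if start_raw:
        try:  # assumption: drataStartDate is ISO YYYY-MM-DD
            hire_date, hire_source = date.fromisoformat(start_raw), "drataStartDate"
        except ValueError:
            hire_source = "okta_created (drataStartDate unparseable)"
    separation = None
    if user.get("status") == "DEPROVISIONED":  # separation date = deactivation date
        separation = parse_okta_timestamp(user["statusChanged"]).date()
    return {
        "email": profile.get("email"),
        "hire_date": hire_date,
        "hire_date_source": hire_source,
        "contractor": bool(profile.get("drataContractor", False)),
        "separation_date": separation,
    }


def preflight(members, connected_domain):
    """Split group members into (records that will sync, (who, reason) skipped)."""
    wanted = connected_domain.lower()
    records, skipped = [], []
    for user in members:
        email = user.get("profile", {}).get("email")
        domain = email_domain(email)
        if domain is None:
            skipped.append((user.get("id"), "profile.email missing or malformed"))
            continue
        if domain != wanted:
            skipped.append((email, f"email domain {domain} does not match {wanted}"))
            continue
        records.append(build_personnel_record(user))
    return records, skipped


if __name__ == "__main__":
    synced, skipped = preflight(GROUP_MEMBERS, CONNECTED_DOMAIN)
    for r in synced:
        print(f"sync  {r['email']:<20} hire={r['hire_date']} ({r['hire_date_source']}) "
              f"contractor={r['contractor']} separated={r['separation_date']}")
    for who, why in skipped:
        print(f"skip  {who:<20} {why}")
```

Run it against an export of your real group membership before connecting: every entry in the skipped list is a person who will silently be absent from Drata, and every record whose hire date source is okta_created is one where the HRIS-substitute attribute is missing or not in the expected format.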
HERE'S HOW
There are four parts to the Okta integration:
Part 1: Copy your Okta organization URL, which you will later enter into the Drata connection drawer.
Part 2: Create a service account with read-only permission and generate an API token with the new service account.
Part 3: Install the Drata OIN application and assign the okta.users.read.self API scope.
Part 4: Enter Okta details into the Drata connection drawer.
The corresponding steps for each part are detailed in the following sections.
Part 1: Copy Okta organization URL.
This will be added to the corresponding ‘Organization’ field in Drata's Okta connection drawer in Part 4.
Part 2: Create a service account to generate the API token:
You’ll now need to create a service account and assign the Read-only Administrator role to it.
Create a new service account by navigating to Directory > People as an Okta Admin and selecting ‘Add Person’.
Once created, assign the Read-only Administrator role to the new account. Navigate to Security > Administrators as an Okta Admin and select ‘Add Administrator’. Select the user you just created and assign the ‘Read-only Administrator’ role.
Generate the API key.
To do this, log in as the service account with the Read-only Administrator role that you just created. Then, navigate to Security > API > Token > Create Token.
IMPORTANT: Copy the token immediately after creation and store it in a secure password manager. This is the only time you will be able to access it. This will be added to the corresponding ‘API Key’ field in the Okta connection drawer in Drata in Part 4.
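An Okta API token carries the permissions of the user who created it, which is why Part 2 creates a dedicated Read-only Administrator rather than generating the token as a Super Administrator. The check below is an added example, not Drata's or Okta's code: it confirms that the account behind the token holds only the Read-only Administrator role. The role payload shape follows the Okta Administrator Roles API (GET /api/v1/users/{id}/roles, each role carrying a type such as READ_ONLY_ADMIN); the live lookup resolves the token's owner through /api/v1/users/me with the SSWS authorization scheme. The two sample payloads are constructed.

```python
"""Least-privilege check for the Okta API token handed to Drata (added example)."""
import json
import urllib.request

# Assumption: the only admin role the Drata service account should hold.
ALLOWED_ROLE_TYPES = {"READ_ONLY_ADMIN"}

# Constructed sample payloads in the shape of GET /api/v1/users/{id}/roles.
SAMPLE_READ_ONLY = [{"id": "ra1", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"}]
SAMPLE_OVERPRIVILEGED = [
    {"id": "ra2", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
    {"id": "ra3", "type": "SUPER_ADMIN", "status": "ACTIVE"},
]


def evaluate_roles(roles):
    """Return (ok, findings) for the active admin roles of the token's owner."""
    active_types = sorted({r.get("type", "") for r in roles
                           if r.get("status", "ACTIVE") == "ACTIVE"})
    findings = []
    if not active_types:
        findings.append("no admin role assigned: the token cannot read users or groups")
    for role_type in active_types:
        if role_type not in ALLOWED_ROLE_TYPES:
            findings.append(f"unexpected role {role_type}: token is over-privileged for Drata")
    return (not findings, findings)


def fetch_token_owner_roles(org_url, api_token):
    """Live lookup: who owns this token, and which admin roles do they hold?"""
    def get(path):
        req = urllib.request.Request(
            org_url.rstrip("/") + path,
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)

    owner = get("/api/v1/users/me")
    return owner, get(f"/api/v1/users/{owner['id']}/roles")


if __name__ == "__main__":
    # Offline demonstration on the constructed payloads; pass a real org URL and
    # token to fetch_token_owner_roles() to run the live check instead.
    for label, payload in (("read-only", SAMPLE_READ_ONLY),
                           ("over-privileged", SAMPLE_OVERPRIVILEGED)):
        ok, findings = evaluate_roles(payload)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

Run the live check once right after creating the token and again whenever the service account's roles change; a finding other than an empty list means the token Drata holds can do more than read, and it should be rotated from a correctly scoped account.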
Part 3: Drata OIN App Installation
1. Log in to your Okta organization as a Super Administrator.
2. Install the Drata OIN app by going to Applications > Browse App Catalog. Search for "Drata," and select the "Drata - OIDC" option under Integrations. Click the "Add" button.
3. Open the Drata OIN app and select the ‘Sign On’ tab. From here you will want to copy the Client ID and Client Secret. These values will be added to the corresponding fields in the Okta connection drawer in Drata in Part 4.
4. Staying on the Drata OIN app, select the ‘Okta API Scopes’ tab on the far right and grant the okta.users.read.self scope.
5. Lastly, make sure you assign the Drata OIN app to the users you wish to grant SSO login access into the Drata application.
Drata OIN App supports the following authentication types:
IdP-initiated SSO: From the Okta dashboard, a user can click on the app integration tile to SSO into the Drata application.
Service provider (SP)-initiated SSO: From the Drata application's login page, a user can provide their email address and be sent to the standard Okta authentication page.
Part 4: Connect Okta to Drata
1. Select "Connections" on the side navigation menu.
2. Select the Available connections tab, search for Okta, and select the Connect button for the Okta integration.
You can only connect one (1) Identity connection type.
Be sure to select Okta under the Identity section.
3. Follow the instructions in the connection drawer carefully. Take your time and complete one step entirely before moving on to the next. Paste the required values in each field as indicated.
Monitoring Test
Test 86: MFA on Identity Provider
Test 96: Employees have Unique Email Accounts