IEM Okta Setup
The Okta IdP integration allows you to sync user identities from your Okta organization directly into Flare as identity identifiers. Once synced, Flare can automatically validate exposed credentials against those identities whenever a new leaked credential is detected, and perform mitigation actions on compromised accounts.

A few important things to note:

- This feature is available on request. Reach out to your CSM to get access.
- Identity synchronization: after the integration is configured, the initial sync can take up to 24 hours to complete. Once the initial sync has run, identities are automatically synchronized every night.
- Tenant considerations: your tenant has a cap on the number of identity identifiers. If you are syncing a large user base, consult with your CSM before enabling a full sync. Currently, one IdP integration per tenant is supported. If you already have an Entra ID integration in a tenant, create a new tenant for the Okta integration.

Prerequisites for Okta

Before setting up the Okta integration in Flare, complete a few configuration steps in Okta. You can view our interactive product tours (https://flaredemo.storylane.io/hub/wcikksxovdlg) for a guided walkthrough, or follow the steps below.

Step 1: Create groups, resource sets, and admin role

A resource set is a collection of Okta resources, such as user groups, that limits the permissions of a custom admin role to specific resources. By binding the Flare service app to a resource set, you can limit the integration to a specific subset of users rather than granting access to your entire Okta directory. For more information on resource sets, see Okta's documentation on working with resource sets (https://help.okta.com/en-us/content/topics/security/custom-admin-role/work-with-resource-set.htm).

This step is optional. Custom groups, roles, and resource sets are only required if you want to limit the integration to a specific subset of users. If you want to enable the integration for your entire Okta organization, you can use one of Okta's built-in admin roles (https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm) instead. If you are not using custom groups, roles, or resource sets, continue to Step 2: Create the Okta service app.

Create a group of users

First, create a group of users to assign to the resource set.

1. From the Okta Admin Console, go to Directory and then Groups.
2. Click Add group to create a new group.
3. Provide a name and description for the group.
4. Click on the newly created group name to add users to it.
5. From the People tab, click Assign people to add users.
6. Click Done to save the group.

Create a resource set and admin role

Next, create a resource set and admin role.

1. From the Okta Admin Console, go to Security and then Administrators.
2. Select the Resources tab to create a new resource set.
3. Click Create a new resource set, and enter a name and description.
4. Click Add resource and select Users as the resource type. Important: when completing this step, select Users rather than Groups. Use the Select users option and select a group.
5. Click Create to finish creating the resource set.
6. Go to the Roles tab. You can use either one of the standard admin roles (https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm), or create a custom role. To create a custom role, click Create new role.
   - To sync identity identifiers without any mitigation actions, select the View users and their details permission.
   - To enable mitigation actions, additionally select the Suspend users and Clear user's session permissions.
7. Click Save role to save the admin role.

Step 2: Create the Okta service app

1. In the Okta Admin Console, navigate to Applications > Applications.
2. Click Create App Integration to start the setup.
3. Select API Services as the integration type, then click Next.
4. Enter a name for your integration and click Save.
5. In the Client Credentials section, click Edit and set the Client authentication option to Public key / Private key.
6. Under Public keys, select Use a URL to fetch keys dynamically and enter the following URL: https://api.flare.io/.well-known/jwks.json
7. Select Okta API Scopes to grant permissions. Grant one or both of the following OAuth 2.0 scopes (https://developer.okta.com/docs/api/oauth2) based on your needs:
   - okta.users.read: required for syncing user identities into Flare and creating identity identifiers.
   - okta.users.manage: required for automated and manual mitigation actions, such as revoking sessions and disabling users.
   It is recommended to start with the okta.users.read scope. Add okta.users.manage only when you are ready to enable mitigation.
8. Navigate to the Admin roles tab to assign administrative permissions. Follow these guidelines when using a standard admin role:
   - Read-only Admin role: use this to sync only the identity identifiers, without any remediation actions.
   - Group Admin role: use this role to allow mitigation actions in addition to the identity sync.
   For more information, view Okta's standard roles and permissions documentation (https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm).
9. Click Edit assignments. Select the admin role and resource set you configured earlier, then click Save changes.
10. Click Save changes.

The service app is now ready to use.

Configure Okta integration in Flare

1. Navigate to the Settings menu in the top right corner, and then click Integrations.
2. Find the Add Okta integration box and click Configure.
3. Enter the following information:
   - Integration name: a descriptive name for the integration.
   - Okta domain: URL of your Okta domain.
   - Okta service app client ID: client ID of the service app configured in Prerequisites for Okta.
   - Maximum daily password attempts: maximum number of validation attempts per identity per day. It is recommended to set this to half of your lockout policy threshold in Okta.

   Daily limit of password validation attempts: to prevent account lockouts, Flare enforces a maximum number of validation attempts per identity per day. The default value for this in Flare is 2, and we do not recommend going higher than half your Okta lockout policy threshold (if the value is set to 10 in Okta, do not go higher than 5).

4. To automatically sync identity profiles, toggle the Automatically create identity identifiers for my synced identities option, and select automated or manual mitigation actions:
   - Automated validation: requires the okta.users.read scope, and an Okta admin role with the "View users and their details" permission.
   - Automatically revoke sessions and disable accounts: requires the okta.users.manage scope, and an Okta admin role with the "Suspend users" and "Clear user sessions" permissions.
   - Manual mitigation: requires the okta.users.manage scope, and an Okta admin role with the "Suspend users" and "Clear user sessions" permissions.
   See Prerequisites for Okta for more information. If you can't access this setting, reach out to your CSM to enable it.
5. Use the Test integration button to test the integration.
6. Click Add integration to complete the integration procedure.

Tenant requirement

Flare currently supports only one IdP integration per tenant. If you already have an Entra ID integration in a tenant, create a new Flare tenant dedicated to the Okta integration.

Recommended rollout approach

1. Create a new Flare tenant.
2. Configure the Okta integration scoped to a small pilot group.
3. Validate identity sync, credential validation, and mitigation behavior.
4. Expand scope incrementally to your full user population.

Starting with a small, technically capable group limits the blast radius if anything unexpected occurs during testing, such as an account lockout.

Troubleshooting

Identities are not populating after setup
- Verify the service app has okta.users.read, and that the client ID and Okta domain are entered correctly in Flare.
- Verify the required admin roles and permissions (see Prerequisites for Okta) have been granted.
- If you scoped to a resource set, confirm the service app role is correctly bound to it.
- It can take up to 24 hours for identities to be created.

Identifier limit reached
- Contact your Flare CSM to increase the cap before syncing your full user population.

Credential validation is triggering account lockouts
- Reduce the daily attempt limit in the password validation settings.
- Review your Okta lockout threshold and ensure your per-identity daily limit stays comfortably below it.

Unable to configure automated identity identifier creation
- This setting is not enabled by default. Please reach out to your CSM to get access.
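The scope, admin-permission and daily-attempt rules above are easy to get wrong in combination, and two of the troubleshooting entries (missing permissions, lockouts) come from exactly those mistakes. The following pre-flight check, added here as an example and not Flare's or Okta's own code, applies the page's rules to a configuration before it is saved; the field names and mitigation mode labels are assumptions for illustration.

```python
# Added example, not Flare's or Okta's own code: a pre-flight check that applies
# this page's rules to an integration config before it is saved in Flare.
# Field names and mitigation mode labels are assumptions for illustration.
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Syncing identities always needs okta.users.read and "View users and their details".
SYNC_SCOPES = {"okta.users.read"}
SYNC_PERMISSIONS = {"View users and their details"}
# Any mitigation mode also needs okta.users.manage and the suspend/clear-session permissions.
MITIGATION_SCOPES = {"okta.users.manage"}
MITIGATION_PERMISSIONS = {"Suspend users", "Clear user sessions"}
MODES = {"automated_validation", "auto_revoke_and_disable", "manual_mitigation"}
MODES_WITH_MITIGATION = {"auto_revoke_and_disable", "manual_mitigation"}


@dataclass
class OktaIntegrationConfig:
    okta_domain: str
    okta_lockout_threshold: int        # from the Okta password policy
    max_daily_attempts: int = 2        # Flare's default daily validation limit
    mitigation: str = "automated_validation"
    granted_scopes: set = field(default_factory=set)
    granted_permissions: set = field(default_factory=set)


def check_config(cfg: OktaIntegrationConfig) -> list[str]:
    """Return the list of problems found; an empty list means the config passes."""
    problems = []
    url = cfg.okta_domain if "://" in cfg.okta_domain else "https://" + cfg.okta_domain
    if "." not in (urlparse(url).hostname or ""):
        problems.append(f"okta_domain {cfg.okta_domain!r} is not an Okta org URL")
    if cfg.okta_lockout_threshold < 1:
        problems.append("okta_lockout_threshold must be at least 1")
    else:
        # Flare's guidance: stay at or below half the Okta lockout threshold.
        ceiling = cfg.okta_lockout_threshold // 2
        if cfg.max_daily_attempts > ceiling:
            problems.append(f"max_daily_attempts {cfg.max_daily_attempts} exceeds "
                            f"half the Okta lockout threshold ({ceiling})")
    if cfg.mitigation not in MODES:
        problems.append(f"unknown mitigation mode {cfg.mitigation!r}")
        return problems
    need_scopes, need_perms = set(SYNC_SCOPES), set(SYNC_PERMISSIONS)
    if cfg.mitigation in MODES_WITH_MITIGATION:
        need_scopes |= MITIGATION_SCOPES
        need_perms |= MITIGATION_PERMISSIONS
    problems += [f"missing OAuth scope {s}" for s in sorted(need_scopes - cfg.granted_scopes)]
    problems += [f"admin role lacks permission {p!r}"
                 for p in sorted(need_perms - cfg.granted_permissions)]
    return problems
```

Run it against the pilot configuration before clicking Add integration; every returned line maps to one of the prerequisites or the lockout guidance above.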