IEM Okta Setup
15 min
This feature is currently in beta for select customers. General availability is scheduled for June 24th.

The Okta IdP integration allows you to sync user identities from your Okta organization directly into Flare as identity identifiers. Once synced, Flare can automatically validate exposed credentials against those identities whenever a new leaked credential is detected, and perform mitigation actions on compromised accounts.

Key features of the Okta integration

Here are some benefits of using Flare's Okta integration:

- Identity sync: Flare pulls users from your Okta organization and creates identity identifiers for each one. These identifiers are then used to match against leaked credentials found in our threat intelligence sources.
- Identity profiles: Each synced user gets an identity profile in Flare populated with data returned from Okta. Identity profiles are the central place to investigate a user following a credential exposure event.
- Automated credential validation: When a leaked credential matching one of your synced identifiers is detected, it can be automatically validated to determine whether that credential is still active against your Okta environment. No manual intervention is required.
- Bulk password validation: Bulk password validation is enabled by default. This allows you to bulk-select leaked credentials and validate them all at once.
- Mitigation actions: When a credential is confirmed valid, the following mitigation actions can be taken:
  - Manual mitigation: triggered by an analyst from within Flare's credential browser.
  - Automated mitigation: triggered automatically when a valid leaked credential is confirmed.

Most of these features require certain Okta scopes and admin permissions in Okta (see Prerequisites for Okta for details).

Tenant considerations

Your tenant has a cap on the number of identity identifiers. If you are syncing a large user base, consult with your Flare Customer Success Manager (CSM) before enabling a full sync.

Currently, one IdP integration per tenant is supported. If you already have an Entra ID integration in a tenant, create a new tenant dedicated to the Okta integration.

How it works

1. Flare reads users from your Okta organization through a configured service app integration, creating identity identifiers and identity profiles for each user (automated identity creation must be enabled when configuring the Okta integration).
2. When Flare detects a new leaked credential that matches one of your identifiers, credential validation can be automatically initiated to confirm whether the credential is still active (automated validation must be enabled when configuring the Okta integration).
3. If the credential is confirmed valid, you can trigger mitigation actions (manual or automated) to revoke sessions and/or disable the account (the revoke session and disable account options must be enabled when configuring the Okta integration).

Daily limit of password validation attempts

To prevent account lockouts, Flare enforces a configurable maximum number of password validation attempts per identity per day. By default, Okta will lock a user out after 10 failed password attempts. The default value for this in Flare is 2, and we do not recommend going higher than half your lockout policy threshold (if the value is set to 10 in Okta, do not go higher than 5).

Prerequisites for Okta

Before configuring the integration in Flare, complete the following setup in Okta:

1. Configure a resource set and admin role.
2. Create a service app integration, and grant the relevant OAuth 2.0 scopes and admin roles.

OAuth 2.0 scopes in Okta

The following OAuth 2.0 scopes (https://developer.okta.com/docs/api/oauth2) are required, depending on which features you enable:

- okta.users.read: syncing user identities into Flare and creating identity identifiers.
- okta.users.manage: automated and manual mitigation actions (revoke sessions, disable users).

It is recommended to start with the okta.users.read scope. Add okta.users.manage only when you are ready to enable mitigation.

Admin roles in Okta

For the Okta integration to work correctly, certain admin roles/permissions must be assigned to the service app.

Okta admin roles: if using a standard admin role, choose a role based on the level of access required:

- Read-only Admin: use this role to sync identity identifiers only, with no mitigation actions.
- Group Admin: use this role to enable mitigation actions in addition to identity sync.

See Okta's standard roles and permissions (https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm) for full details.

When creating a custom admin role, the following permissions are needed:

- View users and their details: to sync identity identifiers without enabling any mitigation actions.
- Suspend users and Clear user sessions: to enable mitigation actions.

Follow these steps to set up the necessary configuration in Okta.

Using Okta resource sets

A resource set is a collection of Okta resources, such as user groups, that limits the permissions of a custom admin role to specific resources. By binding the Flare service app to a resource set, you can limit the integration to a specific subset of users rather than granting access to your entire Okta directory. For more information on resource sets, see Working with resource sets (https://help.okta.com/en-us/content/topics/security/custom-admin-role/work-with-resource-set.htm).

Configure the Okta integration in Flare

1. In your Flare tenant, navigate to Configure > Integrations to view the Integrations Hub.
2. Find the Add Okta Integration box and click Configure.
3. Enter the following information:
   - Integration name: a descriptive name for the integration.
   - Okta domain: URL of your Okta domain.
   - Okta service app client ID: client ID of the service app configured in Prerequisites for Okta.
   - Maximum daily password attempts: maximum number of validation attempts per identity per day. It is recommended to set this to half of your lockout policy threshold in Okta.
4. To automatically sync identity profiles, toggle the "Automatically create identity identifiers for my synced identities" option, and select automated or manual mitigation actions:
   - Automated validation: requires the okta.users.read scope and an Okta admin role with the "View users and their details" permission.
   - Automatically revoke sessions and disable accounts: requires the okta.users.manage scope and an Okta admin role with the "Suspend users" and "Clear user sessions" permissions.
   - Manual mitigation: requires the okta.users.manage scope and an Okta admin role with the "Suspend users" and "Clear user sessions" permissions.
   See Prerequisites for Okta for more information.
5. Use the Test integration button to test the integration.
6. Click Add integration to complete the integration procedure.

Tenant requirement

Flare currently supports only one IdP integration per tenant. If you already have an Entra ID integration in a tenant, create a new Flare tenant dedicated to the Okta integration.

Recommended rollout approach

1. Create a new Flare tenant.
2. Configure the Okta integration scoped to a small pilot group.
3. Validate identity sync, credential validation, and mitigation behavior.
4. Expand scope incrementally to your full user population.

Starting with a small, technically capable group limits the blast radius if anything unexpected occurs during testing, such as an account lockout.

Troubleshooting

Identities are not populating after setup
- Verify the service app has okta.users.read and that the client ID and Okta domain are entered correctly in Flare.
- Verify the required Okta admin roles and permissions have been granted.
- If you scoped to a resource set, confirm the service app role is correctly bound to it.
- It can take up to 24 hours for identities to be created.

Identifier limit reached
- Contact your Flare CSM to increase the cap before syncing your full user population.

Credential validation is triggering account lockouts
- Reduce the daily attempt limit in the password validation settings.
- Review your Okta lockout threshold and ensure your per-identity daily limit stays comfortably below it.
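The "maximum daily password attempts" setting and the lockout guidance above (Okta default of 10 failed attempts, Flare default of 2, never more than half the lockout threshold) can be modelled as a small per-identity daily budget. The following Python is an added example, not Flare's code: the `recommended_daily_limit`, `ValidationBudget` and `validate_leaked_credentials` names are assumptions for illustration, the sample credentials are constructed, and the password check is a stand-in for the real check against Okta.

```python
"""Per-identity daily budget for password validation attempts.

Added example, not Flare's code: models the "maximum daily password
attempts" setting described above. It derives a safe per-identity daily
limit from the Okta lockout threshold and refuses validation attempts once
an identity has used its budget for the day. The day key defaults to the
current UTC date; callers may pass one explicitly.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable

OKTA_DEFAULT_LOCKOUT_THRESHOLD = 10  # Okta default: lock out after 10 failed attempts
FLARE_DEFAULT_DAILY_LIMIT = 2        # Flare default for "maximum daily password attempts"


def recommended_daily_limit(lockout_threshold: int) -> int:
    """Half of the lockout threshold, rounded down (10 -> 5), never below 1."""
    if lockout_threshold < 1:
        raise ValueError("lockout threshold must be a positive integer")
    return max(1, lockout_threshold // 2)


def is_safe_daily_limit(daily_limit: int, lockout_threshold: int) -> bool:
    """True when the limit stays within the 'no more than half' guidance."""
    return 1 <= daily_limit <= recommended_daily_limit(lockout_threshold)


def _today() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%d")


class ValidationBudget:
    """Counts validation attempts per (identity, day) and gates new ones."""

    def __init__(self, daily_limit: int = FLARE_DEFAULT_DAILY_LIMIT,
                 lockout_threshold: int = OKTA_DEFAULT_LOCKOUT_THRESHOLD) -> None:
        if not is_safe_daily_limit(daily_limit, lockout_threshold):
            raise ValueError(
                f"daily limit {daily_limit} is not within half of the Okta "
                f"lockout threshold {lockout_threshold}")
        self.daily_limit = daily_limit
        self._used: dict[tuple[str, str], int] = defaultdict(int)

    def remaining(self, identity: str, day: str | None = None) -> int:
        return self.daily_limit - self._used[(identity, day or _today())]

    def try_reserve(self, identity: str, day: str | None = None) -> bool:
        """Reserve one attempt; False once the identity's budget for `day` is spent."""
        key = (identity, day or _today())
        if self._used[key] >= self.daily_limit:
            return False
        self._used[key] += 1
        return True


def validate_leaked_credentials(
    budget: ValidationBudget,
    leaked: list[tuple[str, str]],
    check_password: Callable[[str, str], bool],
    day: str | None = None,
) -> tuple[list[tuple[str, bool]], list[str]]:
    """Validate a batch of (identity, password) pairs within budget.

    Returns (results, skipped): results holds (identity, is_valid) for each
    attempt that was made; skipped lists identities whose budget was exhausted,
    so those credentials can be retried on a later day instead of risking lockout.
    """
    results, skipped = [], []
    for identity, password in leaked:
        if budget.try_reserve(identity, day):
            results.append((identity, check_password(identity, password)))
        else:
            skipped.append(identity)
    return results, skipped


if __name__ == "__main__":
    # Constructed sample input: three leaked passwords for one identity, one for another.
    sample = [("alice@example.com", "Winter2023!"), ("alice@example.com", "Spring2024!"),
              ("alice@example.com", "Summer2024!"), ("bob@example.com", "Pa55w0rd")]
    # Stand-in for the real check against Okta; here only one password is "current".
    fake_check = lambda identity, pw: pw == "Spring2024!"
    res, skipped = validate_leaked_credentials(ValidationBudget(), sample, fake_check)
    print("validated:", res)    # alice: two attempts made, bob: one attempt made
    print("skipped:", skipped)  # alice's third password waits for the next day's budget
```

The constructor rejects any limit above half the lockout threshold, so a misconfiguration fails loudly before any attempt is made; the "credential validation is triggering account lockouts" troubleshooting case above is the situation this guard is meant to prevent.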
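The mitigation actions described above (revoke sessions, disable the account) and the scope prerequisite behind them (okta.users.manage for mitigation, okta.users.read for sync only) can also be exercised directly against the Okta Users API, which is useful when verifying what the service app is actually allowed to do during the pilot rollout. The following Python is an added example, not Flare's code: `OktaMitigator`, `missing_scopes` and the injectable `transport` callable are assumptions for illustration, the bearer token is assumed to have been obtained by the service app already, and the domain, token and user ID are constructed values. The two endpoints are Okta's documented "clear user sessions" and "suspend user" operations.

```python
"""Revoke sessions and suspend a compromised Okta user.

Added example, not Flare's code: performs the two mitigation actions this
page describes (revoke sessions, disable account) against the Okta Users API,
after checking that the service app holds the scope the page requires
(okta.users.manage). Endpoints used:
  DELETE /api/v1/users/{id}/sessions           -> clear user sessions
  POST   /api/v1/users/{id}/lifecycle/suspend  -> suspend user
The injectable `transport` callable is an assumption of this example so it
can run offline; the default sends real HTTPS requests with urllib.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Callable

SYNC_SCOPE = "okta.users.read"           # identity sync only
MITIGATION_SCOPE = "okta.users.manage"   # revoke sessions / disable users

# Scope each configurable Flare feature needs, as listed on this page.
FEATURE_SCOPES = {
    "identity_sync": {SYNC_SCOPE},
    "automated_validation": {SYNC_SCOPE},
    "automated_mitigation": {MITIGATION_SCOPE},
    "manual_mitigation": {MITIGATION_SCOPE},
}


def missing_scopes(enabled_features: set[str], granted_scopes: set[str]) -> set[str]:
    """Scopes the enabled features need that the service app has not been granted."""
    required = set().union(*(FEATURE_SCOPES[f] for f in enabled_features))
    return required - set(granted_scopes)


def _urllib_transport(method: str, url: str, headers: dict) -> tuple[int, bytes]:
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx: report the status, do not raise
        return err.code, err.read()


class OktaMitigator:
    def __init__(self, okta_domain: str, access_token: str, granted_scopes: set[str],
                 transport: Callable[..., tuple[int, bytes]] = _urllib_transport) -> None:
        self.base = f"https://{okta_domain}"
        self.headers = {"Authorization": f"Bearer {access_token}",
                        "Accept": "application/json"}
        self.granted_scopes = set(granted_scopes)
        self.transport = transport

    def _call(self, method: str, path: str) -> bool:
        status, _ = self.transport(method, self.base + path, self.headers)
        return 200 <= status < 300

    def revoke_sessions(self, user_id: str) -> bool:
        return self._call("DELETE", f"/api/v1/users/{user_id}/sessions")

    def suspend_user(self, user_id: str) -> bool:
        return self._call("POST", f"/api/v1/users/{user_id}/lifecycle/suspend")

    def mitigate(self, user_id: str, revoke: bool = True, disable: bool = True) -> list[str]:
        """Run the enabled actions in order; return the names of those that succeeded.

        Raises PermissionError before touching the API if okta.users.manage is
        missing, matching the page's prerequisite for mitigation actions.
        """
        if MITIGATION_SCOPE not in self.granted_scopes:
            raise PermissionError(f"service app lacks {MITIGATION_SCOPE}")
        done = []
        if revoke and self.revoke_sessions(user_id):
            done.append("revoke_sessions")
        if disable and self.suspend_user(user_id):
            done.append("suspend_user")
        return done


if __name__ == "__main__":
    # Constructed values: a stand-in domain, token and user ID, plus a transport that
    # records requests instead of sending them, so this runs offline.
    log = []

    def logging_transport(method, url, headers):
        log.append(f"{method} {url}")
        return (204 if method == "DELETE" else 200), b"{}"

    m = OktaMitigator("example.okta.com", "CONSTRUCTED-TOKEN",
                      {SYNC_SCOPE, MITIGATION_SCOPE}, logging_transport)
    print(m.mitigate("00uEXAMPLEUSERID"))  # ['revoke_sessions', 'suspend_user']
    print("\n".join(log))
```

Sessions are revoked before the account is suspended so that both effects are applied even if the second call fails, and the returned list records exactly which actions took effect, which is what an analyst wants to see in the credential browser after a manual mitigation. Running `missing_scopes` against the features you intend to toggle on in Flare is a quick pre-flight check for the "identities are not populating" troubleshooting case.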