
Data import

General settings

| Setting | Description |
|---|---|
| Name | Type a unique name for the system. Two systems cannot have the same name. |
| System ID | Type a unique System ID for the system. Two systems cannot have the same System ID. You cannot change this setting. |
| Description | Type an optional description of the system. |
| Status | Status of the system. Set the status to Removed to ensure the system is no longer included in warehouse imports, reconciliation or provisioning. Setting a system as removed will delete all objects referring to the system, including resources, manual and automated provisioning tasks, and assignment policies. |
| Content | The type of content to import. You can choose: Identity data; Access rights; Both (Identity data and access rights). |
| Trusts | Optionally, select one or more trusted systems to associate with the system. |
info

Trust is specifically designed for use between physical systems. It is not intended for use between logical and physical systems.

Connection details

| Parameter | Description |
|---|---|
| Base URL | This field is optional. You can specify the Base URL of the service. When you specify a Base URL, this URL will be used for all defined queries that do not specify a full URL of their own. The Base URL is part of the data connection data and should not be transported between environments. For example, http://dev-12345.okta.com/api/v1 |
| Authentication type | Choose the type of authentication to use for the Okta system. For Okta connectivity, the only supported authentication is OAuth2 Static Token, which uses a statically generated bearer token. |
| OAuth static token | This field applies only to the OAuth2 Static Token authentication option. Enter a statically generated bearer token. The value will be encrypted upon storage. |
| OAuth static token type | Provide a custom keyword that will be supplied in front of the static token. For Okta connectivity, the tokens are of the SSWS type. If the field is left blank, the default Bearer value is used. |
| Test connection | This field is optional. You can check this field to force the collector to test the defined connection before moving forward. |
| Test query | This field only appears if the Test connection field is enabled. Here you can enter an optional test query used to verify the connection. The query must be relative to the base address, e.g., 'Users'. Entering a test query is important for a proper test with authentication methods that do not access the target system on their own, e.g., basic authentication or a static bearer token. |

Mappings

Out of the box, the Omada Okta Connectivity provides the following mappings:

Users - Accounts

| Parameter | Value |
|---|---|
| URL | users |

| Destination | Operator | Source |
|---|---|---|
| Business key | Map | id |
| Unique ID | Map | id |
| Account name | Map | profile_login |
| Display name | Expression | profile_firstName + " " + profile_lastName |
| Status | Map | status |
| Last logon | Map | lastLogin |
| Last password change | Map | passwordChanged |
| userId | Map | id |

Groups - Resources

| Parameter | Value |
|---|---|
| URL | groups |

| Destination | Operator | Source |
|---|---|---|
| Business key | Map | id |
| Security resource business key | Map | id |
| Name | Map | profile_name |
| Category | Constant | Permission |
| Type | Constant | Okta Group |
| Display name | Map | profile_description |
| Short name | Map | id |
| group type | Map | type |

Apps - Resources

| Parameter | Value |
|---|---|
| URL | apps |

| Destination | Operator | Source |
|---|---|---|
| Business key | Map | id |
| Security resource business key | Map | id |
| Name | Expression | label == null \| label == "" ? name : label |
| Category | Constant | Permission |
| Type | Constant | Okta App |
| Display name | Map | label |
| Short name | Map | id |

Groups - Resource assignments

| Parameter | Value |
|---|---|
| URL | groups |
| Nested URL | groups/{PARENT_id}/users |

| Destination | Operator | Description |
|---|---|---|
| Resource business key | Map | PARENT_id |
| Account - business key | Map | id |

Apps - Resource assignments

| Parameter | Value |
|---|---|
| URL | apps |
| Nested URL | apps/{PARENT_id}/users |

| Destination | Operator | Description |
|---|---|---|
| Resource business key | Map | PARENT_id |
| Account - business key | Map | id |

Apps - Resources Parent/Child

| Parameter | Value |
|---|---|
| URL | apps |
| Nested URL | apps/{PARENT_id}/groups |

| Destination | Operator | Description |
|---|---|---|
| Indirect | Constant | 1 |
| Parent resource business key | Map | PARENT_id |
| Child resource - business key | Map | id |

Naming convention for mapping and expressions

  • The name used for mapping or expressions is converted into a name that is usable as a C# parameter.
  • Names can contain the characters _, a-z, A-Z, and 0-9, but the first character of the name cannot be a digit (0-9).

Furthermore, any illegal characters will be stripped from the name under the conversion. For example, $somekey1 becomes somekey1 and 1another_key becomes another_key.
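The conversion rule above, implemented as a small added example (this is not the connectivity's own code; the Omada product's internal routine is not published on this page). It follows the two rules exactly as stated, strips illegal characters first and then any leading digits, and additionally reports when two distinct response field names collapse onto the same converted name, which is a direct consequence of stripping and is worth checking before trusting a mapping:

```python
import re

# Per the naming convention: only _, a-z, A-Z and 0-9 are legal, and the
# first character must not be a digit.
_ILLEGAL = re.compile(r"[^A-Za-z0-9_]")
_LEADING_DIGITS = re.compile(r"^[0-9]+")


def to_parameter_name(raw: str) -> str:
    """Convert a raw field name into a name usable as a C# parameter.

    Illegal characters are stripped, then any digits left at the start are
    removed. Matches the page's examples: '$somekey1' -> 'somekey1' and
    '1another_key' -> 'another_key'. A name made only of illegal characters
    or digits converts to the empty string.
    """
    stripped = _ILLEGAL.sub("", raw)
    return _LEADING_DIGITS.sub("", stripped)


def is_valid_parameter_name(name: str) -> bool:
    """True if the name already satisfies the convention without conversion."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name) is not None


def convert_names(raw_names):
    """Convert a list of raw names and detect collisions.

    Returns (mapping, collisions): mapping is raw -> converted; collisions
    lists every converted name reached from more than one raw name (for
    example '$id' and 'id' both become 'id'), so an expression that refers
    to it would silently pick up an ambiguous field.
    """
    mapping = {raw: to_parameter_name(raw) for raw in raw_names}
    by_converted = {}
    for raw, converted in mapping.items():
        by_converted.setdefault(converted, []).append(raw)
    collisions = {c: raws for c, raws in by_converted.items() if len(raws) > 1}
    return mapping, collisions


if __name__ == "__main__":
    # Constructed sample field names, not taken from a real Okta response.
    print(convert_names(["$somekey1", "1another_key", "$id", "id", "12abc"]))
```

Run it with the field names of an actual response before writing expressions against them; an empty converted name or a collision means the mapping should use a different source field.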

Advanced configuration

  1. Optionally, in the Append URL parameter(s) field, enter any additional query parameters that should be added to any of the queries defined under Queries and Mappings.

    info

    The value must be entered following the standard of the service, for example, parameter1=value&parameter2=value. The collector ensures the correct formatting of the entire URL.

  2. Optionally, in the Security Protocol drop-down list, choose a security protocol to use for an HTTPS connection, for example, TLS 1.2. Your organization may limit the use of one or more of the default available security protocols.

  3. Optionally, in the Paging mechanism field, select the type of paging the service uses. Services backed by large datasets may return data in chunks. The Okta collector offers the following options:

    • None: Select this option if the service offers no paging and all data is returned.
    • Paging marker: Use this option if the response contains a field with an indicator which should be used in the URL for the subsequent call. If the response is truncated (that is, if it does not contain all the requested objects), it will contain an IsTruncated element set to True and a Marker element, whose value needs to be used as a parameter in the URL of the call for the subsequent page.
    • Paging URL: Use this option if the response contains a field with a URL for the next page.
    • URL parameters: Use this option if the paging must be specified as URL parameters.

When the selected Paging mechanism is Paging marker:

  • In the Marker element field, type in the name of the response element, whose value will be used in the subsequent pagination requests to obtain the next set of items if the pagination results are truncated.
  • In the Marker parameter field, type in the name of the parameter that will be used in the subsequent pagination requests, with the Marker element value, to obtain the next set of items.

When the selected Paging mechanism is Paging URL:

  • In the Paging URL field, specify the JSON field in the response that contains the URL for the next page of data. The collector will continue querying the service until this field is empty.

When the selected Paging mechanism is URL parameters:

  • In the URL Parameters field, enter the parameters that must be appended to the query to get the next page of data.

info

You can use variables from the response by placing the name of the field in curly brackets, for example, startIndex={index}&count=100.

  • Optionally, in the Total field, enter the JSON field in the response that indicates the total amount of records. If this field is not specified, the service will be called until an empty result set is returned.
  • The Timeout in seconds field allows you to specify how long the collector should wait for a response from the Okta service. The default value is set to 3600 seconds (1 hour).
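To make the four paging options concrete, here is an added Python simulation (not the Omada collector's code) of a client applying each mechanism against a constructed in-memory service. The service, its five sample users, the `style` query parameter used to pick its response shape, the base URL and the page size are all assumptions for the example; the field names `IsTruncated`, `Marker`, `next`, `index` and `totalResults` are constructed to match the descriptions above. The `None` case shows the failure mode a defender cares about: against a service that does page, it returns only the first chunk and the import silently misses accounts.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PAGE_SIZE = 2
BASE_URL = "https://dev-00000.okta.example/api/v1"  # placeholder, not a real tenant
# Constructed sample users standing in for the Okta 'users' endpoint.
USERS = [{"id": f"u{i}", "profile_login": f"user{i}@example.test"} for i in range(1, 6)]


def with_params(url: str, params: str) -> str:
    """Add query parameters to a URL, overwriting any parameter already present."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query.update(parse_qsl(params))
    return urlunsplit(parts._replace(query=urlencode(query)))


def fake_service(url: str) -> dict:
    """Constructed service: pages USERS and answers in the style named by ?style=."""
    q = dict(parse_qsl(urlsplit(url).query))
    style = q.get("style", "none")
    start = int(q.get("marker") or q.get("startIndex") or 0)
    end = start + PAGE_SIZE
    resp = {"Resources": USERS[start:end]}
    if style == "marker":          # Paging marker: IsTruncated + Marker element
        resp["IsTruncated"] = end < len(USERS)
        resp["Marker"] = str(end)
    elif style == "url":           # Paging URL: field holding the next-page URL
        resp["next"] = with_params(url, f"startIndex={end}") if end < len(USERS) else ""
    elif style == "params":        # URL parameters: caller builds the next query
        resp["index"] = end
        resp["totalResults"] = len(USERS)
    return resp                    # style 'none': always the first page only


def substitute(template: str, resp: dict) -> str:
    """Resolve {field} placeholders in the URL parameters template from the response."""
    return template.format_map(resp)


def collect(query: str, mechanism: str, cfg: dict, max_pages: int = 100) -> list:
    """Fetch every item for `query` using the configured Paging mechanism.

    cfg keys mirror the fields above: append_url_parameters, marker_element,
    marker_parameter, paging_url, url_parameters, total. max_pages is a
    safety stop so a misconfigured marker can never loop forever.
    """
    url = f"{BASE_URL}/{query}"
    if cfg.get("append_url_parameters"):
        url = with_params(url, cfg["append_url_parameters"])
    items = []
    for _ in range(max_pages):
        resp = fake_service(url)
        items.extend(resp["Resources"])
        if mechanism == "None":
            return items
        if mechanism == "Paging marker":
            if not resp.get("IsTruncated"):
                return items
            url = with_params(url, f"{cfg['marker_parameter']}={resp[cfg['marker_element']]}")
        elif mechanism == "Paging URL":
            url = resp.get(cfg["paging_url"])
            if not url:
                return items
        elif mechanism == "URL parameters":
            total = cfg.get("total")
            # Stop at the declared total, or on the first empty result set if no Total field is set.
            if (total and len(items) >= resp[total]) or not resp["Resources"]:
                return items
            url = with_params(url, substitute(cfg["url_parameters"], resp))
        else:
            raise ValueError(f"unknown paging mechanism: {mechanism}")
    raise RuntimeError(f"gave up after {max_pages} pages; check the paging configuration")


if __name__ == "__main__":
    print(len(collect("users", "None", {"append_url_parameters": "style=none"})), "of", len(USERS))
    print(len(collect("users", "Paging marker", {"append_url_parameters": "style=marker",
                                                 "marker_element": "Marker",
                                                 "marker_parameter": "marker"})), "of", len(USERS))
```

After changing the paging configuration, compare the imported count against what the Okta admin console reports; a count that equals one page size is the classic sign that the mechanism is set to None on a paging endpoint.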

Account rules

Out of the box, the Omada Okta connectivity has the following Account rules:

| Account rule | Description |
|---|---|
| Ownership rule | The account owner is set to the identity whose 'Email' value matches the 'Name' value of the account. |
| Classification rule | If the account attribute 'Identity join reason' equals 'Exact Match', the account type is set to 'Email'. |

Ownership rule

| Field | Value |
|---|---|
| Type | Identity lookup |
| Join reason | Exact Match |
| Account attribute | Name |
| Identity attribute | Email |

Classification rule

| Field | Value |
|---|---|
| Account type | Email |
| Scope attribute | Identity join reason |
| Scope operator | Equals |
| Scope value | Exact Match |
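The two rules applied in sequence, as an added Python example (not the product's rule engine) over constructed identities and accounts. It shows what "Exact Match" means in practice: the comparison is literal, so an account whose Name differs from the identity's Email only in letter case is not joined and stays unowned, and accounts with no matching identity are left as orphans for review. How the product itself treats several identities sharing one Email is not covered by this page; the example simply leaves such accounts unassigned, which is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Identity:
    identity_id: str
    email: str                      # identity attribute 'Email'


@dataclass
class Account:
    account_id: str
    name: str                       # account attribute 'Name'
    owner: Optional[str] = None
    join_reason: Optional[str] = None   # 'Identity join reason'
    account_type: Optional[str] = None


def apply_ownership_rule(accounts: List[Account], identities: List[Identity]) -> None:
    """Identity lookup with join reason 'Exact Match': account Name == identity Email."""
    by_email = {}
    for ident in identities:
        by_email.setdefault(ident.email, []).append(ident)
    for acct in accounts:
        matches = by_email.get(acct.name, [])     # literal, case-sensitive comparison
        if len(matches) == 1:
            acct.owner = matches[0].identity_id
            acct.join_reason = "Exact Match"
        # 0 matches: orphan account; >1 matches: ambiguous, left unassigned (assumption)


def apply_classification_rule(accounts: List[Account]) -> None:
    """Scope: 'Identity join reason' Equals 'Exact Match' -> account type 'Email'."""
    for acct in accounts:
        if acct.join_reason == "Exact Match":
            acct.account_type = "Email"


def run_account_rules(accounts: List[Account], identities: List[Identity]) -> dict:
    """Run both rules and split the result into owned accounts and orphans."""
    apply_ownership_rule(accounts, identities)
    apply_classification_rule(accounts)
    owned = [a.account_id for a in accounts if a.owner]
    orphans = [a.account_id for a in accounts if not a.owner]
    return {"owned": owned, "orphans": orphans}


def sample_data():
    """Constructed test data, not real identities or accounts."""
    identities = [Identity("I1", "alice@example.test"), Identity("I2", "bob@example.test")]
    accounts = [Account("A1", "alice@example.test"),
                Account("A2", "Alice@example.test"),   # case differs: no exact match
                Account("A3", "carol@example.test")]   # no identity at all
    return accounts, identities


if __name__ == "__main__":
    accounts, identities = sample_data()
    print(run_account_rules(accounts, identities))
```

The orphan list is the output worth watching after each import: every Okta account that the ownership rule cannot join to an identity is an account nobody is accountable for.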