Data provisioning
Provisioning configuration
Parameter | Description |
---|---|
Base address | Specify the server address. |
Entity root | This is optional and is a fragment of the URL that points to provisioned entities (for example, v1/IdentityData). |
Content-type header | Choose the format of the content. The default value is application/json. |
Accept header | The default value is application/json. |
Authentication type | The type of authentication to use for the Okta system. Depending on the type of authentication that you choose, you may see more or fewer settings. For Okta connectivity, the only supported option is OAuth2; all mandatory OAuth fields (marked *) must be completed with proper values. These values can be found in your external vendor's documentation of your Okta system. |
Security protocol | Security protocol of your Okta system. |
Use numeric values | Setting this to true will ensure that intType, longType, and referenceType values in the JSON payload are sent as numeric values and not strings. For referenceType properties, the value is only set as a numeric value when the resolved value can be converted to a numeric value. |
Test connection | This field is optional. You can check this field to force the collector to test the defined connection before moving forward. |
Test query | This field only appears if the Test connection field is enabled. Here you can enter an optional test query used to verify the connection. The query must be relative to the base address, e.g., 'Users'. Entering a test query is important for a proper test of authentication methods that don't themselves access the target system, e.g., basic authentication or a static bearer token. |
Oauth2 authentication
Parameter | Description |
---|---|
OAuth Grant Type | The type of OAuth2 Grant used for authorization. For Okta connectivity, the only supported option is Static token. |
Static token grant
Parameter | Description |
---|---|
OAuth Static Token | Provide your OAuth Static Token. This token is required for the Static token grant. |
OAuth Static Token Type | Provide a custom keyword that will be supplied in front of the static token. For Okta connectivity, the tokens are of SSWS type. If the field is left blank, the default Bearer value is used. |
Data model
The data model for Okta is extensible and consists of two sections: properties and objects.
Properties
The properties section serves as a repository of properties of all objects in the remote system that is subject to provisioning. A single property consists of the following attributes:
Name | Description |
---|---|
name | Unique name of the property. This name must match the property name in the target system. |
required | Here, you can specify if the property is required or not. |
dataType | The data type of the property. By default, the type is a string. If this value is set to referenceType, the property will be used to either calculate reference properties or to calculate the object ID value. |
Here, you can see the XML configuration for properties:
```xml
<connectorDataModel xmlns="http://schemas.omada.net/ops/2015/ConnectorDataModelML" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" modelNamespace="Okta">
  <properties>
    <property name="profile.firstName"/>
    <property name="profile.lastName"/>
    <property name="profile.email"/>
    <property name="profile.login"/>
    <property name="credentials.password.value" dataType="secureStringType"/>
    <property name="userId" dataType="referenceType"/>
    <!-- Group specific -->
    <property name="groupId"/>
    <property name="appId"/>
  </properties>
  <!-- the objects section follows here -->
</connectorDataModel>
```
Objects
The objects section is a set of objects. Each object has a name property that must match one of the names in task mappings. For more about task mappings, see the Task mappings subchapter of the Omada Identity - Import and Onboarding Guide.
Inside an object, there are two subnodes: objectDetails and objectProperties. For more information about each, see the following two subchapters.
objectDetails
ObjectDetails are used to provide details about how an object is treated. Each property can also have a reference property as part of its value. The name of the reference property must be in curly brackets, for example:
```xml
<objectProperty referenceObject="Profile"
                referenceKeyProperty="Id"
                referenceLookupProperty="Name">ProfileId</objectProperty>
```
When a property is used as part of an objectDetail, the property is removed from the JSON body of the HTTP request. If the property is needed for both the object detail and the JSON body, you must make another reference property with a different name.
The Okta Connector issues HTTP requests to the REST endpoints of the remote system. These endpoints are defined relative to a single baseAddress and are appended to it, following REST conventions.
If the remote system has a custom REST implementation, you can use the objectDetails to define the custom properties in the Okta connector:
Name | Description |
---|---|
ResourcePathCreate | The path to be appended to the EndPointAddress for create operations. |
ResourcePathUpdate | The path to be appended to the EndPointAddress for update operations. |
ResourcePathDelete | The path to be appended to the EndPointAddress for delete operations. |
ResourcePath | Use this property if the path is the same for all the create, update, and delete options. This setting will override these properties, even if they are specified. |
VerbForCreate | Use this property if the remote system requires another verb for create operations where the default is POST. |
VerbForUpdate | Use this property if the remote system requires another verb for update operations where the default is POST. |
VerbForDelete | Use this property if the remote system requires another verb for delete operations where the default is POST. |
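As an added illustration (not the connector's own code), the following Python shows how the objectDetails above resolve to a verb, a relative path and a JSON body for one operation: ResourcePath overriding the per-operation paths, verbs defaulting to POST, and a {userId} placeholder being substituted into the path and then removed from the body. The detail values, the DELETE verb, the {userId} placeholder and the dropping of null-valued properties are assumptions made for this example.

```python
import re

# Constructed objectDetails for an Okta "users" object, using the detail names
# from the table above; the {userId} placeholder and the DELETE verb are assumed.
OBJECT_DETAILS = {
    "ResourcePathCreate": "users",
    "ResourcePathUpdate": "users/{userId}",
    "ResourcePathDelete": "users/{userId}",
    "VerbForDelete": "DELETE",
}
DEFAULT_VERB = "POST"  # the page's default for every operation
PLACEHOLDER = re.compile(r"\{(\w+)\}")  # {propertyName} inside a detail value


def build_request(operation, details, props):
    """Return (verb, relative path, JSON body) for one provisioning operation.

    A property consumed by a {placeholder} in the path is removed from the body,
    as the page describes; null-valued properties are dropped too (assumption).
    """
    op = operation.capitalize()  # "Create", "Update" or "Delete"
    # A plain ResourcePath overrides the per-operation paths whenever it is set.
    path = details.get("ResourcePath") or details.get("ResourcePath" + op)
    if path is None:
        raise ValueError("no resource path configured for " + op)
    verb = details.get("VerbFor" + op, DEFAULT_VERB)
    used = set()

    def substitute(match):
        name = match.group(1)
        if props.get(name) is None:
            raise ValueError("reference property %r has no value for %s" % (name, op))
        used.add(name)
        return str(props[name])

    path = PLACEHOLDER.sub(substitute, path)
    body = {k: v for k, v in props.items() if k not in used and v is not None}
    return verb, path, body


# Constructed task values as the "Okta users" mapping on this page would produce
# them: the password is only sent on Create, userId only on Update/Delete.
CREATE_PROPS = {"profile.login": "jane@example.com", "profile.firstName": "Jane",
                "credentials.password.value": "S3cret!", "userId": None}
UPDATE_PROPS = {"profile.login": "jane@example.com", "profile.firstName": "Janet",
                "credentials.password.value": None, "userId": "jane@example.com"}

if __name__ == "__main__":
    for op, props in (("Create", CREATE_PROPS), ("Update", UPDATE_PROPS)):
        print(op, build_request(op, OBJECT_DETAILS, props))
```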
objectProperty
Name | Description |
---|---|
referenceObject | The object to query. |
referenceKeyProperty | The property of an object that is the result of the query. |
referenceLookupProperty | A string property that indicates the property in the referenced object to make a lookup against to find the reference object from the task property value. |
JSONPath property names
You can use JSONPath to update existing field values in the request. This feature is useful for reconciliation or when utilizing request template object details.
JSONPath properties can only be used with fields that are already present in the JSON document; JSONPath can't create new fields.
If you don't use reconciliation, add other properties that build the location in the JSON document that the JSONPath points to.
Property names starting with $. are interpreted by the connector as a JSON path. The values of those properties can be either text or JSON format. In the latter case, the connector adds the corresponding structure at the designated location.
JSONPath properties can be combined with the existing properties; they are applied on top of the prepared request.
```xml
<properties>
  <property name="$.added[0].loginId" />
  <property name="$.added[0].roles" multiValued="true" />
  <property name="$.added[0].sampleArray" multiValued="true" />
</properties>
```
Request templates
You can provide a JSON request template in the object details, with the request template defined per operation.
The following convention must be followed when naming the detail: {Operation}Request (for example, CreateRequest).
As shown in the example below, the template is stored within the <largeDataField> element.
```xml
<object name="SampleUser">
  <objectDetails>
    <objectDetail name="CreateRequest">
      <largeDataField>
        {
          "added":[
            {
              "organization":{
                "name":"my company",
                "type":"Company"
              },
              "roles":[
                {
                  "name":"Role 1"
                },
                {
                  "name":"Role 2"
                }
              ],
              "sampleArray":[],
              "loginId":"myLogin"
            }
          ]
        }
      </largeDataField>
    </objectDetail>
  </objectDetails>
</object>
```
Task mappings
The Omada Okta Connectivity provides the following mappings out of the box.
Parameter | Description |
---|---|
Okta Users | Contains mappings of account assignments to Okta user assignments |
Okta Groups | Contains mappings of group assignments to Okta group assignments |
Okta Apps | Contains mappings of app assignments to Okta app assignments |
Okta users
Destination | Operator | Source |
---|---|---|
Object Id | Map | ObjectId |
Object type | Constant | users |
Operation | Map | Operation |
profile.firstName | Map | ROPE_ATTR_FIRSTNAME |
profile.lastName | Map | ROPE_ATTR_LASTNAME |
profile.email | Map | ROPE_AccountName |
profile.login | Map | ROPE_AccountName |
credentials.password.value | Expression | Operation == "Create" ? ROPE_ATTR_INITIALPASSWORD : null |
userId | Expression | Operation == "Create" ? null : ROPE_AccountName |
Okta groups
Destination | Operator | Source |
---|---|---|
Object Id | Map | ObjectId |
Object type | Constant | groups |
Operation | Map | Operation |
groupId | Map | ROPE_ResourceIdentifier |
userId | Map | ROPE_AccountName |
Okta Apps
Destination | Operator | Source |
---|---|---|
Object Id | Map | ObjectId |
Object type | Constant | apps |
Operation | Map | Operation |
appId | Map | ROPE_ResourceIdentifier |
userId | Map | ROPE_AccountName |