
Integration with Okta

To enable Okta integration, generate an Okta API token and configure the EDFN agent.

No special configuration is needed in Okta. Only an API token has to be generated, and the user who generates the token must have the read System Logs permission (for example, the user may have the “Report Administrator” role). To generate the API token:

  1. Sign in to your Okta organization
  2. Navigate to Admin Console > Security > API > Tokens tab
  3. Click Create Token
  4. Enter a token name and click the Create Token button
  5. Record the token value

For more details about API tokens and how to generate them, see: https://developer.okta.com/docs/guides/create-an-api-token/main/

User Identity Agent Configuration

Open the NFO web interface and navigate to the External Data Feeder page or to the Network Conversations Monitor module’s page, and perform the following:

  1. Open the User Identity Monitor agent configuration window

  2. Select the Okta Identity Cloud tab and add a new record. Enter the following properties:

    • IDP: Identity Provider name to be reported in the idp field of the output syslog
    • Okta domain: Okta organization URL, such as https://<org>.okta.com
    • API token: Okta API token used to authenticate the EDFN agent’s requests
    • Session timeout: if no logs are received for a user during the timeout period, the user session is considered closed. Format example: 1d 2h 5m 10s means 1 day, 2 hours, 5 minutes, 10 seconds

We recommend setting Session timeout equal to the Maximum Okta session lifetime. If that value is No time limit, set it to 12h. The Maximum Okta session lifetime value is available in the Okta organization Admin Console > Security > Authentication > Sign On tab: select the policy and expand the rule to view the value.

The agent may request logs from several Okta organizations. Add a separate configuration record for each Okta organization.

Save the agent changes. The agent will request new event logs and update the watch list according to the scheduler expression (every minute by default).

Implementation Details

The EDFN agent reads Okta logs via the System Log API: https://developer.okta.com/docs/reference/api/system-log/

During the first agent execution, all logs no older than the session timeout are requested. After that, only logs since the last event are requested.

The agent reads only success events whose event type starts with user., using the filter eventType sw "user." and outcome.result eq "SUCCESS". All event types are listed here: https://developer.okta.com/docs/reference/api/event-types/

There are three different groups of event types:

  • New user session or session prolongation events: user.session.start and any other event except the types listed in the next two items
  • Session close events: user.session.end or user.session.expire
  • Close all user sessions: user.session.clear, user.lifecycle.deactivate, or user.lifecycle.suspend

The user name is read from the actor JSON section or from the target section. The IP address is taken from the client section.
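The following is an added example, not the NFO/EDFN product code, that models the behaviour described in this section: it parses the Session timeout format, builds the System Log query with the documented filter and since parameter, classifies events into the three groups above, and maintains a watch list keyed by user and client IP that expires entries after the timeout. The sample events are constructed; the JSON field names (actor.alternateId, target[].alternateId, client.ipAddress, published) follow the public System Log API, and choosing the target user for "close all" events is an assumption of this example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Filter from the documentation: successful events whose type starts with "user."
OKTA_FILTER = 'eventType sw "user." and outcome.result eq "SUCCESS"'

SESSION_CLOSE = {"user.session.end", "user.session.expire"}
CLOSE_ALL = {"user.session.clear", "user.lifecycle.deactivate", "user.lifecycle.suspend"}

_DURATION_RE = re.compile(r"(\d+)\s*([dhms])")
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_timeout(text: str) -> timedelta:
    """Parse the 'Session timeout' format, e.g. '1d 2h 5m 10s' or '12h'."""
    parts = _DURATION_RE.findall(text)
    # Reject anything the regex did not fully consume (e.g. '3w', 'abc').
    if not parts or "".join(n + u for n, u in parts) != re.sub(r"\s+", "", text):
        raise ValueError(f"bad timeout format: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def system_log_query(org_url: str, since_iso: str) -> str:
    """Build the System Log URL the agent would poll (no request is sent here)."""
    params = {"since": since_iso, "filter": OKTA_FILTER}
    return f"{org_url.rstrip('/')}/api/v1/logs?{urlencode(params)}"


def to_dt(iso: str) -> datetime:
    """Okta timestamps end in 'Z'; fromisoformat needs an explicit offset on older Pythons."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify(event: dict) -> str:
    """Map an event to one of the three documented groups, or 'ignored'."""
    etype = event.get("eventType", "")
    if event.get("outcome", {}).get("result") != "SUCCESS" or not etype.startswith("user."):
        return "ignored"
    if etype in CLOSE_ALL:
        return "close_all"
    if etype in SESSION_CLOSE:
        return "close"
    return "start_or_prolong"


def user_of(event: dict, prefer_target: bool) -> Optional[str]:
    """User name from the actor or target section (assumption: 'close all' events name the affected user in target)."""
    actor = [event.get("actor") or {}]
    targets = [t for t in (event.get("target") or []) if t.get("type") == "User"]
    for section in (targets + actor) if prefer_target else (actor + targets):
        if section.get("alternateId"):
            return section["alternateId"]
    return None


class WatchList:
    """user -> {client IP -> last event time}; an IP entry expires after the session timeout."""

    def __init__(self, timeout: timedelta):
        self.timeout = timeout
        self.sessions: Dict[str, Dict[str, datetime]] = {}

    def apply(self, event: dict) -> None:
        group = classify(event)
        if group == "ignored":
            return
        user = user_of(event, prefer_target=(group == "close_all"))
        ip = (event.get("client") or {}).get("ipAddress")
        if user is None:
            return
        if group == "close_all":
            self.sessions.pop(user, None)
        elif group == "close":
            ips = self.sessions.get(user, {})
            ips.pop(ip, None)
            if not ips:
                self.sessions.pop(user, None)
        elif ip:
            self.sessions.setdefault(user, {})[ip] = to_dt(event["published"])

    def active(self, now: datetime) -> Dict[str, List[str]]:
        """Sessions with log activity within the timeout window, as user -> sorted IPs."""
        out: Dict[str, List[str]] = {}
        for user, ips in self.sessions.items():
            live = sorted(ip for ip, seen in ips.items() if now - seen <= self.timeout)
            if live:
                out[user] = live
        return out


# Constructed sample events (not real Okta data).
EVENTS = [
    {"eventType": "user.session.start", "published": "2024-05-01T08:00:00.000Z", "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "alice@example.com"}, "client": {"ipAddress": "192.0.2.10"}},
    {"eventType": "user.session.start", "published": "2024-05-01T08:01:00.000Z", "outcome": {"result": "FAILURE"},
     "actor": {"type": "User", "alternateId": "mallory@example.com"}, "client": {"ipAddress": "192.0.2.99"}},
    {"eventType": "user.authentication.sso", "published": "2024-05-01T09:30:00.000Z", "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "alice@example.com"}, "client": {"ipAddress": "192.0.2.10"}},
    {"eventType": "user.session.start", "published": "2024-05-01T09:35:00.000Z", "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7"}},
    {"eventType": "user.lifecycle.suspend", "published": "2024-05-01T09:40:00.000Z", "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "admin@example.com"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}], "client": {"ipAddress": "203.0.113.5"}},
]


def run_demo(now_iso: str, timeout: str = "12h") -> Dict[str, List[str]]:
    """Replay the sample events and report who is still active at now_iso."""
    wl = WatchList(parse_timeout(timeout))
    for ev in EVENTS:
        wl.apply(ev)
    return wl.active(to_dt(now_iso))


if __name__ == "__main__":
    print(system_log_query("https://example.okta.com", "2024-05-01T08:00:00Z"))
    print(run_demo("2024-05-01T10:00:00Z"))  # alice active; bob suspended; mallory's failed login ignored
    print(run_demo("2024-05-01T22:00:00Z"))  # alice's last event is older than 12h, so nothing is active
```

The failed login is dropped by the filter, the sso event prolongs alice's session (it falls into the first group), and the suspend event removes every session of the target user; the first run's since value would simply be the current time minus the parsed timeout.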