Integration with Okta
To enable Okta integration you need to generate an Okta API token and configure the EDFN agent.
No special configuration is required in Okta. Only an API token has to be generated, and the user who generates the token must have the read System Logs permission (for example, the user may have the “Report Administrator” role). To generate the API token:
- Sign in to your Okta organization
- Navigate to Admin Console > Security > API > Token tab
- Click Create Token
- Enter token name and click Create Token button
- Record the token value
For more details about API tokens and how to generate them, see: https://developer.okta.com/docs/guides/create-an-api-token/main/
User Identity Agent Configuration
Open the NFO web interface and navigate to the External Data Feeder page or to the Network Conversations Monitor module’s page, and perform the following:
- Open the User Identity Monitor agent configuration window
- Select the Okta Identity Cloud tab and add a new record. Enter the following properties:
  - IDP: Identity Provider name to be reported in the idp output syslog field
  - Okta domain: Okta organization URL, like https://<org>.okta.com
  - API token: Okta API token used to authenticate the EDFN agent’s requests
  - Session timeout: if there are no logs during the timeout period, the user session is expected to be closed. Format example: 1d 2h 5m 10s indicates 1 day, 2 hours, 5 minutes, 10 seconds
We recommend setting Session timeout equal to the Maximum Okta session lifetime. If this value is No time limit, set it to 12h. The Maximum Okta session lifetime value is available in the Okta organization Admin Console > Security > Authentication > Sign On tab > select Policy and expand the rule to view the value.
The agent may request logs from different Okta organizations. Add a separate configuration record for each Okta organization.
Save the agent changes. The agent will request new event logs and update the watch list according to the scheduler expression (every minute by default).
Implementation Details
EDFN agent reads Okta logs via the System Log API: https://developer.okta.com/docs/reference/api/system-log/
During the first agent execution, all logs no older than the session timeout are requested. After that, only logs since the last event are requested.
The agent reads only success events whose event type starts with user., using the filter: eventType sw "user." and outcome.result eq "SUCCESS". All event types are listed here: https://developer.okta.com/docs/reference/api/event-types/
There are three different groups of event types:
- New user session or session prolongation events: user.session.start and all other events except the types in the next two items
- Session close events: user.session.end or user.session.expire
- Close all user sessions: user.session.clear, user.lifecycle.deactivate, or user.lifecycle.suspend
The user name is read from the actor JSON section or from the target section. The IP address is taken from the client section.
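The polling, filtering and session-tracking logic described in this section and the Session timeout format from the configuration section, written out as an added Python example. This is not the EDFN agent's own code: it builds the System Log API request the page describes (Okta's `filter`/`since`/`sortOrder`/`limit` parameters and the SSWS authorization scheme; the page size of 1000 is this example's choice), classifies events into the page's three groups, and keeps a watch list keyed by user and client IP. The event field names (`actor.alternateId`, `client.ipAddress`, `target[].alternateId`, `published`) follow Okta's System Log event shape; treating the target User rather than the acting admin as the affected account for suspend/deactivate events is an assumption made here, and the sample events are constructed for the demo.

```python
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Filter the page gives for the System Log API: successful "user.*" events only.
SYSTEM_LOG_FILTER = 'eventType sw "user." and outcome.result eq "SUCCESS"'
# The page's three event-type groups; any other "user.*" event starts or prolongs a session.
CLOSE_EVENTS = {"user.session.end", "user.session.expire"}
CLEAR_EVENTS = {"user.session.clear", "user.lifecycle.deactivate", "user.lifecycle.suspend"}
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TIMEOUT_TOKEN = re.compile(r"(\d+)\s*([dhms])")


def parse_session_timeout(text):
    """Parse the agent's Session timeout format ('1d 2h 5m 10s', '12h') into a timedelta."""
    tokens = _TIMEOUT_TOKEN.findall(text)
    if not tokens or _TIMEOUT_TOKEN.sub("", text).strip():
        raise ValueError("unrecognised session timeout: %r" % text)
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in tokens))


def build_system_log_request(okta_domain, api_token, since):
    """Build (not send) the System Log API GET the agent would issue.
    `since` is the last event seen, or now minus the session timeout on the first run.
    Parameter names and the SSWS scheme are Okta's; the page size is this example's choice."""
    params = {"filter": SYSTEM_LOG_FILTER,
              "since": since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "sortOrder": "ASCENDING", "limit": "1000"}
    url = okta_domain.rstrip("/") + "/api/v1/logs?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Authorization": "SSWS " + api_token,
                                                "Accept": "application/json"})


def classify(event_type):
    """Map an event type to one of the page's three groups, or None if ignored."""
    if event_type in CLEAR_EVENTS:
        return "clear"
    if event_type in CLOSE_EVENTS:
        return "close"
    return "start" if event_type.startswith("user.") else None


def affected_user(event, group):
    """User name from the actor section, falling back to the target section.
    Assumption: for clear-group events an admin issues against another account
    (suspend, deactivate), the affected user is the target User, not the actor."""
    actor = (event.get("actor") or {}).get("alternateId")
    targets = [t["alternateId"] for t in event.get("target") or []
               if t.get("type") == "User" and t.get("alternateId")]
    if group == "clear" and targets:
        return targets[0]
    return actor or (targets[0] if targets else None)


def parse_timestamp(iso):
    """Okta publishes UTC timestamps with a trailing 'Z'; make them timezone-aware."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def update_watch_list(watch_list, events, session_timeout, now):
    """Apply events in published order to {(user, ip): expiry}: a start-group event
    (re)sets expiry to published + timeout, a close event drops that user's session
    from that client IP, a clear event drops all of the user's sessions. Finally,
    sessions whose expiry has passed are dropped."""
    for event in sorted(events, key=lambda e: e["published"]):
        if (event.get("outcome") or {}).get("result") != "SUCCESS":
            continue  # already excluded by the API filter; checked defensively
        group = classify(event.get("eventType", ""))
        user = affected_user(event, group) if group else None
        if not user:
            continue
        ip = (event.get("client") or {}).get("ipAddress")
        if group == "clear":
            for key in [k for k in watch_list if k[0] == user]:
                del watch_list[key]
        elif group == "close":
            watch_list.pop((user, ip), None)
        else:
            watch_list[(user, ip)] = parse_timestamp(event["published"]) + session_timeout
    for key in [k for k, expiry in watch_list.items() if expiry <= now]:
        del watch_list[key]
    return watch_list


def _event(published, event_type, actor, ip, result="SUCCESS", target=None):
    """Constructed sample event in System Log shape (not real data)."""
    return {"published": published, "eventType": event_type, "outcome": {"result": result},
            "actor": {"type": "User", "alternateId": actor}, "client": {"ipAddress": ip},
            "target": [{"type": "User", "alternateId": target}] if target else []}


# Constructed sample log: out of order, one failed login, one admin suspension.
SAMPLE_EVENTS = [
    _event("2024-05-01T09:10:00.000Z", "user.authentication.sso", "alice@example.com", "10.0.0.5"),
    _event("2024-05-01T09:00:00.000Z", "user.session.start", "alice@example.com", "10.0.0.5"),
    _event("2024-05-01T09:05:00.000Z", "user.session.start", "bob@example.com", "10.0.0.7"),
    _event("2024-05-01T09:20:00.000Z", "user.session.start", "bob@example.com", "10.0.0.9", "FAILURE"),
    _event("2024-05-01T09:30:00.000Z", "user.lifecycle.suspend", "admin@example.com", "10.0.0.2",
           target="bob@example.com"),
]


def demo_watch_list(now_iso, timeout_text="12h"):
    """Run the sample through the tracker; returns {(user, ip): expiry as ISO string}."""
    expiries = update_watch_list({}, SAMPLE_EVENTS, parse_session_timeout(timeout_text),
                                 parse_timestamp(now_iso))
    return {key: expiry.isoformat() for key, expiry in expiries.items()}
```

Running `demo_watch_list("2024-05-01T10:00:00Z")` leaves only alice's session from 10.0.0.5, with the expiry pushed out by her later SSO event, because bob's failed login is ignored and the admin suspension clears all of bob's sessions; calling it with a `now` past the expiry returns an empty watch list, which is the behaviour a 12h timeout gives when no further logs arrive.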