Okta
Port's Okta integration allows you to model Okta identity and access management resources in your software catalog and ingest data into them.
Overviewโ
This integration allows you to:
- Map and organize your desired Okta resources and their metadata in Port (see supported resources below).
- Watch for Okta object changes (create/update/delete) in real-time, and automatically apply the changes to your entities in Port.
- Track user and group relationships for better access management visibility.
Supported resourcesโ
The resources that can be ingested from Okta into Port are listed below. It is possible to reference any field that appears in the API responses linked below in the mapping configuration.
Prerequisitesโ
Create an Okta API tokenโ
- Log in to your Okta admin console.
- Navigate to Security > API > Tokens.
- Click Create Token.
- Provide a name for your token (e.g., "Port Integration").
- Click Create Token.
- Copy the generated token and save it securely.
Store your API token securely and never share it. The token provides access to your Okta data.
Okta Domainโ
Your Okta domain is the subdomain of your Okta organization URL. For example, if your Okta URL is https://dev-123456.okta.com, your domain would be dev-123456.okta.com.
Setupโ
Choose one of the following installation methods:
Not sure which method is right for your use case? Check the available installation methods.
- Hosted by Port (Recommended)
- Self-hosted
- CI
Using this installation option means that the integration will be hosted by Port, with a customizable resync interval to ingest data into Port.
Live event support
This integration supports live events, allowing real-time updates to your software catalog without waiting for the next scheduled sync.
Supported live event triggers
User:
- user.lifecycle.create
- user.lifecycle.activate
- user.lifecycle.deactivate
- user.lifecycle.suspend
- user.lifecycle.unsuspend
- user.lifecycle.delete
- user.account.update_profile
Group:
- group.lifecycle.create
- group.lifecycle.delete
- group.lifecycle.update
Group Membership:
- group.user_membership.add
- group.user_membership.remove
Alternatively, you can install the integration using the Self-hosted method to update Port in real time using webhooks.
Installation
To install, follow these steps:
-
Go to the Data sources page of your portal.
-
Click on the
+ Data sourcebutton in the top-right corner. -
Click on the relevant integration in the list.
-
Under
Select your installation method, chooseHosted by Port. -
Configure the
integration settingsandapplication settingsas you wish (see below for details).
Application settings
Every integration hosted by Port has the following customizable application settings, which are configurable after installation:
-
Resync interval: The frequency at which Port will ingest data from the integration. There are various options available, ranging from every 1 hour to once a day. If a sync is still in progress when the next one is due, the new sync will be skipped (up to 24 hours delay).
This ensures that all kinds are fully synchronized and that cleanup of stale entities always takes place at the end of each sync. -
Send raw data examples: A boolean toggle (enabledby default). If enabled, raw data examples will be sent from the integration to Port. These examples are used when testing your mapping configuration, they allow you to run yourjqexpressions against real data and see the results.
Integration settings
Every integration has its own tool-specific settings, under the Integration settings section.
Each of these settings has an โ icon next to it, which you can hover over to see a description of the setting.
Port secrets
Some integration settings require sensitive pieces of data, such as tokens.
For these settings, Port secrets will be used, ensuring that your sensitive data is encrypted and secure.
When filling in such a setting, its value will be obscured (shown as โขโขโขโขโขโขโขโข).
For each such setting, Port will automatically create a secret in your organization.
To see all secrets in your organization, follow these steps.
Limitations
- The maximum time for a full sync to run is based on the configured resync interval. For very large amounts of data where a resync operation is expected to take longer, please use a longer interval.
Port source IP addresses
When using this installation method, Port will make outbound calls to your 3rd-party applications from static IP addresses.
You may need to add these addresses to your allowlist, in order to allow Port to interact with the integrated service:
- Europe (EU)
- United States (US)
54.73.167.226
63.33.143.237
54.76.185.219
3.234.37.33
54.225.172.136
3.225.234.99
Using this installation method means that the integration will be able to update Port in real time using webhooks.
Prerequisites
To install the integration, you need a Kubernetes cluster that the integration's container chart will be deployed to.
Please make sure that you have kubectl and helm installed on your machine, and that your kubectl CLI is connected to the Kubernetes cluster where you plan to install the integration.
If you are having trouble installing this integration, please refer to these troubleshooting steps.
To install the integration using Helm:
-
Go to the Okta data source page in your portal.
-
Select the
Real-time and always onmethod:
-
A
helmcommand will be displayed, with default values already filled out (e.g. your Port client ID, client secret, etc).
Copy the command, replace the placeholders with your values, then run it in your terminal to install the integration.
BaseUrl & webhook configuration
integration.config.appHost is deprecated: Please use liveEvents.baseUrl for webhook URL settings instead.
In order for the Okta integration to update the data in Port on real-time changes in Okta, you need to specify the liveEvents.baseUrl parameter.
The liveEvents.baseUrl parameter should be set to the url of your Okta integration instance. Your integration instance needs to have the option to setup webhooks via http requests/recieve http requests , so please configure your network accordingly.
To test webhooks or live event delivery to your local environment, expose your local pod or service to the internet using ngrok:
ngrok http http://localhost:8000
This will provide a public URL you can use for webhook configuration and external callbacks during development.
If liveEvents.baseUrl is not provided, the integration will continue to function correctly. In such a configuration, to retrieve the latest information from the target system, the scheduledResyncInterval parameter has to be set, or a manual resync will need to be triggered through Port's UI.
Scalable Mode for Large Integrations
If you are deploying the integration at scale and want to decouple the resync process from the live events process (recommended for large or high-throughput environments), you can enable scalable mode by adding the following flags to your Helm install command:
--set workload.kind="CronJob" \
--set workload.cron.resyncTimeoutMinutes=60 \
--set scheduledResyncInterval="'*/60 * * * *'" \
--set liveEvents.worker.enabled=true
For details about the available parameters for the installation, see the table below.
This table summarizes the parameters used for the installation.
Note the parameters specific to this integration, they are last in the table.
| Parameter | Description | Required |
|---|---|---|
port.clientId | Your Port client id, used to identify your account | โ |
port.clientSecret | Your Port client secret, used to identify your account | โ |
port.baseUrl | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | โ |
initializePortResources | Default: true. When true, the integration will create default blueprints and configuration mapping | โ |
sendRawDataExamples | Default: true. Enable sending raw data examples from the third party API to Port for testing and managing the integration mapping | โ |
integration.identifier | The integration's identifier, used to reference the integration when using Port's API | โ |
integration.type | The integration type, used to denote the integrated tool/platform | โ |
integration.eventListener.type | The method used to listen to events from the 3rd party tool (POLLING or KAFKA) | โ |
integration.secrets.oktaApiToken | The Okta API token used to authenticate Port to Okta | โ |
integration.config.oktaDomain | Your Okta domain (e.g., dev-123456.okta.com) | โ |
integration.secrets.oktaWebhookSecret | Optional secret used to verify incoming webhook requests | โ |
This workflow/pipeline will run the Okta integration once and then exit, this is useful for scheduled ingestion of data.
If you want the integration to update Port in real time you should use the Self-hosted installation option.
- GitHub
- Jenkins
- Azure Devops
Make sure to configure the following GitHub Secrets:
| Parameter | Description | Required |
|---|---|---|
OCEAN__PORT__CLIENT_ID | Your Port client id | โ |
OCEAN__PORT__CLIENT_SECRET | Your Port client secret | โ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | โ |
OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN | Your Okta domain. For example dev-123456.okta.com | โ |
OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN | The Okta API token. Generate it from Okta Admin Console under Security > API > Tokens | โ |
OCEAN__INTEGRATION__IDENTIFIER | Change the identifier to describe your integration; if not set, a default identifier will be used | โ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true. When set to false, the integration will not create default blueprints and mapping | โ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Default true. When set to false, raw data examples will not be sent to Port | โ |
Here is an example for okta-integration.yml workflow file:
name: Okta Exporter Workflow
on:
workflow_dispatch:
schedule:
- cron: '0 */1 * * *' # Determines the scheduled interval for this workflow. This example runs every hour.
jobs:
run-integration:
runs-on: ubuntu-latest
timeout-minutes: 30 # Set a time limit for the job
steps:
- uses: port-labs/ocean-sail@v1
with:
type: 'okta'
port_client_id: ${{ secrets.OCEAN__PORT__CLIENT_ID }}
port_client_secret: ${{ secrets.OCEAN__PORT__CLIENT_SECRET }}
port_base_url: https://api.getport.io
config: |
okta_domain: ${{ secrets.OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN }}
okta_api_token: ${{ secrets.OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN }}
Your Jenkins agent should be able to run docker commands.
Make sure to configure the following Jenkins Credentials
of Secret Text type:
| Parameter | Description | Required |
|---|---|---|
OCEAN__PORT__CLIENT_ID | Your Port client id | โ |
OCEAN__PORT__CLIENT_SECRET | Your Port client secret | โ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | โ |
OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN | Your Okta domain. For example dev-123456.okta.com | โ |
OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN | The Okta API token. Generate it from Okta Admin Console under Security > API > Tokens | โ |
OCEAN__INTEGRATION__IDENTIFIER | Change the identifier to describe your integration; if not set, a default identifier will be used | โ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true. When set to false, the integration will not create default blueprints and mapping | โ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Default true. When set to false, raw data examples will not be sent to Port | โ |
Here is an example for Jenkinsfile groovy pipeline file:
pipeline {
agent any
stages {
stage('Run Okta Integration') {
steps {
script {
withCredentials([
string(credentialsId: 'OCEAN__PORT__CLIENT_ID', variable: 'OCEAN__PORT__CLIENT_ID'),
string(credentialsId: 'OCEAN__PORT__CLIENT_SECRET', variable: 'OCEAN__PORT__CLIENT_SECRET'),
string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN', variable: 'OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN'),
string(credentialsId: 'OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN', variable: 'OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN'),
]) {
sh('''
# Set Docker image and run the container
integration_type="okta"
version="latest"
image_name="ghcr.io/port-labs/port-ocean-${integration_type}:${version}"
docker run -i --rm --platform=linux/amd64 \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN=$OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN \
-e OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN=$OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN \
-e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
-e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$image_name
exit $?
''')
}
}
}
}
}
}
Your Azure DevOps agent should be able to run docker commands.
Make sure to configure the following Azure DevOps Variables as secret variables:
| Parameter | Description | Required |
|---|---|---|
OCEAN__PORT__CLIENT_ID | Your Port client id | โ |
OCEAN__PORT__CLIENT_SECRET | Your Port client secret | โ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | โ |
OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN | Your Okta domain. For example dev-123456.okta.com | โ |
OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN | The Okta API token. Generate it from Okta Admin Console under Security > API > Tokens | โ |
OCEAN__INTEGRATION__IDENTIFIER | Change the identifier to describe your integration; if not set, a default identifier will be used | โ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true. When set to false, the integration will not create default blueprints and mapping | โ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Default true. When set to false, raw data examples will not be sent to Port | โ |
Here is an example for okta-integration.yml pipeline file:
trigger:
- main
pool:
vmImage: "ubuntu-latest"
variables:
- group: port-ocean-credentials
steps:
- script: |
# Set Docker image and run the container
integration_type="okta"
version="latest"
image_name="ghcr.io/port-labs/port-ocean-$integration_type:$version"
docker run -i --rm \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN=$(OCEAN__INTEGRATION__CONFIG__OKTA_DOMAIN) \
-e OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN=$(OCEAN__INTEGRATION__SECRETS__OKTA_API_TOKEN) \
-e OCEAN__PORT__CLIENT_ID=$(OCEAN__PORT__CLIENT_ID) \
-e OCEAN__PORT__CLIENT_SECRET=$(OCEAN__PORT__CLIENT_SECRET) \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$image_name
exit $?
displayName: 'Ingest Data into Port'
For advanced configuration such as proxies or self-signed certificates, click here.
Configurationโ
Port integrations use a YAML mapping block to ingest data from the third-party api into Port.
The mapping makes use of the JQ JSON processor to select, modify, concatenate, transform and perform other operations on existing fields and values from the integration API.
Default mapping configurationโ
This is the default mapping configuration for this integration:
Default mapping configuration (click to expand)
resources:
- kind: okta-user
selector:
query: 'true'
include_groups: true
include_applications: true
fields: "id,status,created,activated,lastLogin,lastUpdated,profile:(login,firstName,lastName,displayName,email,title,department,employeeNumber,mobilePhone,primaryPhone,streetAddress,city,state,zipCode,countryCode)"
port:
entity:
mappings:
identifier: .id
title: .profile.displayName // .profile.firstName + " " + .profile.lastName // .profile.login
blueprint: '"okta-user"'
properties:
login: .profile.login
email: .profile.email
firstName: .profile.firstName
lastName: .profile.lastName
displayName: .profile.displayName
title: .profile.title
department: .profile.department
employeeNumber: .profile.employeeNumber
mobilePhone: .profile.mobilePhone
primaryPhone: .profile.primaryPhone
streetAddress: .profile.streetAddress
city: .profile.city
state: .profile.state
zipCode: .profile.zipCode
countryCode: .profile.countryCode
status: .status
created: .created
activated: .activated
lastLogin: .lastLogin
lastUpdated: .lastUpdated
relations:
groups: .groups[]?.id
- kind: okta-group
selector:
query: 'true'
port:
entity:
mappings:
identifier: .id
title: .profile.name
blueprint: '"okta-group"'
properties:
name: .profile.name
description: .profile.description
type: .type
created: .created
lastUpdated: .lastUpdated
relations:
members: .users[]?.id
Examplesโ
To view and test the integration's mapping against examples of the third-party API responses, use the jq playground in your data sources page. Find the integration in the list of data sources and click on it to open the playground.
Additional examples of blueprints and the relevant integration configurations:
Userโ
User blueprint (click to expand)
{
"identifier": "okta-user",
"title": "Okta User",
"icon": "Okta",
"schema": {
"properties": {
"login": {
"title": "Login",
"type": "string"
},
"email": {
"title": "Email",
"type": "string",
"format": "email"
},
"firstName": {
"title": "First Name",
"type": "string"
},
"lastName": {
"title": "Last Name",
"type": "string"
},
"displayName": {
"title": "Display Name",
"type": "string"
},
"title": {
"title": "Job Title",
"type": "string"
},
"department": {
"title": "Department",
"type": "string"
},
"employeeNumber": {
"title": "Employee Number",
"type": "string"
},
"mobilePhone": {
"title": "Mobile Phone",
"type": "string"
},
"primaryPhone": {
"title": "Primary Phone",
"type": "string"
},
"streetAddress": {
"title": "Street Address",
"type": "string"
},
"city": {
"title": "City",
"type": "string"
},
"state": {
"title": "State",
"type": "string"
},
"zipCode": {
"title": "ZIP Code",
"type": "string"
},
"countryCode": {
"title": "Country Code",
"type": "string"
},
"status": {
"title": "Status",
"type": "string",
"enum": ["ACTIVE", "INACTIVE", "PASSWORD_EXPIRED", "LOCKED_OUT", "SUSPENDED", "DEPROVISIONED"]
},
"created": {
"title": "Created Date",
"type": "string",
"format": "date-time"
},
"activated": {
"title": "Activated Date",
"type": "string",
"format": "date-time"
},
"lastLogin": {
"title": "Last Login",
"type": "string",
"format": "date-time"
},
"lastUpdated": {
"title": "Last Updated",
"type": "string",
"format": "date-time"
}
},
"required": ["login", "email"]
},
"calculationProperties": {},
"relations": {
"groups": {
"title": "Groups",
"target": "okta-group",
"required": false,
"many": true
}
}
}
Mapping configuration (click to expand)
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: okta-user
selector:
query: "true"
include_groups: true
include_applications: true
port:
entity:
mappings:
identifier: .id
title: .profile.displayName // .profile.firstName + " " + .profile.lastName // .profile.login
blueprint: '"okta-user"'
properties:
login: .profile.login
email: .profile.email
firstName: .profile.firstName
lastName: .profile.lastName
displayName: .profile.displayName
title: .profile.title
department: .profile.department
employeeNumber: .profile.employeeNumber
mobilePhone: .profile.mobilePhone
primaryPhone: .profile.primaryPhone
streetAddress: .profile.streetAddress
city: .profile.city
state: .profile.state
zipCode: .profile.zipCode
countryCode: .profile.countryCode
status: .status
created: .created
activated: .activated
lastLogin: .lastLogin
lastUpdated: .lastUpdated
relations:
groups: .groups[]?.id
Groupโ
Group blueprint (click to expand)
{
"identifier": "okta-group",
"title": "Okta Group",
"icon": "Okta",
"schema": {
"properties": {
"name": {
"title": "Name",
"type": "string"
},
"description": {
"title": "Description",
"type": "string"
},
"type": {
"title": "Type",
"type": "string",
"enum": ["BUILT_IN", "OKTA_GROUP", "APP_GROUP"]
},
"created": {
"title": "Created Date",
"type": "string",
"format": "date-time"
},
"lastUpdated": {
"title": "Last Updated",
"type": "string",
"format": "date-time"
}
},
"required": ["name"]
},
"calculationProperties": {},
"relations": {
"members": {
"title": "Members",
"target": "okta-user",
"required": false,
"many": true
}
}
}
Mapping configuration (click to expand)
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: okta-group
selector:
query: 'true'
port:
entity:
mappings:
identifier: .id
title: .profile.name
blueprint: '"okta-group"'
properties:
name: .profile.name
description: .profile.description
type: .type
created: .created
lastUpdated: .lastUpdated
relations:
members: .users[]?.id
Webhook configurationโ
The Okta integration supports real-time updates through webhooks. When using the self-hosted installation method, the integration will automatically:
- Create an Event Hook in your Okta organization
- Configure the webhook to send user and group change events
- Process incoming webhook events to update Port entities in real-time
Webhook eventsโ
The integration listens for the following Okta events:
user.lifecycle.createuser.lifecycle.activateuser.lifecycle.deactivateuser.lifecycle.suspenduser.lifecycle.unsuspenduser.lifecycle.deleteuser.account.update_profilegroup.user_membership.addgroup.user_membership.removegroup.lifecycle.creategroup.lifecycle.deletegroup.lifecycle.update
Limitationsโ
- The integration currently supports users and groups only
- Custom Okta attributes are not automatically mapped but can be added to the configuration
- Webhook verification is optional but recommended for production environments
Troubleshootingโ
Common Issuesโ
- Authentication Errors: Verify your Okta API token has the correct permissions and is not expired
- Domain Issues: Ensure your Okta domain is correctly formatted (e.g.,
dev-123456.okta.com) - Webhook Failures: Check that your self-hosted integration is accessible from the internet for webhook delivery
- Rate Limiting: Okta has API rate limits; the integration handles this automatically with retries