# Okta

### What you get

* **Live directory** — Okta users, groups, and app assignments sync into Siit with full attribute coverage.
* **One-click actions from any request** — provision, revoke, add to group, reset password, reset MFA, directly from the request side panel.
* **Workflow-driven automation** — use Okta actions in any workflow: approvals, Day-1 onboarding, access requests, offboarding, SLA escalations.
* **IT Agent native support** — Okta actions are first-class in IT Agent playbooks, with optional approval gating on every action.
* **Audit trail** — every action triggered from Siit is logged on the request timeline.

### What syncs from Okta

| Category     | Fields                                                                      |
| ------------ | --------------------------------------------------------------------------- |
| Identity     | Display name, email, login, Okta user ID, employee number                   |
| Profile      | Job title, department, manager, location (city, country), custom attributes |
| Groups       | Okta groups, memberships, types (built-in, custom, app-assigned)            |
| Applications | App assignments per user, including SAML, OIDC, and SWA apps                |
| Status       | Active, provisioned, staged, suspended, deprovisioned                       |

Work email is the canonical identifier: Siit matches each Okta user to a Siit person by work email, so duplicate or stale emails in Okta will show up as unmatched or merged records.

### Actions available

Siit exposes the following Okta actions — available in the request side panel, in workflows, and in IT Agent playbooks. Each can be gated behind an approval.

**User actions**

* Activate user
* Suspend user
* Deprovision user
* Reset password (sends reset email or sets temp password)
* Reset MFA (clears enrolled factors, forces re-enrollment)
* Revoke sessions (force sign-out everywhere)
* Restore sessions

**Group actions**

* Add user to group
* Remove user from group

**Application actions**

* Assign application to user
* Remove application from user

### Before you connect

* You'll need an Okta **Super Admin** (or an admin with Read + Manage permissions for Users, Groups, and Applications) to authorize the connection.
* Decide whether Siit should use **OAuth** (recommended — managed via an Okta service app) or an **API token** (legacy — tied to an individual admin account).
* Make sure Siit's requested scopes are allowed by your Okta tenant's API token / OAuth policy.

### Connect Okta

#### Option A — OAuth (recommended)

1. In Siit, go to **Settings → Integrations**.
2. Find **Okta** in the IAM section and click **Connect**.
3. Enter your Okta **domain** (e.g., `yourcompany.okta.com`).
4. You'll be redirected to Okta to sign in and consent. Sign in with a Super Admin account.
5. Review the requested scopes:
   * `okta.users.read`, `okta.users.manage`
   * `okta.groups.read`, `okta.groups.manage`
   * `okta.apps.read`, `okta.apps.manage`
   * `okta.sessions.manage`
6. Accept and you'll be redirected back to Siit.
7. Siit runs an initial import of users, groups, and apps.
8. Review the imported data and click **Finish setup**.

#### Option B — API token (legacy)

Use this only if OAuth isn't an option in your tenant.

1. In Okta, go to **Security → API → Tokens → Create Token**. Name it "Siit integration" and copy the token.
2. In Siit → **Settings → Integrations → Okta → Connect**, choose **API token** and paste the token plus your Okta domain.
3. Click **Authorize** and follow the initial import flow.

> **Tip** — API tokens inherit the permissions of the admin who created them, expire after 30 days of inactivity, and are revoked when that admin's account is deactivated, so an offboarded admin silently breaks the integration. OAuth is less fragile and survives admin changes — we recommend it for all new installs.

### After the connection

* **Check your People list** — confirm user counts match Okta's active users.
* **Scope the groups and apps** — by default everything is synced. In **Settings → Integrations → Okta**, you can scope to specific groups, apps, or user types if you don't want the entire tenant.
* **Try one-click actions** — open any request, and use the side panel Apps section to run Okta actions on the requester.
* **Build your first workflow** — the classic starter: access request → manager approval → Okta assign application → DM requester.

### Sync frequency

Okta data refreshes automatically every few hours. Trigger an immediate refresh from **Settings → Integrations → Okta → Sync now**. Actions run on demand, immediately, when triggered.

### Common workflows

**App access request.** *Trigger: Request submitted (service = "Request app access"). Actions: manager approval → Okta assign application → DM requester.*

**Group access request.** *Trigger: Request submitted. Actions: approval → Okta add to group → confirmation.*

**Password reset (self-service).** *Trigger: Request submitted (service = "Reset password"). Actions: identity verification → Okta reset password (emails user) → close request.*

**MFA reset with manager approval.** *Trigger: Request submitted (service = "Reset MFA"). Actions: manager approval → Okta reset MFA → DM requester with re-enrollment instructions.*

**Day-1 onboarding (with HRIS).** *Trigger: Start date. Actions: Okta activate user → add to baseline groups → assign department app bundle → notify manager.*

**Offboarding on end date.** *Trigger: End date. Actions: Okta revoke sessions → remove from all groups → deprovision user → equipment pickup request.*

**Suspicious activity response.** *Trigger: Request submitted (service = "Report lost device"). Actions: Okta revoke sessions → suspend user → create incident for security team.*

### IT Agent integration

Okta actions are available inside IT Agent playbooks via slash commands:

* `/okta reset multi-factor` *(approval available)*
* `/okta reset password` *(approval available)*
* `/okta add to group` *(approval available)*
* `/okta add applications` *(approval available)*

This means an IT Agent playbook can resolve a full password reset or access request end-to-end, with approval gates where you need them. See IT Agent.

### Troubleshooting

**Connection fails on authorize.** The admin signing in doesn't have Super Admin rights, or the tenant hasn't granted the requested `okta.*` scopes to the Siit app. Try with a Super Admin, or confirm the scopes are granted to the Siit OAuth app in Okta (**Applications → \[Siit app] → Okta API Scopes**).

**Users missing from Siit.** By default only active users appear in the People list; suspended, deactivated, and staged users are excluded. Adjust the status filter in **Settings → Integrations → Okta** if you need them.

**Action fails with "insufficient scope".** The OAuth grant is missing a scope. Reconnect Okta and accept the full scope set.

**Action fails silently in a workflow.** Open the workflow run in **Workflows → [workflow] → Runs** — errors from Okta are shown inline with the Okta response code.

**API token expired.** If you're on API token auth, rotate the token (Okta → Security → API → Tokens) and update it in Siit. Consider migrating to OAuth to avoid future expirations.

**Group/app not visible in the action picker.** It's likely scoped out. Review scoping in **Settings → Integrations → Okta**, or confirm the object is actually an Okta group / app and not an Okta Workflows object.

**Rate limits.** Large tenants may occasionally hit Okta rate limits during initial sync. Siit retries automatically; contact support if syncs are consistently slow.
