Okta

Connect Okta to Siit to sync your users, groups, and application assignments, and expose the full set of Okta actions directly inside Siit workflows, request side panels, and the IT Agent.

What you get

  • Live directory — Okta users, groups, and app assignments sync into Siit with full attribute coverage.

  • One-click actions from any request — provision, revoke, add to group, reset password, reset MFA, directly from the request side panel.

  • Workflow-driven automation — use Okta actions in any workflow: approvals, Day-1 onboarding, access requests, offboarding, SLA escalations.

  • IT Agent native support — Okta actions are first-class in IT Agent playbooks, with optional approval gating on every action.

  • Audit trail — every action triggered from Siit is logged on the request timeline.

What syncs from Okta

| Category | Fields |
|---|---|
| Identity | Display name, email, login, Okta user ID, employee number |
| Profile | Job title, department, manager, location (city, country), custom attributes |
| Groups | Okta groups, memberships, types (built-in, custom, app-assigned) |
| Applications | App assignments per user, including SAML, OIDC, and SWA apps |
| Status | Active, provisioned, staged, suspended, deprovisioned |

Work email is the canonical identifier.

Actions available

Siit exposes the following Okta actions — available in the request side panel, in workflows, and in IT Agent playbooks. Each can be gated behind an approval.

User actions

  • Activate user

  • Suspend user

  • Deprovision user

  • Reset password (sends reset email or sets temp password)

  • Reset MFA (clears enrolled factors, forces re-enrollment)

  • Revoke sessions (force sign-out everywhere)

  • Restore sessions

Group actions

  • Add user to group

  • Remove user from group

Application actions

  • Assign application to user

  • Remove application from user

Before you connect

  • You'll need an Okta Super Admin (or an admin with Read + Manage permissions for Users, Groups, and Applications) to authorize the connection.

  • Decide whether Siit should use OAuth (recommended — managed via an Okta service app) or an API token (legacy — tied to an individual admin account).

  • Make sure Siit's requested scopes are allowed by your Okta tenant's API token / OAuth policy.

Connect Okta

Option A — OAuth (recommended)

  1. In Siit, go to Settings → Integrations.

  2. Find Okta in the IAM section and click Connect.

  3. Enter your Okta domain (e.g., yourcompany.okta.com).

  4. You'll be redirected to Okta to sign in and consent. Sign in with a Super Admin account.

  5. Review the requested scopes:

    • okta.users.read, okta.users.manage

    • okta.groups.read, okta.groups.manage

    • okta.apps.read, okta.apps.manage

    • okta.sessions.manage

  6. Accept and you'll be redirected back to Siit.

  7. Siit runs an initial import of users, groups, and apps.

  8. Review the imported data and click Finish setup.

Option B — API token (legacy)

Use this only if OAuth isn't an option in your tenant.

  1. In Okta, go to Security → API → Tokens → Create Token. Name it "Siit integration" and copy the token.

  2. In Siit → Settings → Integrations → Okta → Connect, choose API token and paste the token plus your Okta domain.

  3. Click Authorize and follow the initial import flow.

Tip — API tokens inherit the permissions of the admin who created them, and they expire after 30 days of inactivity. OAuth is less fragile and survives admin changes — we recommend it for all new installs.

After the connection

  • Check your People list — confirm user counts match Okta's active users.

  • Scope the groups and apps — by default everything is synced. In Settings → Integrations → Okta, you can scope to specific groups, apps, or user types if you don't want the entire tenant.

  • Try one-click actions — open any request, and use the side panel Apps section to run Okta actions on the requester.

  • Build your first workflow — the classic starter: access request → manager approval → Okta assign application → DM requester.
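One way to run the People list check above, as an added example (not Siit's or Okta's own code): it reconciles an Okta user export against the Siit People list by work email rather than comparing totals only. It assumes Okta records shaped like Okta's Users API (`status`, `profile.email`), a Siit export that is a plain list of emails, case-insensitive email matching, and the default status filter described under Troubleshooting; the function and key names are hypothetical.

```python
# Added example: reconcile an Okta user export against the Siit People list.
# Assumptions: Okta records carry `status` and `profile.email`; the Siit side
# is a plain list of work emails; emails are compared case-insensitively.

# Statuses the page says are left out of the sync by default
# ("deactivated" in the Okta console is DEPROVISIONED in the API).
EXCLUDED_BY_DEFAULT = {"SUSPENDED", "DEPROVISIONED", "STAGED"}


def norm(email):
    """Work email is the canonical identifier, so normalise before matching."""
    return email.strip().lower()


def reconcile(okta_users, siit_emails, excluded=EXCLUDED_BY_DEFAULT):
    expected, filtered = {}, {}
    for user in okta_users:
        email = norm(user["profile"]["email"])
        target = filtered if user["status"] in excluded else expected
        target[email] = user["status"]
    siit = {norm(e) for e in siit_emails}
    return {
        # In Okta and in scope, but absent from Siit: sync gap or scoping rule.
        "missing_in_siit": sorted(set(expected) - siit),
        # In Siit although the Okta status is excluded: stale record to review.
        "stale_in_siit": sorted(e for e in siit if e in filtered),
        # In Siit with no Okta record under that email at all.
        "unknown_to_okta": sorted(siit - set(expected) - set(filtered)),
        # Equal totals alone do not prove the two lists agree.
        "counts_match": len(expected) == len(siit),
    }


# Constructed sample data (example.com addresses, not from a real tenant).
OKTA_USERS = [
    {"id": "00u1", "status": "ACTIVE", "profile": {"email": "Ana@example.com"}},
    {"id": "00u2", "status": "PROVISIONED", "profile": {"email": "ben@example.com"}},
    {"id": "00u3", "status": "SUSPENDED", "profile": {"email": "cy@example.com"}},
    {"id": "00u4", "status": "DEPROVISIONED", "profile": {"email": "dee@example.com"}},
    {"id": "00u5", "status": "ACTIVE", "profile": {"email": "eli@example.com"}},
]
SIIT_PEOPLE = ["ana@example.com", "dee@example.com", "eli@example.com", "fay@example.com"]

if __name__ == "__main__":
    for key, value in reconcile(OKTA_USERS, SIIT_PEOPLE).items():
        print(f"{key}: {value}")
```

A `stale_in_siit` entry is the one to chase first: it is a person Okta has suspended or deprovisioned who still appears in Siit.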

Sync frequency

Okta data refreshes automatically every few hours. Trigger an immediate refresh from Settings → Integrations → Okta → Sync now. Actions run on demand, immediately, when triggered.

Common workflows

App access request. Trigger: Request submitted (service = "Request app access"). Actions: manager approval → Okta assign application → DM requester.

Group access request. Trigger: Request submitted. Actions: approval → Okta add to group → confirmation.

Password reset (self-service). Trigger: Request submitted (service = "Reset password"). Actions: identity verification → Okta reset password (emails user) → close request.

MFA reset with manager approval. Trigger: Request submitted (service = "Reset MFA"). Actions: manager approval → Okta reset MFA → DM requester with re-enrollment instructions.

Day-1 onboarding (with HRIS). Trigger: Start date. Actions: Okta activate user → add to baseline groups → assign department app bundle → notify manager.

Offboarding on end date. Trigger: End date. Actions: Okta revoke sessions → remove from all groups → deprovision user → equipment pickup request.

Suspicious activity response. Trigger: Request submitted (service = "Report lost device"). Actions: Okta revoke sessions → suspend user → create incident for security team.

IT Agent integration

Okta actions are available inside IT Agent playbooks via slash commands:

  • /okta reset multi-factor (approval available)

  • /okta reset password (approval available)

  • /okta add to group (approval available)

  • /okta add applications (approval available)

This means an IT Agent playbook can resolve a full password reset or access request end-to-end, with approval gates where you need them. See IT Agent.

Troubleshooting

Connection fails on authorize. The admin doesn't have Super Admin rights, or the tenant blocks the requested scopes. Try with a Super Admin, or check Security → API → Authorization Servers for scope restrictions.

Users missing from Siit. Check whether suspended, deactivated, and staged users are excluded (they are by default). Adjust the status filter in Settings → Integrations → Okta if needed.

Action fails with "insufficient scope". The OAuth grant is missing a scope. Reconnect Okta and accept the full scope set.

Action fails silently in a workflow. Open the workflow run in Workflows → [workflow] → Runs — errors from Okta are shown inline with the Okta response code.

API token expired. If you're on API token auth, rotate the token (Okta → Security → API → Tokens) and update it in Siit. Consider migrating to OAuth to avoid future expirations.

Group/app not visible in the action picker. It's likely scoped out. Review scoping in Settings → Integrations → Okta, or confirm the object is actually an Okta group / app and not an Okta Workflows object.

Rate limits. Large tenants may occasionally hit Okta rate limits during initial sync. Siit retries automatically; contact support if syncs are consistently slow.
