Okta IAM

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Note: This integration should be used along with our ILM premium pack. For further details, visit our ILM pack documentation.

Integrate with Okta's Identity Access Management service to execute CRUD operations for employee lifecycle processes. This integration was integrated and tested with version v1 of the Okta API. For more information, refer to the Identity Lifecycle Management article.

Configure Okta IAM on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Okta IAM.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Okta URL (https://<domain>.okta.com) | True |
| apitoken | API Token (see Detailed Instructions) | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| create-user-enabled | iam-create-user Command Enabled | False |
| update-user-enabled | iam-update-user Command Enabled | False |
| disable-user-enabled | iam-disable-user Command Enabled | False |
| create-if-not-exists | Automatically create user if not found in update command | False |
| mapper-in | Incoming Mapper | True |
| mapper-out | Outgoing Mapper | True |
| max_fetch | Fetch Limit (recommended less than 200) | False |
| isFetch | Fetch incidents | False |
| incidentFetchInterval | Incidents Fetch Interval | False |
| incidentType | Incident type | False |
| auto_generate_query_filter | Query only application events configured in the IAM Configuration | False |
| fetch_query_filter | Fetch Query Filter (Okta system log events) | True |
| first_fetch | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |

  • To allow the integration to access the mapper from within the code, as required by the ILM pack, both mappers have to be configured in their respective fields above and not in the "Mapper (outgoing)" dropdown list selector.

  4. Click Test to check that you are able to connect to the integration.

Fetch incidents using an "IAM - Configuration" incident

When the "Query only application events configured in IAM Configuration" checkbox is selected, only the add and remove event types for the applications configured in the IAM Configuration incident are retrieved. You must have at least one application configured in XSOAR to fetch incidents from Okta.

Fetch incidents using a manual query filter expression

Note: Cortex XSOAR recommends that you use the Query only application events configured in IAM Configuration option to generate the fetch-incidents query filter. The following method should be used primarily for debugging purposes.

Clear the "Query only application events configured in IAM Configuration" checkbox to use a custom fetch query filter expression. The expression must be in SCIM syntax and must include the add and remove event types, as well as the application ID. For example:

```
(eventType eq "application.user_membership.add" or eventType eq "application.user_membership.remove") and target.id eq "0oar418fvkm67MWGd0h7"
```

You may also use the advanced search in Okta's System Logs to generate the filter expression. For more details, visit the Okta API reference.
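As an added example (not code from the Okta IAM integration), the Python below builds a filter expression of the form shown above for one or more configured application IDs and applies the same add/remove selection to constructed sample system log events; composing several IDs with `or`, and the `0oaPLACEHOLDERAPP` ID, are assumptions.

```python
# Added example, not code from the Okta IAM integration: builds the system log
# filter the page describes and matches sample events against the configured
# application IDs. Composition of several IDs with "or" is an assumption.
ADD_EVENT = "application.user_membership.add"
REMOVE_EVENT = "application.user_membership.remove"

def build_fetch_query_filter(app_ids):
    """Filter limited to add/remove membership events of the given apps."""
    if not app_ids:
        raise ValueError("at least one application must be configured")
    events = f'(eventType eq "{ADD_EVENT}" or eventType eq "{REMOVE_EVENT}")'
    targets = " or ".join(f'target.id eq "{app_id}"' for app_id in app_ids)
    if len(app_ids) > 1:
        targets = f"({targets})"
    return f"{events} and {targets}"

def classify_event(event, app_ids):
    """Return (action, app_id, user_login) for an add/remove event that hits a
    configured application, else None. Okta system log events carry the app
    as a target of type AppInstance and the user as a target of type User."""
    action = {ADD_EVENT: "add", REMOVE_EVENT: "remove"}.get(event.get("eventType"))
    if action is None:
        return None
    app_id = user_login = None
    for target in event.get("target") or []:
        if target.get("type") == "AppInstance":
            app_id = target.get("id")
        elif target.get("type") == "User":
            user_login = target.get("alternateId")
    if app_id not in app_ids or user_login is None:
        return None
    return action, app_id, user_login

def fetch_relevant(events, app_ids):
    """Keep only the events an IAM Configuration with app_ids would fetch."""
    results = (classify_event(e, app_ids) for e in events)
    return [r for r in results if r is not None]

# Constructed sample events (not real Okta log data); the first app ID is the
# one from the page's filter example, the second is a made-up placeholder.
SAMPLE_EVENTS = [
    {"eventType": ADD_EVENT, "target": [{"type": "User", "alternateId": "jdoe@example.com"},
                                        {"type": "AppInstance", "id": "0oar418fvkm67MWGd0h7"}]},
    {"eventType": REMOVE_EVENT, "target": [{"type": "User", "alternateId": "asmith@example.com"},
                                           {"type": "AppInstance", "id": "0oaPLACEHOLDERAPP"}]},
    {"eventType": "user.session.start", "target": [{"type": "User", "alternateId": "jdoe@example.com"}]},
]
```

Calling `build_fetch_query_filter(["0oar418fvkm67MWGd0h7"])` yields exactly the single-application expression quoted above, and `fetch_relevant(SAMPLE_EVENTS, [...])` drops the session event and any app not in the configuration.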

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

iam-create-user

Creates a user.

Base Command

iam-create-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | User Profile indicator details. | Required |
| allow-enable | When set to true, after the command execution the status of the user in the 3rd-party integration will be active. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | String | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | String | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

Command Example

```
!iam-create-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\", \"surname\":\"Test\",\"givenname\":\"Demisto\"}
```

Human Readable Output

Create User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:54:30.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto44@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}}
```

iam-update-user

Updates an existing user with the data passed in the user-profile argument.

Base Command

iam-update-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | A User Profile indicator. | Required |
| allow-enable | When set to true, after the command execution the status of the user in the 3rd-party integration will be active. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | String | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | String | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

Command Example

```
!iam-update-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\", \"givenname\":\"Demisto-Test\"}
```

Human Readable Output

Update User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:56:53.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}}
```
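The following added Python (not the integration's or Okta's own code) walks through the documented iam-update-user behaviour: the user is matched by login, created only when the create-if-not-exists instance option is set, and re-enabled when allow-enable is set. The givenname/surname to firstName/lastName mapping, the `FakeOktaUsers` stand-in for the Okta users API and the status handling are assumptions.

```python
# Added example, not the integration's or Okta's own code: shows how the
# documented options (create-if-not-exists, allow-enable) decide what
# iam-update-user does, against an in-memory stand-in for Okta's user store.
# Field mapping, the fake store and the status handling are assumptions.
import json
FIELD_MAP = {"givenname": "firstName", "surname": "lastName", "email": "email"}
ACTIVE_STATUSES = {"ACTIVE", "PROVISIONED"}

def to_okta_profile(user_profile):
    """Translate a User Profile indicator (parsed JSON) into an Okta profile."""
    profile = {FIELD_MAP[k]: v for k, v in user_profile.items() if k in FIELD_MAP}
    if "email" not in profile:
        raise ValueError("user profile must carry an email (used as Okta login)")
    profile["login"] = profile["email"]
    return profile

class FakeOktaUsers:
    """Constructed stand-in for the Okta users API, keyed by login."""
    def __init__(self):
        self.users, self.counter = {}, 0

    def find(self, login):
        return self.users.get(login)

    def create(self, profile, activate):
        self.counter += 1
        user = {"id": f"00uFAKE{self.counter:06d}",
                "status": "PROVISIONED" if activate else "STAGED", "profile": profile}
        self.users[profile["login"]] = user
        return user

    def update(self, user, profile, allow_enable):
        user["profile"].update(profile)
        if allow_enable and user["status"] not in ACTIVE_STATUSES:
            user["status"] = "PROVISIONED"  # allow-enable: user ends up active
        return user

def iam_update_user(client, user_profile_json, create_if_not_exists, allow_enable):
    """Update the user matched by login; create it only when the instance has
    create-if-not-exists set; otherwise report the failure in IAM.Vendor form."""
    profile = to_okta_profile(json.loads(user_profile_json))
    user = client.find(profile["login"])
    if user is None and not create_if_not_exists:
        return {"success": False, "active": False, "errorCode": 404,
                "errorMessage": "User not found"}
    user = (client.create(profile, allow_enable) if user is None
            else client.update(user, profile, allow_enable))
    return {"success": True, "active": user["status"] in ACTIVE_STATUSES, "id": user["id"],
            "username": user["profile"]["login"], "email": user["profile"]["email"]}
```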

iam-get-user

Retrieves a single user resource.

Base Command

iam-get-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | A User Profile indicator. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | String | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | String | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

Command Example

```
!iam-get-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\"}
```

Human Readable Output

Get User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:56:53.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}}
```

iam-disable-user

Disables an active user.

Base Command

iam-disable-user

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user-profile | A User Profile indicator. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
| IAM.Vendor.brand | String | Name of the integration. |
| IAM.Vendor.details | String | Provides the raw data from the 3rd-party integration. |
| IAM.Vendor.email | String | The employee's email address. |
| IAM.Vendor.errorCode | Number | HTTP error response code. |
| IAM.Vendor.errorMessage | String | Reason why the API failed. |
| IAM.Vendor.id | String | The employee's user ID in the app. |
| IAM.Vendor.instanceName | String | Name of the integration instance. |
| IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
| IAM.Vendor.username | String | The employee's username in the app. |

Command Example

```
!iam-disable-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\"}
```

Human Readable Output

Disable User Results (Okta IAM)

| brand | instanceName | success | active | id | username | email |
| --- | --- | --- | --- | --- | --- | --- |
| Okta IAM | Okta IAM_instance_1 | true | false | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com |

details:

```
id: 00uujxnbh3uJw4tWA0h7
status: PROVISIONED
created: 2020-10-18T17:54:30.000Z
activated: 2020-10-18T17:54:30.000Z
statusChanged: 2020-10-18T17:54:30.000Z
lastLogin: null
lastUpdated: 2020-10-18T17:56:53.000Z
passwordChanged: null
type: {"id": "oty8zfz6plq7b0r830h7"}
profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"}
credentials: {"provider": {"type": "OKTA", "name": "OKTA"}}
_links: {"self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}}
```

okta-get-app-user-assignment

Gets a specific user assignment for an application by ID.

Base Command

okta-get-app-user-assignment

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user_id | ID of the user for which to get information. | Required |
| application_id | ID of the application for which to get information. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.AppUserAssignment.UserID | String | ID of the user. |
| Okta.AppUserAssignment.AppID | String | ID of the application. |
| Okta.AppUserAssignment.IsAssigned | Boolean | When true, indicates that the user is assigned to the application. |
| Okta.AppUserAssignment.ProfileInApp | Unknown | The user profile data in the application. |

Command Example

```
!okta-get-app-user-assignment user_id=00uuv6y8t1iy8YXm94h7 application_id=0oae3ioe51sQ64Aui2h7
```

Human Readable Output

App User Assignment

| App ID | Is Assigned | User ID |
| --- | --- | --- |
| 0oae3ioe51sQ64Aui2h7 | true | 00uuv6y8t1iy8YXm94h7 |

okta-iam-list-applications

Returns a list of Okta applications data.

Base Command

okta-iam-list-applications

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | Search for applications by their names. | Optional |
| page | Page number (0-based). Default is 0. | Optional |
| limit | Maximum number of apps to retrieve (maximal value is 200). Default is 50. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.Application.ID | String | ID of the application. |
| Okta.Application.Name | String | Name of the application. |
| Okta.Application.Label | String | Label of the application. |
| Okta.Application.Logo | String | Logo of the application. |

Command Example

```
!okta-iam-list-applications limit=5 query="Workday"
```

Human Readable Output

Okta Applications (1 - 3)

| ID | Name | Label | Logo |
| --- | --- | --- | --- |
| 0ob8zlypk6GVPRr2T0h7 | workday | Workday - Preview | |
| 0oabz0ozy5dDpEKyA0h7 | workday | Workday - Prod - DryRun | |
| 0oae3ioe51sQ64Aui2h7 | workday | Workday - Impl1 | |

okta-iam-get-configuration

Gets the IAM configuration data from the integration context.

Base Command

okta-iam-get-configuration

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Okta.IAMConfiguration.ApplicationID | String | An Okta application ID. |
| Okta.IAMConfiguration.Name | String | Name of the Okta application. |
| Okta.IAMConfiguration.Label | String | Label of the Okta application. |
| Okta.IAMConfiguration.Logo | String | Logo of the application. |
| Okta.IAMConfiguration.Instance | String | An XSOAR IAM integration instance name. |

Command Example

```
!okta-iam-get-configuration using="Okta IAM_instance_1_copy"
```

Human Readable Output

Okta IAM Configuration

| ApplicationID | Instance | Label | Logo | Name |
| --- | --- | --- | --- | --- |
| 0oc8zlypk6GVPRr2G0h7 | ServiceNow IAM_instance_1 | ServiceNow | | servicenow |