# Okta IAM
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Note: This integration should be used along with our ILM premium pack. For further details, visit our ILM pack documentation.
Integrate with Okta's Identity Access Management service to execute CRUD operations for employee lifecycle processes. This integration was integrated and tested with version v1 of the Okta API. For more information, refer to the Identity Lifecycle Management article.
## Configure Okta IAM on Cortex XSOAR

- Navigate to Settings > Integrations > Servers & Services.
- Search for Okta IAM.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
url | Okta URL (https://<domain>.okta.com) | True |
apitoken | API Token (see Detailed Instructions) | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
create-user-enabled | iam-create-user Command Enabled | False |
update-user-enabled | iam-update-user Command Enabled | False |
disable-user-enabled | iam-disable-user Command Enabled | False |
create-if-not-exists | Automatically create user if not found in update command | False |
mapper-in | Incoming Mapper | True |
mapper-out | Outgoing Mapper | True |
max_fetch | Fetch Limit (recommended less than 200) | False |
isFetch | Fetch incidents | False |
incidentFetchInterval | Incidents Fetch Interval | False |
incidentType | Incident type | False |
auto_generate_query_filter | Query only application events configured in the IAM Configuration | False |
fetch_query_filter | Fetch Query Filter (Okta system log events) | True |
first_fetch | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
- To allow the integration to access the mappers from within the code, as the ILM pack requires, both mappers must be configured in their respective fields (Incoming Mapper and Outgoing Mapper) and not in the "Mapper (outgoing)" dropdown list selector.
- Click Test to check that you are able to connect to the integration.
## Fetch incidents using an "IAM - Configuration" incident

When the "Query only application events configured in IAM Configuration" checkbox is selected, only the add and remove event types for the applications configured in the IAM Configuration incident are retrieved. You must have at least one application configured in XSOAR to fetch incidents from Okta.
## Fetch incidents using a manual query filter expression

Note: Cortex XSOAR recommends that you use the "Query only application events configured in IAM Configuration" option to generate the fetch-incidents query filter. The following method should be used primarily for debugging purposes.
Clear the "Query only application events configured in IAM Configuration" checkbox to use a custom fetch query filter expression. The expression must use SCIM filter syntax and include both the add and remove event types as well as the application ID.
For example: (eventType eq "application.user_membership.add" or eventType eq "application.user_membership.remove") and target.id eq "0oar418fvkm67MWGd0h7"
You may also use the advanced search in Okta's System Log to generate the filter expression.
For more details, visit the Okta API reference.
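The following script is an added example and not code from the Okta IAM pack. It builds the fetch filter in the shape shown above from a list of configured application IDs and checks a hand-written expression against the stated requirements (both membership event types plus an application ID). With one ID it reproduces the README's example verbatim; the way it ORs several IDs together is an assumption about how the auto-generated filter would extend to more than one configured application.

```python
"""Build and sanity-check the Okta System Log fetch filter described above.

Added example, not code from the Okta IAM pack. It reproduces the README's
filter shape (membership add/remove events for one application ID) and, as a
generalization, ORs several application IDs into a single expression; the
multi-application form is an assumption about how the auto-generated filter
would extend, not something the README states.
"""
import re

# Event types the README names for application membership changes.
ADD_EVENT = "application.user_membership.add"
REMOVE_EVENT = "application.user_membership.remove"

# Application ID taken from the README's own example filter.
EXAMPLE_APP_ID = "0oar418fvkm67MWGd0h7"

# Okta object IDs are alphanumeric; rejecting anything else keeps quotes and
# operators out of the generated filter (a malformed filter would silently
# fetch nothing, or the wrong events).
_APP_ID_RE = re.compile(r"[0-9A-Za-z]+")


def is_valid_app_id(app_id: str) -> bool:
    """True when the ID can be embedded in a quoted SCIM literal as-is."""
    return bool(_APP_ID_RE.fullmatch(app_id))


def build_fetch_filter(app_ids):
    """Return the SCIM-style filter for the given application IDs.

    With one ID the result is identical to the README example; with several,
    the target.id clauses are OR-ed inside parentheses (assumed extension).
    """
    app_ids = list(app_ids)
    if not app_ids:
        raise ValueError("configure at least one application before fetching incidents")
    bad = [a for a in app_ids if not is_valid_app_id(a)]
    if bad:
        raise ValueError(f"invalid application ID(s): {bad}")

    event_clause = f'eventType eq "{ADD_EVENT}" or eventType eq "{REMOVE_EVENT}"'
    targets = [f'target.id eq "{a}"' for a in app_ids]
    target_clause = targets[0] if len(targets) == 1 else "(" + " or ".join(targets) + ")"
    return f"({event_clause}) and {target_clause}"


def check_manual_filter(expression: str):
    """Return the list of problems in a hand-written filter (empty list = OK).

    Encodes the README's requirements for a manual expression: both event
    types and an application ID must be present; parentheses must balance.
    """
    problems = []
    if f'eventType eq "{ADD_EVENT}"' not in expression:
        problems.append("missing add event type")
    if f'eventType eq "{REMOVE_EVENT}"' not in expression:
        problems.append("missing remove event type")
    if not re.search(r'target\.id eq "[0-9A-Za-z]+"', expression):
        problems.append("missing target.id (application ID) clause")
    if expression.count("(") != expression.count(")"):
        problems.append("unbalanced parentheses")
    return problems


if __name__ == "__main__":
    generated = build_fetch_filter([EXAMPLE_APP_ID])
    print(generated)
    print("problems:", check_manual_filter(generated))
```

Run `check_manual_filter` on any expression you paste into the Fetch Query Filter field while debugging; an empty list means the three requirements the README names are satisfied, which is not the same as the filter matching events in your tenant, so still confirm with Okta's System Log advanced search.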
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### iam-create-user

Creates a user.

#### Base Command

iam-create-user

#### Input

Argument Name | Description | Required |
---|---|---|
user-profile | User Profile indicator details. | Required |
allow-enable | When set to true, after the command execution the status of the user in the 3rd-party integration will be active. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
IAM.Vendor.brand | String | Name of the integration. |
IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
IAM.Vendor.email | String | The employee's email address. |
IAM.Vendor.errorCode | Number | HTTP error response code. |
IAM.Vendor.errorMessage | String | Reason why the API failed. |
IAM.Vendor.id | String | The employee's user ID in the app. |
IAM.Vendor.instanceName | string | Name of the integration instance. |
IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
IAM.Vendor.username | String | The employee's username in the app. |
#### Command Example

!iam-create-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\", \"surname\":\"Test\",\"givenname\":\"Demisto\"}

#### Human Readable Output

### Create User Results (Okta IAM)

brand | instanceName | success | active | id | username | email | details |
---|---|---|---|---|---|---|---|
Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com | id: 00uujxnbh3uJw4tWA0h7 status: PROVISIONED created: 2020-10-18T17:54:30.000Z activated: 2020-10-18T17:54:30.000Z statusChanged: 2020-10-18T17:54:30.000Z lastLogin: null lastUpdated: 2020-10-18T17:54:30.000Z passwordChanged: null type: {"id": "oty8zfz6plq7b0r830h7"} profile: {"firstName": "Demisto", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto44@paloaltonetworks.com"} credentials: {"provider": {"type": "OKTA", "name": "OKTA"}} _links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}} |
### iam-update-user

Updates an existing user with the data passed in the user-profile argument.

#### Base Command

iam-update-user

#### Input

Argument Name | Description | Required |
---|---|---|
user-profile | A User Profile indicator. | Required |
allow-enable | When set to true, after the command execution the status of the user in the 3rd-party integration will be active. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
IAM.Vendor.brand | String | Name of the integration. |
IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
IAM.Vendor.email | String | The employee's email address. |
IAM.Vendor.errorCode | Number | HTTP error response code. |
IAM.Vendor.errorMessage | String | Reason why the API failed. |
IAM.Vendor.id | String | The employee's user ID in the app. |
IAM.Vendor.instanceName | string | Name of the integration instance. |
IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
IAM.Vendor.username | String | The employee's username in the app. |
#### Command Example

!iam-update-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\", \"givenname\":\"Demisto-Test\"}

#### Human Readable Output

### Update User Results (Okta IAM)

brand | instanceName | success | active | id | username | email | details |
---|---|---|---|---|---|---|---|
Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com | id: 00uujxnbh3uJw4tWA0h7 status: PROVISIONED created: 2020-10-18T17:54:30.000Z activated: 2020-10-18T17:54:30.000Z statusChanged: 2020-10-18T17:54:30.000Z lastLogin: null lastUpdated: 2020-10-18T17:56:53.000Z passwordChanged: null type: {"id": "oty8zfz6plq7b0r830h7"} profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"} credentials: {"provider": {"type": "OKTA", "name": "OKTA"}} _links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}} |
### iam-get-user

Retrieves a single user resource.

#### Base Command

iam-get-user

#### Input

Argument Name | Description | Required |
---|---|---|
user-profile | A User Profile indicator. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
IAM.Vendor.brand | String | Name of the integration. |
IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
IAM.Vendor.email | String | The employee's email address. |
IAM.Vendor.errorCode | Number | HTTP error response code. |
IAM.Vendor.errorMessage | String | Reason why the API failed. |
IAM.Vendor.id | String | The employee's user ID in the app. |
IAM.Vendor.instanceName | string | Name of the integration instance. |
IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
IAM.Vendor.username | String | The employee's username in the app. |
#### Command Example

!iam-get-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\"}

#### Human Readable Output

### Get User Results (Okta IAM)

brand | instanceName | success | active | id | username | email | details |
---|---|---|---|---|---|---|---|
Okta IAM | Okta IAM_instance_1 | true | true | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com | id: 00uujxnbh3uJw4tWA0h7 status: PROVISIONED created: 2020-10-18T17:54:30.000Z activated: 2020-10-18T17:54:30.000Z statusChanged: 2020-10-18T17:54:30.000Z lastLogin: null lastUpdated: 2020-10-18T17:56:53.000Z passwordChanged: null type: {"id": "oty8zfz6plq7b0r830h7"} profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"} credentials: {"provider": {"type": "OKTA", "name": "OKTA"}} _links: {"suspend": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/suspend", "method": "POST"}, "schema": {"href": "https://panw-test.oktapreview.com/api/v1/meta/schemas/user/osc8zfz6plq7b0r830h7"}, "resetPassword": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reset_password", "method": "POST"}, "reactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/reactivate", "method": "POST"}, "self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}, "type": {"href": "https://panw-test.oktapreview.com/api/v1/meta/types/user/oty8zfz6plq7b0r830h7"}, "deactivate": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7/lifecycle/deactivate", "method": "POST"}} |
### iam-disable-user

Disables an active user.

#### Base Command

iam-disable-user

#### Input

Argument Name | Description | Required |
---|---|---|
user-profile | A User Profile indicator. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
IAM.Vendor.active | Boolean | When true, indicates that the employee's status is active in the 3rd-party integration. |
IAM.Vendor.brand | String | Name of the integration. |
IAM.Vendor.details | string | Provides the raw data from the 3rd-party integration. |
IAM.Vendor.email | String | The employee's email address. |
IAM.Vendor.errorCode | Number | HTTP error response code. |
IAM.Vendor.errorMessage | String | Reason why the API failed. |
IAM.Vendor.id | String | The employee's user ID in the app. |
IAM.Vendor.instanceName | string | Name of the integration instance. |
IAM.Vendor.success | Boolean | When true, indicates that the command was executed successfully. |
IAM.Vendor.username | String | The employee's username in the app. |
#### Command Example

!iam-disable-user user-profile={\"email\":\"testdemisto2@paloaltonetworks.com\"}

#### Human Readable Output

### Disable User Results (Okta IAM)

brand | instanceName | success | active | id | username | email | details |
---|---|---|---|---|---|---|---|
Okta IAM | Okta IAM_instance_1 | true | false | 00uujxnbh3uJw4tWA0h7 | testdemisto2@paloaltonetworks.com | testdemisto2@paloaltonetworks.com | id: 00uujxnbh3uJw4tWA0h7 status: PROVISIONED created: 2020-10-18T17:54:30.000Z activated: 2020-10-18T17:54:30.000Z statusChanged: 2020-10-18T17:54:30.000Z lastLogin: null lastUpdated: 2020-10-18T17:56:53.000Z passwordChanged: null type: {"id": "oty8zfz6plq7b0r830h7"} profile: {"firstName": "Demisto-Test", "lastName": "Test", "mobilePhone": null, "secondEmail": null, "login": "testdemisto2@paloaltonetworks.com", "email": "testdemisto2@paloaltonetworks.com"} credentials: {"provider": {"type": "OKTA", "name": "OKTA"}} _links: {"self": {"href": "https://panw-test.oktapreview.com/api/v1/users/00uujxnbh3uJw4tWA0h7"}} |
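An offboarding playbook should not treat iam-disable-user as done until the IAM.Vendor context confirms it. The script below is an added example, not part of the Okta IAM pack: it classifies each IAM.Vendor entry using the fields documented in the Context Output table above. The sample entries are constructed; the first mirrors the README's disable result (success true, active false), the other two are made up to show an HTTP error and a reported success that leaves the account active. Treating IAM.Vendor as a list with one entry per integration instance is an assumption.

```python
"""Verify iam-disable-user results from the IAM.Vendor context before a playbook moves on.

Added example, not part of the Okta IAM pack. The entries below are constructed
to mirror the context output fields documented above (brand, instanceName,
success, active, id, username, errorCode, errorMessage); IAM.Vendor is treated
as a list with one entry per integration instance, which is an assumption.
"""

# Constructed sample context. The first entry mirrors the README's disable
# example (success=true, active=false). The other two are made up to show the
# failure modes a playbook should catch: an HTTP error, and a vendor "success"
# that nevertheless leaves the account active.
SAMPLE_VENDOR_CONTEXT = [
    {"brand": "Okta IAM", "instanceName": "Okta IAM_instance_1", "success": True,
     "active": False, "id": "00uujxnbh3uJw4tWA0h7",
     "username": "testdemisto2@paloaltonetworks.com",
     "errorCode": None, "errorMessage": None},
    {"brand": "Okta IAM", "instanceName": "Okta IAM_instance_2", "success": False,
     "active": None, "id": None, "username": None,
     "errorCode": 404, "errorMessage": "User not found"},            # constructed
    {"brand": "Okta IAM", "instanceName": "Okta IAM_instance_3", "success": True,
     "active": True, "id": "00uPLACEHOLDER000001",
     "username": "still.active@example.com",
     "errorCode": None, "errorMessage": None},                      # constructed
]


def evaluate_disable_results(vendor_entries):
    """Classify each IAM.Vendor entry produced by an iam-disable-user run.

    Returns (instanceName, verdict, detail) tuples. A disable is confirmed only
    when success is true AND active is false: a "success" that leaves active
    true is flagged so an offboarding playbook does not close while the user
    can still sign in, and a failure carries the HTTP code and API message.
    """
    results = []
    for entry in vendor_entries:
        name = entry.get("instanceName", "<unknown instance>")
        if not entry.get("success"):
            detail = f"HTTP {entry.get('errorCode')}: {entry.get('errorMessage')}"
            results.append((name, "failed", detail))
        elif entry.get("active"):
            detail = f"user {entry.get('id')} reported success but is still active"
            results.append((name, "still-active", detail))
        else:
            detail = f"user {entry.get('id')} ({entry.get('username')}) disabled"
            results.append((name, "disabled", detail))
    return results


def all_disabled(vendor_entries) -> bool:
    """True only when every instance confirmed the user is disabled."""
    return bool(vendor_entries) and all(
        verdict == "disabled" for _, verdict, _ in evaluate_disable_results(vendor_entries)
    )


if __name__ == "__main__":
    for instance, verdict, detail in evaluate_disable_results(SAMPLE_VENDOR_CONTEXT):
        print(f"{instance}: {verdict} ({detail})")
    print("offboarding complete:", all_disabled(SAMPLE_VENDOR_CONTEXT))
```

The "still-active" verdict is the one worth a dedicated playbook branch: it surfaces the case where the vendor call returned success but the active flag did not change, which otherwise closes an offboarding incident on an account that can still sign in. An empty context is deliberately not treated as success.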
### okta-get-assigned-user-for-app

Gets a specific user assignment for an application by ID.

#### Base Command

okta-get-app-user-assignment

#### Input

Argument Name | Description | Required |
---|---|---|
user_id | ID of the user for which to get information. | Required |
application_id | ID of the application for which to get information. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
Okta.AppUserAssignment.UserID | string | ID of the user. |
Okta.AppUserAssignment.AppID | string | ID of the application. |
Okta.AppUserAssignment.IsAssigned | boolean | When True, indicates that the user is assigned to the application. |
Okta.AppUserAssignment.ProfileInApp | unknown | The user profile data in the application. |
#### Command Example

!okta-get-app-user-assignment user_id=00uuv6y8t1iy8YXm94h7 application_id=0oae3ioe51sQ64Aui2h7

#### Human Readable Output

### App User Assignment

App ID | Is Assigned | User ID |
---|---|---|
0oae3ioe51sQ64Aui2h7 | true | 00uuv6y8t1iy8YXm94h7 |
### okta-list-applications

Returns a list of Okta applications.

#### Base Command

okta-iam-list-applications

#### Input

Argument Name | Description | Required |
---|---|---|
query | Search for applications by their names. | Optional |
page | Page number (0-based). Default is 0. | Optional |
limit | Maximum number of apps to retrieve (maximal value is 200). Default is 50. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
Okta.Application.ID | string | ID of the application. |
Okta.Application.Name | string | Name of the application. |
Okta.Application.Label | string | Label of the application. |
Okta.Application.Logo | string | Logo of the application. |
#### Command Example

!okta-iam-list-applications limit=5 query="Workday"

#### Human Readable Output

### Okta Applications (1 - 3)

ID | Name | Label | Logo |
---|---|---|---|
0ob8zlypk6GVPRr2T0h7 | workday | Workday - Preview | |
0oabz0ozy5dDpEKyA0h7 | workday | Workday - Prod - DryRun | |
0oae3ioe51sQ64Aui2h7 | workday | Workday - Impl1 | |
### okta-iam-get-configuration

Gets the IAM configuration data from the integration context.

#### Base Command

okta-iam-get-configuration

#### Input

There are no input arguments for this command.
#### Context Output

Path | Type | Description |
---|---|---|
Okta.IAMConfiguration.ApplicationID | String | An Okta application ID. |
Okta.IAMConfiguration.Name | String | Name of the Okta application. |
Okta.IAMConfiguration.Label | String | Label of the Okta application. |
Okta.IAMConfiguration.Logo | String | Logo of the application. |
Okta.IAMConfiguration.Instance | String | An XSOAR IAM integration instance name. |
#### Command Example

!okta-iam-get-configuration using="Okta IAM_instance_1_copy"

#### Human Readable Output

### Okta IAM Configuration

ApplicationID | Instance | Label | Logo | Name |
---|---|---|---|---|
0oc8zlypk6GVPRr2G0h7 | ServiceNow IAM_instance_1 | ServiceNow | | servicenow |