Okta OAuth 2.0 Authorization Grant Flow

Configure app integration in Okta

To create the Zilla integration with Okta, log in to your Okta account as an admin. Navigate to Applications / Applications in the left-hand menu.

Next, click Create App Integration.

Configure the New Web App Integration as shown below:

  • Give an App integration name such as “Zilla Connector”

  • Grant type of “Client acting on behalf of a user”

    • Authorization Code

    • Refresh Token

  • Sign-in redirect URIs - https://app.zillasecurity.com/api/auth/callback/okta

  • Sign-out redirect URI - none

  • Assignments - “Limit access to selected groups”, enter group name in the text box


Click Save; the application is created in Okta. The "Client ID" and "Client secret" shown on this screen will be used in Zilla. Copy both and keep them handy for a later step.

Notes

  • When assigning, ensure that the user who will access Zilla is a member of that group. Otherwise, go to the Assignments tab and assign that user to the application. Also make sure the user has the Application Administrator role, which is needed to sync Okta into Zilla. To assign roles, follow the steps under Assign a Role to a user below.

  • Also, make sure the refresh token behavior is set to Use persistent token.

Grant this application the following API Scopes:

  • okta.apps.read

  • okta.factors.read

  • okta.groups.read

  • okta.policies.read

  • okta.roles.read

  • okta.users.read

  • okta.groups.manage (optional)

  • okta.roles.manage (optional)

  • okta.apps.manage (optional)

  • okta.users.manage (optional)

Note: The four manage scopes are required only when ‘enable account modifications’ is turned on. These scopes allow Zilla to automatically provision and revoke permissions in Okta.

After granting the API scopes, your list of Granted scopes should look like this:

Configure the Okta integration in Zilla

The configuration screen will need “Client ID” and “Client secret” from above as well as the following attributes:

Okta Domain - your organization's Okta domain, for example yourcompany.okta.com. To find it, sign in to Okta and open the drop-down menu on the right side of the page. (In the screenshot below, the circled URL is your organization's domain URL.)

Attribute that identifies manager’s email addresses - Specify the attribute that contains the manager’s email address. If no manager email address should be synced, leave this field blank.

Comma separated attributes that identify additional email addresses - If users have additional email addresses, list the attributes here for Zilla to sync. If no additional email addresses are available, leave this field blank.

Comma separated attributes that identify users - Provide the Okta attributes (e.g., title, department, secondEmail) that identify the Okta users you want to sync. For example, if you specify department, title, only accounts that have department or title (or both) set are marked as USER accounts; the rest are marked as SERVICE accounts. If the Okta application instance is marked as the directory, only accounts of type USER are added to the directory; SERVICE accounts are not added.

Note: Attributes should match those specified in Okta.

Enable account modifications - Lets Zilla automatically revoke group memberships and permissions that were flagged for revocation after an access review, and provision users. NOTE: This feature requires the additional manage scopes; see the section above for details about which scopes need to be granted.

Treat app assignments as permissions? (Yes/No) - If set to Yes, all app assignments are treated as permissions.

Sync roles assigned to applications? (Yes/No) - If set to Yes, Zilla identifies applications that have specific roles (in addition to scopes) and displays them as accounts, with their assigned roles, in the Accounts tab of the Okta application instance, and as resources in the Resources tab.
If set to No, these applications are shown as resources in the Resources tab of the Okta application instance in Zilla.
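Before clicking Sync Now, it is worth checking that the Okta app matches the settings above and that the manage scopes are only granted when account modifications are actually enabled. The script below is an added example, not Zilla's or Okta's code: it checks a constructed, flattened app description (the dict keys are assumptions, not Okta's API schema) against the grant types, redirect URI, refresh token behavior and scopes this page lists, and applies the USER/SERVICE classification rule for "Comma separated attributes that identify users" to sample profiles.

```python
# Added example, not Zilla's or Okta's code. The dict keys below are a
# constructed, flattened shape, not Okta's application API schema.
REDIRECT_URI = "https://app.zillasecurity.com/api/auth/callback/okta"
READ_SCOPES = {"okta.apps.read", "okta.factors.read", "okta.groups.read",
               "okta.policies.read", "okta.roles.read", "okta.users.read"}
MANAGE_SCOPES = {"okta.groups.manage", "okta.roles.manage",
                 "okta.apps.manage", "okta.users.manage"}


def check_integration(app, enable_account_modifications):
    """Return findings; an empty list means the app matches this page's setup."""
    findings = []
    grants = set(app.get("grant_types", []))
    if not {"authorization_code", "refresh_token"} <= grants:
        findings.append("grant types must include authorization_code and refresh_token")
    if REDIRECT_URI not in app.get("sign_in_redirect_uris", []):
        findings.append("sign-in redirect URI " + REDIRECT_URI + " is missing")
    if app.get("sign_out_redirect_uris"):
        findings.append("sign-out redirect URI should be empty")
    if app.get("refresh_token_behavior") != "persistent":
        findings.append("refresh token behavior must be 'Use persistent token'")
    granted = set(app.get("granted_scopes", []))
    missing = READ_SCOPES - granted
    if missing:
        findings.append("missing read scopes: " + ", ".join(sorted(missing)))
    manage = granted & MANAGE_SCOPES
    if enable_account_modifications and manage != MANAGE_SCOPES:
        findings.append("account modifications need all four manage scopes")
    if not enable_account_modifications and manage:
        # Write scopes the feature will never use: flag them (least privilege).
        findings.append("manage scopes granted but account modifications disabled: "
                        + ", ".join(sorted(manage)))
    return findings


def classify_account(profile, user_attributes):
    """USER if any comma-separated attribute is set on the profile, else SERVICE."""
    attrs = [a.strip() for a in user_attributes.split(",") if a.strip()]
    return "USER" if any(profile.get(a) for a in attrs) else "SERVICE"


# Constructed sample: the app as this page describes it, with all scopes granted.
SAMPLE_APP = {
    "grant_types": ["authorization_code", "refresh_token"],
    "sign_in_redirect_uris": [REDIRECT_URI],
    "sign_out_redirect_uris": [],
    "refresh_token_behavior": "persistent",
    "granted_scopes": sorted(READ_SCOPES | MANAGE_SCOPES),
}
```

Running `check_integration(SAMPLE_APP, False)` reports the four manage scopes as granted but unused, which is the over-privileged case to clean up before syncing.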


Once the configuration is complete, click Sync Now to sync with Okta.

Assign a Role to a user

  • In the Assignments tab, select the user to whom you want to assign a role, then Admin roles > Edit individual assignments > Add assignment > select the role from the dropdown > Save changes.