Okta Workforce Identity Cloud Integration

11 min. read | Last update: 06.20.2024

Please Note: Okta requires an active SAML integration. For help setting up a SAML integration, please see our associated KB article SAML Integration | ThreatLocker Help Center (kb.help)

The purpose of this Okta Workforce Identity Cloud Integration is to streamline the user provisioning process by mapping Okta user groups to ThreatLocker User Roles, automatically creating users in ThreatLocker with the specified ThreatLocker User Roles according to their group designation in Okta.

When this integration is configured, any user that is contained in an Okta group which has been mapped to ThreatLocker User Roles will be created in ThreatLocker the next time the integration syncs. If a user is removed from Okta, ThreatLocker will remove all that user’s permissions within the ThreatLocker portal.

Opening two separate browser windows, one for ThreatLocker and one for Okta, will make configuring this integration easier.


Creating an App Integration in Okta for SAML

In the Okta portal, navigate to Applications > Applications. Select 'Create App Integration'.

In the popup window, select SAML 2.0 and press the 'Next' button.

Provide a name for the App and press 'Next'.

  1. In the Configure SAML tab, insert: https://portalapi.*.threatlocker.com/portalAPI/AuthenticationSAML/AssertionConsumerService into the Single sign-on URL textbox. The wildcard (*) should be replaced with the ThreatLocker instance identifier of the organization the integration is being set up for. This can be located in the ThreatLocker portal by managing the organization and pressing the 'Help' button. Next to the header 'ThreatLocker Access', the alphanumeric characters located in the parentheses need to be placed into the URL above instead of the wildcard (*). Leave the checkbox next to 'Use this for Recipient URL and Destination URL' selected.
  2. Insert: https://threatlocker.com into the Audience URI textbox.

The other options can be configured as desired or left at their default settings.  Click the 'Next' button.

Answer the required question from Okta and click 'Finish'. 


Creating an App Integration in Okta for ThreatLocker

In the Okta portal, navigate to Applications > Applications.

Select 'Create App Integration'.

Select 'API Services' and then press 'Next'.

Provide a name for the app integration and then click 'Save'.

Using this App integration, the next steps will vary depending on the Authentication Type being used in the ThreatLocker - Okta integration sidebar. The options are:

  1. Okta API Token - This is the least secure method of authentication and is not recommended. The API tokens that are created in Okta will inherit the same permissions as the user that created the token, which means that if a super admin creates the token, then the API token will have super admin permissions.
  2. Scoped Okta Token - This is a more secure method of authentication that uses OAuth 2.0. A public/private key pair will be generated and specific permissions can be assigned to the token.
  3. Scoped DPoP Okta Token - This is the most secure method of authentication that uses OAuth 2.0. Two separate public/private key pairs will be generated and specific permissions can be assigned to this token. This is the default setting in Okta, and the recommended selection.

Configuration to Use an Okta API Token as the Authentication Type in ThreatLocker - Least Secure and Not Recommended

In the Okta portal, navigate to Security > API > Tokens.

Press the ‘Create Token’ button at the top left side of the grid.


Enter the name for the token and then press the ‘Create token’ button.



A ‘Token Value’ will be presented. *Important* this token will ONLY be shown once.  Copy the token value and store it in a secure location.



After the ‘Token Value’ has been copied and securely stored, click the ‘OK, got it’ button to close the window.

The active token name will be listed at the top of the grid. This token will inherit the permissions of the user that created it.

You will need this API key when setting up the integration within the ThreatLocker portal.


Configuration to use a Scoped Okta Token as the Authentication Type in ThreatLocker

In the Okta portal, navigate to Applications > Applications and select the app you created for the ThreatLocker integration.

In the 'General' tab, select 'Edit' in the Client Credentials section.

Select 'Public key / Private key' next to Client authentication.

Next to Configuration, leave 'Save keys in Okta' selected.

Select 'Add key' then select 'Generate new key'.

A key pair will be generated.  The public key can be retrieved at any time. You can choose to copy it now and store it securely, or come back to it. The private key will only be visible once. Select 'Copy to clipboard' and store the private key securely before pressing the 'Done' button. These keys will need to be input into the ThreatLocker portal Okta integration sidebar.

In the 'General Settings' section, click 'Edit' and then deselect the checkbox next to 'Require Demonstrating Proof of Possession (DPoP)' to use 'Scoped Okta Token' Authentication Type. 

Now that the key pair is generated, the next step is to assign Okta API Scopes to dictate the resources this integration can access.

Select the 'Okta API Scopes' tab.  The minimum scope the ThreatLocker - Okta integration requires is okta.groups.read.  This will permit ThreatLocker to read the Okta user groups and members. Scroll down to okta.groups.read and select 'Grant'.

You will need to confirm that you wish to grant the scope.

After pressing 'Grant Access' navigate to the 'Admin roles' tab.

Press 'Edit assignments' to provide a role for the integration.  The least permissive role that provides the necessary access is 'Read-only Administrator'. Select it from the first dropdown box and then press 'Save Changes'.

The app integration setup in the Okta portal is complete. You will need the Client ID and key pairs from Okta when completing the setup within the ThreatLocker portal.


Configuration to use a Scoped DPoP Okta Token as the Authentication Type in ThreatLocker

In the Okta portal, navigate to Applications > Applications and select the app you created for the ThreatLocker integration.

In the 'General' tab, select 'Edit' in the Client Credentials section.

Select 'Public key / Private key' next to Client authentication.

Next to Configuration, leave 'Save keys in Okta' selected.

Select 'Add key' then select 'Generate new key'.

A key pair will be generated.  The public key can be retrieved at any time. You can choose to copy it now and store it securely, or come back to it. The private key will only be visible once. Select 'Copy to clipboard' and store the private key securely before pressing the 'Done' button. These keys will need to be input into the ThreatLocker portal Okta integration sidebar.

Under the PUBLIC KEYS heading, press the 'Add' button to generate a second public / private key pair. Both key pairs will need to be pasted into the ThreatLocker Okta integration sidebar when using the 'Scoped DPoP Okta Token' Authentication Type.


By default, 'Require Demonstrating Proof of Possession (DPoP)' will be selected. Leave this setting as it is.

Now that two key pairs have been generated, the next step is to assign Okta API Scopes to dictate the resources this integration can access.

Select the 'Okta API Scopes' tab.  The minimum scope the ThreatLocker - Okta integration requires is okta.groups.read.  This will permit ThreatLocker to read the Okta user groups and members. Scroll down to okta.groups.read and select 'Grant'.

You will need to confirm that you wish to grant the scope.

After pressing 'Grant Access' navigate to the 'Admin roles' tab.

Press 'Edit assignments' to provide a role for the integration.  The least permissive role that provides the necessary access is 'Read-only Administrator'. Select it from the first dropdown box and then press 'Save Changes'.

The app integration setup in the Okta portal is complete. You will need the Client ID and key pairs from Okta when completing the setup within the ThreatLocker portal.
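The two key pairs generated above play different parts: the first signs the JWT the integration presents to Okta's token endpoint to obtain a scoped access token, and the second signs a DPoP proof that accompanies every API call, which is what makes the token useless to anyone who does not also hold that second private key. The following Python, added here as an illustration rather than ThreatLocker or Okta code, models that binding with the standard library only. The org URL, client id, JWKs and token value are constructed placeholders, and the JWS signature check Okta performs is stood in for by the hypothetical signature_ok() callback; the thumbprint, request-binding and replay checks are the real ones from RFC 7638 and RFC 9449.

```python
"""
Illustration of what the 'Scoped DPoP Okta Token' option binds together.
Added example, not ThreatLocker or Okta code. All key material, ids and URLs
are constructed placeholders, and the JWS signing/verification that Okta
performs is stood in for by the hypothetical signature_ok() callback so the
example runs with the standard library only.
"""
import base64
import hashlib
import json
import time
import uuid
from urllib.parse import urlsplit, urlunsplit

OKTA_ORG = "https://example.okta.com"            # placeholder org URL
TOKEN_ENDPOINT = OKTA_ORG + "/oauth2/v1/token"   # org authorization server token endpoint


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def strip_query(url: str) -> str:
    """DPoP 'htu' is the request URL without query or fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    in lexicographic order with no whitespace. kid/use/alg never affect it."""
    if jwk.get("kty") == "RSA":
        members = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    elif jwk.get("kty") == "EC":
        members = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    else:
        raise ValueError("unsupported kty")
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())


def client_assertion_claims(client_id: str, now: int) -> dict:
    """private_key_jwt assertion claims (RFC 7523) the client signs with the
    first key pair (the 'JWT Private Key' field) to request a token."""
    return {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
            "iat": now, "exp": now + 300, "jti": str(uuid.uuid4())}


def dpop_proof(method: str, url: str, dpop_public_jwk: dict, now: int) -> dict:
    """Unsigned DPoP proof (RFC 9449) for one request; the client signs it with
    the second key pair (the 'JWT DPoP Private Key' field)."""
    return {"header": {"typ": "dpop+jwt", "alg": "RS256", "jwk": dpop_public_jwk},
            "claims": {"jti": str(uuid.uuid4()), "htm": method.upper(),
                       "htu": strip_query(url), "iat": now}}


def verify_dpop_bound_request(proof, method, url, token_cnf_jkt, now, seen_jti,
                              signature_ok=lambda p: True, max_skew=60):
    """Resource-server side checks (Okta performs the real ones). Returns (ok, reason)."""
    hdr, clm = proof["header"], proof["claims"]
    if hdr.get("typ") != "dpop+jwt":
        return False, "wrong typ"
    alg = hdr.get("alg") or "none"
    if alg == "none" or alg.startswith("HS"):
        return False, "asymmetric alg required"
    if "jwk" not in hdr or "d" in hdr["jwk"]:
        return False, "public jwk missing (or private key leaked in proof)"
    if not signature_ok(proof):                      # hypothetical JWS check
        return False, "bad signature"
    if clm.get("htm") != method.upper() or clm.get("htu") != strip_query(url):
        return False, "proof is for a different request"
    if abs(now - int(clm.get("iat", 0))) > max_skew:
        return False, "stale proof"
    if clm.get("jti") in seen_jti:
        return False, "replayed proof"
    if jwk_thumbprint(hdr["jwk"]) != token_cnf_jkt:  # token's cnf.jkt must match the proof key
        return False, "access token is bound to a different key"
    seen_jti.add(clm["jti"])
    return True, "ok"


# Constructed JWKs: not real keys, just well-formed placeholder members.
DPOP_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-dpop-modulus"), "kid": "dpop-1", "use": "sig"}
OTHER_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"constructed-other-modulus")}


def demo(now=None) -> dict:
    """Legitimate call, a replayed proof, a token presented with the wrong key, and a proof for another URL."""
    now = int(time.time()) if now is None else now
    cnf_jkt = jwk_thumbprint(DPOP_JWK)            # Okta places this in the token's cnf.jkt
    url = OKTA_ORG + "/api/v1/groups?limit=200"   # the call okta.groups.read permits
    seen = set()
    proof = dpop_proof("GET", url, DPOP_JWK, now)
    first = verify_dpop_bound_request(proof, "GET", url, cnf_jkt, now, seen)
    replay = verify_dpop_bound_request(proof, "GET", url, cnf_jkt, now, seen)
    wrong_key = verify_dpop_bound_request(dpop_proof("GET", url, OTHER_JWK, now), "GET", url, cnf_jkt, now, seen)
    wrong_url = verify_dpop_bound_request(dpop_proof("GET", OKTA_ORG + "/api/v1/users", DPOP_JWK, now),
                                          "GET", url, cnf_jkt, now, seen)
    return {"first": first, "replay": replay, "wrong_key": wrong_key, "wrong_url": wrong_url}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point the walk-through makes is the one behind the page's ranking of the three authentication types: with a plain API token or a scoped token, possession of the token is enough to call the API, whereas with DPoP a token copied out of a log or a memory dump fails the cnf.jkt check unless the caller also holds the second private key, and a captured proof fails the jti and htu checks when reused.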



Configuring the ThreatLocker - Okta Integration

In the ThreatLocker portal, navigate to the Integrations page.

Enter Okta in the search bar and select Okta from the dropdown menu.


  1. Enter the organization’s full domain name in the ‘Domain’ textbox, for example https://mycompanyname.com.
  2. Select 'Okta Workforce' in the Configuration section.

You will see three different Authentication Types listed.

  1. Okta API Token - This is the least secure method of authentication and is not recommended. The API tokens that are created in Okta will inherit the same permissions as the user that created the token, which means that if a super admin creates the token, then the API token will have super admin permissions.
  2. Scoped Okta Token - This is a more secure method of authentication that uses OAuth 2.0. A public/private key pair will be generated and specific permissions can be assigned to the token.
  3. Scoped DPoP Okta Token - This is the most secure method of authentication that uses OAuth 2.0. Two separate public/private key pairs will be generated and specific permissions can be assigned to this token. This is the default setting in Okta.


Depending on the authentication method selected, different fields will populate in the ThreatLocker Okta integration sidebar.

Configuration Using Okta API Token

After selecting 'Okta API Token', copy and paste the API key created in Okta into the Api Token textbox.

Select the desired Okta sync interval. This will dictate how often ThreatLocker calls the API to check for changes.

Next, a Settings area will populate where you will map Okta Groups to ThreatLocker User Roles.

The ‘Okta Group’ dropdown contains all the user groups the organization has configured in Okta. Select the desired ‘Okta Group’ from the first dropdown. 

The ‘ThreatLocker User Roles’ dropdown contains all the user roles that have been configured in ThreatLocker. Select the ‘ThreatLocker User Roles’ to assign that role to all users in the specified Okta group.

By selecting the green plus button, another Okta group can be mapped to ThreatLocker User Roles.

Continue selecting the green plus button until all desired groups in Okta are mapped to User Roles in ThreatLocker.

Click the blue ‘Save’ button in the bottom left corner to save and close the Okta Integration sidebar.

The mapped users will now be created in ThreatLocker with the specified roles and can log into the ThreatLocker portal using SAML.

Configuration Using Scoped Okta Token

  1. Paste the Client ID located in the Okta Application 'General' tab into the Client Id textbox.
  2. Paste the Public key generated in Okta into the JWT Public Key textbox.
  3. Paste the Private key generated in Okta (and copied to the clipboard) into the JWT Private Key textbox.

Select the desired Okta sync interval. This will dictate how often ThreatLocker calls the API to check for changes.

Next, a Settings area will populate where you will map Okta Groups to ThreatLocker User Roles.

The ‘Okta Group’ dropdown contains all the user groups the organization has configured in Okta. Select the desired ‘Okta Group’ from the first dropdown. 

The ‘ThreatLocker User Roles’ dropdown contains all the user roles that have been configured in ThreatLocker. Select the ‘ThreatLocker User Roles’ to assign that role to all users in the specified Okta group.

By selecting the green plus button, another Okta group can be mapped to ThreatLocker User Roles.

Continue selecting the green plus button until all desired groups in Okta are mapped to User Roles in ThreatLocker.

Click the blue ‘Save’ button in the bottom left corner to save and close the Okta Integration sidebar.

The mapped users will now be created in ThreatLocker with the specified roles and can log into the ThreatLocker portal using SAML.

Configuration Using Scoped DPoP Okta Token

  1. Paste the Client ID located in the Okta Application 'General' tab into the Client Id textbox.
  2. Paste the Public key from the first key pair generated in Okta into the JWT Public Key textbox.
  3. Paste the Private key from the first key pair generated in Okta into the JWT Private Key textbox.
  4. Paste the Public key from the second key pair generated in Okta into the JWT DPoP Public Key textbox.
  5. Paste the Private key from the second key pair generated in Okta into the JWT DPoP Private Key textbox.

Select the desired Okta sync interval. This will dictate how often ThreatLocker calls the API to check for changes.

Next, a Settings area will populate where you will map Okta Groups to ThreatLocker User Roles.


The ‘Okta Group’ dropdown contains all the user groups the organization has configured in Okta. Select the desired ‘Okta Group’ from the first dropdown. 

The ‘ThreatLocker User Roles’ dropdown contains all the user roles that have been configured in ThreatLocker. Select the ‘ThreatLocker User Roles’ to assign that role to all users in the specified Okta group.

By selecting the green plus button, another Okta group can be mapped to ThreatLocker User Roles.

Continue selecting the green plus button until all desired groups in Okta are mapped to User Roles in ThreatLocker.

Click the blue ‘Save’ button in the bottom left corner to save and close the Okta Integration sidebar.

The mapped users will now be created in ThreatLocker with the specified roles and can log into the ThreatLocker portal using SAML.
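The group-to-role mapping configured in the sidebar, together with the behaviour described at the start of the article (users in a mapped Okta group are created with the mapped roles on the next sync; a user removed from Okta loses all permissions), amounts to a reconciliation between Okta group membership and the ThreatLocker user list. The Python below, added as an illustration and not ThreatLocker's own sync code, shows one sync pass over constructed sample data: the group memberships, user logins and role names are made up, and the handling of a user who is still in Okta but has left every mapped group is an assumption the article does not cover (the example flags it for review rather than revoking anything).

```python
"""
One reconciliation pass of Okta group membership against ThreatLocker User
Roles, as the article describes it. Added illustration, not ThreatLocker code.
Users, groups and role names are constructed; see the comments for the one
case that is an assumption rather than documented behaviour.
"""

# Constructed sample of what okta.groups.read returns (group -> member logins).
OKTA_GROUPS = {
    "TL-Admins":   {"alice@example.com"},
    "TL-Helpdesk": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "All-Staff":   {"alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"},
}
# Every active Okta user, derived here from the groups for the sake of the
# example. erin is absent: she has been removed from Okta.
OKTA_USERS = set().union(*OKTA_GROUPS.values())

# The sidebar mappings: one Okta group -> one ThreatLocker User Role (placeholder role names).
ROLE_MAPPINGS = [("TL-Admins", "Administrator"), ("TL-Helpdesk", "Help Desk")]

# Constructed current state of the ThreatLocker portal (login -> roles).
EXISTING_TL_USERS = {
    "alice@example.com": frozenset({"Administrator"}),
    "bob@example.com":   frozenset({"Help Desk"}),
    "dave@example.com":  frozenset({"Help Desk"}),  # still in Okta, no longer in a mapped group
    "erin@example.com":  frozenset({"Help Desk"}),  # removed from Okta entirely
}


def desired_state(groups: dict, mappings: list) -> dict:
    """login -> frozenset of roles implied by the mappings. A user in two mapped
    groups accumulates both roles; groups that are not mapped have no effect."""
    desired = {}
    for group, role in mappings:
        if group not in groups:
            raise KeyError(f"mapped Okta group no longer exists: {group}")
        for login in groups[group]:
            desired.setdefault(login, set()).add(role)
    return {login: frozenset(roles) for login, roles in desired.items()}


def plan_sync(desired: dict, existing: dict, okta_users: set) -> list:
    """Ordered list of (action, login, roles) tuples one sync run would apply."""
    actions = []
    for login in sorted(set(desired) | set(existing)):
        want, have = desired.get(login), existing.get(login)
        if want is not None and have is None:
            actions.append(("create", login, want))          # new mapped user
        elif want is not None and want != have:
            actions.append(("update", login, want))          # role set changed
        elif want is None and login not in okta_users:
            actions.append(("revoke_all", login, frozenset()))  # removed from Okta
        elif want is None:
            # Assumption: the article does not say what happens to a user who
            # stays in Okta but leaves every mapped group; surface it for review.
            actions.append(("review_unmapped", login, have))
    return actions


def run_sync() -> list:
    return plan_sync(desired_state(OKTA_GROUPS, ROLE_MAPPINGS), EXISTING_TL_USERS, OKTA_USERS)


if __name__ == "__main__":
    for action in run_sync():
        print(*action)
```

Two things worth noticing when reviewing mappings: a user who belongs to more than one mapped group receives the union of the roles (alice above ends up with both), so an overly broad group mapped to a privileged role quietly widens access for everyone in it; and a group that is renamed or deleted in Okta after the mapping is saved is a sync failure, not a silent no-op, which is why the example raises rather than skipping it.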
