Okta Workforce Identity Cloud Integration

18 min. read | Last update: 04.24.2026

Please Note: Okta requires an active SAML integration. For information on setting up a SAML integration in your ThreatLocker Portal, please refer to the following article:

SAML Integration | ThreatLocker Help Center

The purpose of this Okta Workforce Identity Cloud Integration is to streamline the user provisioning process by mapping Okta user groups to ThreatLocker User Roles, automatically creating ThreatLocker users with the specified ThreatLocker User Roles based on their Okta group designation.

When this integration is configured, any user who is a member of an Okta group mapped to ThreatLocker User Roles will be created in ThreatLocker during the next sync. If a user is removed from Okta, ThreatLocker will remove all that user’s permissions within the ThreatLocker portal.

Important Note: ThreatLocker admins who are not members of any synced Okta groups will have their portal permissions revoked.

Opening two separate browser windows, one for ThreatLocker and one for Okta, will make configuring this integration easier.

Creating an App Integration in Okta for SAML

First, sign in to your Okta portal. From here, using the left-hand side of the page, navigate to the 'Applications' dropdown and select 'Applications' from the list.

Now, within the 'Applications' page, select the 'Create App Integration' button.

Selecting this button will open a dialogue window titled 'Create a new app integration', which provides you with several sign-in methods. Select 'SAML 2.0' from the list of methods, then select 'Next' at the bottom of the dialogue window.

After this, you will be redirected to the 'Create SAML Integration' page. Within the 'General Settings' section, the only required field is to enter an 'App name'. You can also optionally add a logo or turn off the app visibility by selecting the provided checkbox. Once you have entered your information, select the 'Next' button.

Now, you will be directed to the 'Configure SAML' section. The first field is titled 'SAML Settings', which is where you will enter values taken from the SAML Integration you have already set up in ThreatLocker.

In the 'SAML Settings' section, insert the following information in the 'Single sign-on URL' field:

https://portalapi.*.threatlocker.com/portalApi/AuthenticationSAML/AssertionConsumerService

The wildcard (*) should be replaced by the instance of the organization for which this Okta integration is being set up.

To locate the instance for your organization, in your ThreatLocker portal, select the 'Help' button in the top-right corner of your page. Once selected, find the field titled 'ThreatLocker Access'. The alphanumeric character(s) located in parentheses should be placed in the 'Single sign-on URL' in place of the wildcard.

Example: https://portalapi.d.threatlocker.com

Additionally, you can find your full 'Single sign-on URL' by navigating to your SAML integration, selecting it to open the 'Edit SAML Integration' sidebar, and copying the information provided in the 'Assertion' field.

In the 'Audience URI (SP Entity ID)' field, insert the following information:

https://threatlocker.com

The 'Default RelayState', 'Name ID format', 'Application username', and 'Update application username on' fields can all be configured as desired for your organization or left at their default settings.

In the section titled 'Preview the SAML assertion generated from the information above', you can select the button to view the XML that will be used in the SAML assertion to verify your inserted information.

Once you have verified that all information is correct, select the 'Next' button at the bottom of the page.

Now in the 'Feedback' section, you can fill out the questions before selecting 'Finish' at the bottom of the page.

Creating an App Integration in Okta for ThreatLocker

Now that you have created an App Integration in Okta for SAML, you need to make an App Integration for ThreatLocker. To do this, in your Okta portal, using the left-hand side of the page, select the 'Applications' dropdown and select 'Applications'.

Within the 'Applications' page, select the 'Create App Integration' button.

Selecting this button will open a dialogue window titled 'Create a new app integration', where you will be asked to select your integration's sign-in method. From the list of available options, select 'API Services', then select 'Next'.

Selecting 'Next' will bring you to a page titled 'New API Services App Integration'. From here, create a name for your App Integration, then select the 'Save' button.

Once done, the next steps will vary depending on the Authentication Type that you use when setting up your Okta integration. For the Okta Workforce integration, the options are as follows:

  1. Okta API Token - This is the least secure method of authentication and is not recommended. API tokens created in Okta inherit the same permissions as the user who created them, so if a super admin creates a token, it will have super admin permissions.
  2. Scoped Okta Token - This is a more secure authentication method that uses OAuth 2.0. A public/private key pair will be generated, and specific permissions can be assigned to the token.
  3. Scoped DPoP Okta Token - This is the most secure authentication method, using OAuth 2.0. Two separate public/private key pairs will be generated, and specific permissions can be assigned to this token. This is the default setting in Okta and the recommended selection.

Configuration to Use an Okta API Token as the Authentication Type in ThreatLocker - Least Secure and Not Recommended

To configure the use of an Okta API Token as the authentication type in ThreatLocker, from within your Okta portal, on the left-hand side of the page, select the 'Security' dropdown. From here, select 'API' from the list of options.

Within the 'API' page, navigate to the tabs and select 'Tokens'.

Now, in the 'Tokens' tab, select the 'Create Token' button.

Selecting this button will open the 'Create token' dialogue window. From here, give your token a name. Then, select where the API calls made with that token must originate. Okta gives users several options for this:

  • Any IP
    • Please note that this option is not recommended, as it allows API calls to originate from anywhere.
  • In any network zone defined in Okta
  • In any of the following zones:
  • Not in any network zone defined in Okta
  • Not in any of the following zones:

Once you have entered the information that best suits your organization, select the 'Create token' button at the bottom of the dialogue window.

Selecting this button will require you to re-enter your login credentials. Once this is done, you will be presented with a Token Value.

Important: This token will only be shown once. Copy the token value and store it in a secure location.

Once you have securely stored your token value, select the 'OK, got it' button to close this window. The active token name will appear at the top of the token grid and inherit the permissions of the user who created it.

This API key will be required when setting up your integration in the ThreatLocker Portal.

Configuration to use a Scoped Okta Token as the Authentication Type in ThreatLocker

From the Okta portal, start by navigating to the 'Applications' dropdown, then select 'Applications' from the list of options.

From the 'Applications' page, locate and select the application you created initially for your ThreatLocker integration. In this example, that application was called 'My ThreatLocker Integration'.

Selecting this application will open the 'General' tab. From here, select the 'Edit' button within the 'Client Credentials' section, then change the 'Client authentication' to Public key / Private key.

Before selecting the 'Save' button, navigate to the 'Public keys' section and select the 'Edit' button.

Keep 'Save keys in Okta' selected in the 'Configuration' section, then select 'Add Key'.

Once selected, a new dialogue window will open titled 'Add a public key'. From here, select the 'Generate new key' button.

Selecting this button generates two keys: a public and a private one. The public key can be retrieved at any time, so you can choose to store it securely now or revisit it later. The private key will only be visible ONCE. Ensure that it is saved securely before selecting the 'Done' button. Both of these keys will be needed to enable your Okta integration from the ThreatLocker Portal.

You can now select the 'Save' button under the 'Public keys' and 'Client Credentials' sections.

Now, navigating to the section titled 'General Settings', select the 'Edit' button.

Once selected, uncheck the checkbox labeled 'Require Demonstrating Proof of Possession (DPoP) header in token requests'. Then, select the 'Save' button.

Once these steps have been taken and the key pair has been generated, the next step is to assign Okta API Scopes to determine which resources this integration can access.

Navigate to the top of your page and select the 'Okta API Scopes' tab found to the right of the 'General' tab.

The minimum scope that the ThreatLocker Okta integration requires is okta.groups.read. This scope allows ThreatLocker to read Okta user groups and their members. On this page, scroll down to the okta.groups.read scope and select 'Grant'.

Selecting the 'Grant' button will open the 'Grant Okta API Scope' dialogue window. From here, select 'Grant Access'.

After selecting 'Grant Access', navigate to the 'Admin roles' tab, which is found to the right of the 'Okta API Scopes' tab.

On this page, select the 'Edit assignments' button found to the right to provide a role for the Okta integration.

Selecting this button opens a page titled 'Administrator assignment by admin'. Here, navigate to the dropdown titled 'Role' and search for Read-only Administrator, which is the least-permissive role that still provides necessary access.

Select the role, then select 'Save Changes' to apply the role assignment.

After selecting 'Save Changes', you will be prompted to enter your account credentials. Once these have been entered, you will be brought back to the 'Admin roles' page to see that the role has been added to your application.

Once done, your application integration setup in the Okta portal is complete. You will need the Client ID and key pairs from Okta when setting up the integration in your ThreatLocker portal.

Configuration to use a Scoped DPoP Okta Token as the Authentication Type in ThreatLocker

From the Okta portal, start by navigating to the 'Applications' dropdown, then select 'Applications' from the list of options.

From the 'Applications' page, locate and select the application you created initially for your ThreatLocker integration. In this example, that application was called 'My ThreatLocker Integration'.

Selecting this application will open the 'General' tab. From here, select the 'Edit' button within the 'Client Credentials' section, then change the 'Client authentication' to Public key / Private key.

Before selecting the 'Save' button, navigate to the 'Public keys' section and select the 'Edit' button.

Keep 'Save keys in Okta' selected in the 'Configuration' section, then select 'Add Key'.

Once selected, a new dialogue window will open titled 'Add a public key'. From here, select the 'Generate new key' button.

Selecting this button generates two keys: a public and a private one. The public key can be retrieved at any time, so you can choose to store it securely now or revisit it later. The private key will only be visible ONCE. Ensure that it is saved securely before selecting the 'Done' button. Both of these keys will be needed to enable your Okta integration from the ThreatLocker Portal.

Now, select the 'Add' button again to generate a second Public / Private key pair. Both of these keys will be needed to complete the ThreatLocker Okta Integration.

Select 'Generate new key' when the 'Add a public key' dialogue option appears, then ensure you save at least the private key securely, as it can only appear once. When the information has been saved, select the 'Save' button.

You can now select the 'Save' button under the 'Client Credentials' section.

By default, in the 'General Settings' section, the 'Require Demonstrating Proof of Possession (DPoP) header in token requests' option will be checked. Ensure this option is checked and leave this setting as is.

Once these steps have been taken and the two key pairs have been generated, the next step is to assign Okta API Scopes to determine which resources this integration can access.

Navigate to the top of your page and select the 'Okta API Scopes' tab found to the right of the 'General' tab.

The minimum scope that the ThreatLocker Okta integration requires is okta.groups.read. This scope allows ThreatLocker to read Okta user groups and their members. On this page, scroll down to the okta.groups.read scope and select 'Grant'.

Selecting the 'Grant' button will open the 'Grant Okta API Scope' dialogue window. From here, select 'Grant Access'.

After selecting 'Grant Access', navigate to the 'Admin roles' tab, which is found to the right of the 'Okta API Scopes' tab.

On this page, select the 'Edit assignments' button found to the right to provide a role for the Okta integration.

Selecting this button opens a page titled 'Administrator assignment by admin'. Here, navigate to the dropdown titled 'Role' and search for Read-only Administrator, which is the least-permissive role that still provides necessary access.

Select the role, then select 'Save Changes' to apply the role assignment.

After selecting 'Save Changes', you will be prompted to enter your account credentials. Once these have been entered, you will be brought back to the 'Admin roles' page to see that the role has been added to your application.

Once done, your application integration setup in the Okta portal is complete. You will need the Client ID and both sets of key pairs from Okta when setting up the integration in your ThreatLocker portal.
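What the two key-based authentication types described above actually exchange, shown as an added Go example that is not ThreatLocker's or Okta's code: with 'Public key / Private key' client authentication, the client proves possession of the first private key by signing a private_key_jwt client assertion; the Scoped DPoP variant adds a second proof JWT signed with the second key pair and bound to one HTTP request (RFC 9449), and the server checks both with the public keys registered in the app. The client ID, token URL, jti values and the newKey helper are assumptions for illustration, not values from this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE uses base64url without padding

func newKey() *rsa.PrivateKey { // hypothetical stand-in for Okta's 'Generate new key' button
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

// signJWT builds a compact RS256 JWS (header.claims.signature) with a private key.
func signJWT(key *rsa.PrivateKey, header, claims map[string]any) string {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	// SignPKCS1v15 over a SHA-256 digest cannot fail for a well-formed 2048-bit key.
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyJWT is the server-side check with the registered public key: a wrong key or a tampered token is rejected before any claim is read.
func verifyJWT(pub *rsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature check failed")
	}
	raw, _ := b64.DecodeString(parts[1])
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}

// clientAssertion is the private_key_jwt credential that replaces a client secret: signed with the first ("JWT") private key, aud is the token endpoint, jti is single-use.
func clientAssertion(key *rsa.PrivateKey, clientID, tokenURL, jti string, now time.Time) string {
	return signJWT(key, map[string]any{"alg": "RS256", "typ": "JWT"}, map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenURL, "jti": jti, "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
}

// dpopProof (RFC 9449) is signed with the second ("DPoP") private key; its public half rides in the header as a JWK, and htm/htu bind the proof to one HTTP request.
func dpopProof(key *rsa.PrivateKey, method, url, jti, nonce string, now time.Time) string {
	pub := &key.PublicKey
	jwk := map[string]any{"kty": "RSA", "n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
	claims := map[string]any{"htm": method, "htu": url, "iat": now.Unix(), "jti": jti}
	if nonce != "" { // echo the server's DPoP-Nonce header once it has issued one
		claims["nonce"] = nonce
	}
	return signJWT(key, map[string]any{"alg": "RS256", "typ": "dpop+jwt", "jwk": jwk}, claims)
}
```

The token request then carries the client assertion in the form body (client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer) and, for the DPoP type, the proof in a DPoP header; only the holder of both private keys can produce a request Okta accepts, which is why the page insists they be stored securely.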

Configuring the Okta Integration From Your ThreatLocker Portal

In your ThreatLocker Portal, hover over the 'Manage' icon on the left-hand side of the page. Then select 'Integrations' from the dropdown window.

In the 'Integrations' page, using the search bar, enter 'Okta' and select it from the dropdown menu.

Selecting this will open the 'Edit Okta Integration' sidebar. Within the 'Okta Details' section, start by entering your organization's Okta domain. Be sure to include https:// before the domain name.

In the 'Configuration' section, change 'Okta OAuth2' to 'Okta Workforce'. This will remove the 'Audience' field, so entering information here is not necessary.

The 'Authentication Type' section will now display three options. These options correspond to the Authentication Type methods we covered above. Depending on which instructions you followed, select that authentication type:

  1. Okta API Token - This is the least secure method of authentication and is not recommended. API tokens created in Okta inherit the same permissions as the user who created them, so if a super admin creates a token, it will have super admin permissions.
  2. Scoped Okta Token - This is a more secure authentication method that uses OAuth 2.0. A public/private key pair will be generated, and specific permissions can be assigned to the token.
  3. Scoped DPoP Okta Token - This is the most secure authentication method, using OAuth 2.0. Two separate public/private key pairs will be generated, and specific permissions can be assigned to this token. This is the default setting in Okta and the recommended selection.

Each Authentication Type is different and will populate different fields in the ThreatLocker Okta integration sidebar.

Configuration Using Okta API Token

After selecting 'Okta Workforce' and then 'Okta API Token', two new fields will populate.

  1. API Token - Copy and paste the API Key you created in Okta into this field.
  2. OKTA Sync Interval - This field determines how often ThreatLocker will call the API to check for changes. ThreatLocker will set this field to 15 minutes by default, but the following options are available:
    • 5 Minutes
    • 15 Minutes
    • 30 Minutes
    • 1 Hour
    • 2 Hours
    • 4 Hours
    • 6 Hours
    • 12 Hours

Once this information has been entered, select the 'Add' button at the bottom of the sidebar. After this has been selected, a new section titled 'Settings' will populate, which will allow you to map Okta Groups to ThreatLocker User Roles.

The 'OKTA Group' dropdown provides a list of all user groups that this organization has configured in Okta. Select the dropdown, then choose your desired group.

The 'ThreatLocker User Roles' dropdown contains all User Roles that have been configured in ThreatLocker. Select the 'ThreatLocker User Roles' dropdown to assign roles to your selected Okta group. Using the checkboxes next to User Roles lets you assign multiple roles to a user group.

The green 'plus' button to the right of these fields allows you to map another Okta group to ThreatLocker User Roles. The red 'minus' button will remove that field from the Okta Integration.

Once you have mapped all desired groups, select the 'Save' button at the bottom of the page to save your changes and close the Okta Integration sidebar. Mapped users will now be created in ThreatLocker with the specified roles and can log in to the ThreatLocker portal using SAML.
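A pre-flight check for the sync behaviour this article describes (a user gains the roles of every mapped Okta group they belong to, and anyone holding portal permissions who is in no mapped group, including users removed from Okta, has them revoked on the next sync), written as an added Go example rather than ThreatLocker's own code. The group names, role names and e-mail addresses are constructed sample data.

```go
package main

import "sort"

// Constructed sample data; none of these names come from a real tenant.
var (
	// Okta group -> ThreatLocker User Roles, as chosen in the 'Settings' mapping.
	groupRoles = map[string][]string{
		"TL-Admins":   {"Super Administrator"},
		"TL-Helpdesk": {"Administrator", "Read Only"},
		"TL-Auditors": {"Read Only"},
	}
	// Okta group membership as read with the okta.groups.read scope.
	groupMembers = map[string][]string{
		"TL-Admins":   {"alice@example.com"},
		"TL-Helpdesk": {"bob@example.com", "carol@example.com"},
		"TL-Auditors": {"carol@example.com"},
		"Finance":     {"dave@example.com"}, // not mapped, so never provisioned
	}
	// Users who hold portal permissions today, before the first sync runs.
	// erin is in no mapped group (or was removed from Okta), so she will lose access.
	currentAdmins = []string{"alice@example.com", "bob@example.com", "erin@example.com"}
)

// effectiveRoles unions the roles of every mapped group a user belongs to,
// which is how a user in two mapped groups ends up holding both groups' roles.
func effectiveRoles(groupRoles, groupMembers map[string][]string) map[string][]string {
	seen := map[string]map[string]bool{}
	for group, roles := range groupRoles {
		for _, user := range groupMembers[group] {
			if seen[user] == nil {
				seen[user] = map[string]bool{}
			}
			for _, r := range roles {
				seen[user][r] = true
			}
		}
	}
	out := map[string][]string{}
	for user, set := range seen {
		for r := range set {
			out[user] = append(out[user], r)
		}
		sort.Strings(out[user])
	}
	return out
}

// willBeRevoked lists current admins who appear in no mapped group: per the
// article's Important Note, their portal permissions are removed on the next sync.
func willBeRevoked(current []string, effective map[string][]string) []string {
	var revoked []string
	for _, u := range current {
		if _, ok := effective[u]; !ok {
			revoked = append(revoked, u)
		}
	}
	sort.Strings(revoked)
	return revoked
}
```

Running this against a real export of the mapping and group membership before selecting 'Save' shows exactly which administrators would lock themselves out.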

Configuration Using Scoped Okta Token

After selecting 'Okta Workforce' and then 'Scoped Okta Token', four new fields will populate.

  1. Client ID - Enter the Client ID here, which is located in Okta by navigating to 'Applications' > 'Applications', then selecting the Application Integration you created earlier. The Client ID can be copied from the 'Client Credentials' section on the 'General' tab.
  2. JWT Public Key - Paste the Public Key that was generated in Okta here.
  3. JWT Private Key - Paste the Private Key that was generated in Okta here.
  4. OKTA Sync Interval - This field determines how often ThreatLocker will call the API to check for changes. ThreatLocker will set this field to 15 minutes by default, but the following options are available:
    • 5 Minutes
    • 15 Minutes
    • 30 Minutes
    • 1 Hour
    • 2 Hours
    • 4 Hours
    • 6 Hours
    • 12 Hours

After inserting this information, select the 'Add' button at the bottom of the sidebar. This will populate a new area titled 'Settings', which will allow you to map Okta Groups to ThreatLocker User Roles.

The 'OKTA Group' dropdown provides a list of all user groups that this organization has configured in Okta. Select the dropdown, then choose your desired group.

The 'ThreatLocker User Roles' dropdown contains all User Roles that have been configured in ThreatLocker. Select the 'ThreatLocker User Roles' dropdown to assign roles to your selected Okta group. Using the checkboxes next to User Roles lets you assign multiple roles to a user group.

The green 'plus' button to the right of these fields allows you to map another Okta group to ThreatLocker User Roles. The red 'minus' button will remove that field from the Okta Integration.

Once you have mapped all desired groups, select the 'Save' button at the bottom of the page to save your changes and close the Okta Integration sidebar. Mapped users will now be created in ThreatLocker with the specified roles and can log in to the ThreatLocker portal using SAML.

Configuration Using Scoped DPoP Okta Token

After selecting 'Okta Workforce' and then 'Scoped DPoP Okta Token', six new fields will populate.

  1. Client ID - Enter the Client ID here, which is located in Okta by navigating to 'Applications' > 'Applications', then selecting the Application Integration you created earlier. The Client ID can be copied from the 'Client Credentials' section on the 'General' tab.
  2. JWT Public Key - Paste the Public Key that was generated in Okta here.
  3. JWT Private Key - Paste the Private Key that was generated in Okta here.
  4. JWT DPoP Public Key - Paste the second Public Key that was generated in Okta here.
  5. JWT DPoP Private Key - Paste the second Private Key that was generated in Okta here.
  6. OKTA Sync Interval - This field determines how often ThreatLocker will call the API to check for changes. ThreatLocker will set this field to 15 minutes by default, but the following options are available:
      • 5 Minutes
      • 15 Minutes
      • 30 Minutes
      • 1 Hour
      • 2 Hours
      • 4 Hours
      • 6 Hours
      • 12 Hours

After inserting this information, select the 'Add' button at the bottom of the sidebar. This will populate a new area titled 'Settings', which will allow you to map Okta Groups to ThreatLocker User Roles.

The 'OKTA Group' dropdown provides a list of all user groups that this organization has configured in Okta. Select the dropdown, then choose your desired group.

The 'ThreatLocker User Roles' dropdown contains all User Roles that have been configured in ThreatLocker. Select the 'ThreatLocker User Roles' dropdown to assign roles to your selected Okta group. Using the checkboxes next to User Roles lets you assign multiple roles to a user group.

The green 'plus' button to the right of these fields allows you to map another Okta group to ThreatLocker User Roles. The red 'minus' button will remove that field from the Okta Integration.

Once you have mapped all desired groups, select the 'Save' button at the bottom of the page to save your changes and close the Okta Integration sidebar. Mapped users will now be created in ThreatLocker with the specified roles and can log in to the ThreatLocker portal using SAML.
