SaaS Security
Onboard an Okta App to SSPM
Table of Contents
Onboard an Okta App to SSPM
Connect an Okta instance to SSPM to detect posture risks.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Or any of the following licenses that include the Data Security license:
|
For SSPM to detect posture risks in your Okta instance, you must onboard your Okta
instance to SSPM. Through the onboarding process, SSPM connects to an Okta API by
using an API token that you generate from Okta's administrator console. After
connecting to the Okta API, SSPM scans your Okta instance for misconfigured
settings. If there are misconfigured settings, SSPM suggests a remediation action
based on best practices.
During onboarding, SSPM gives you an option to connect with read-only permissions or
with read and write permissions. Onboarding Okta with read-only permissions enables
SSPM to perform read-only scans. Connecting with read and write permissions enables
additional actions, such as automated remediation. The onboarding screen also lists
the API scopes that SSPM requires for its read-only and its read and write actions.
After SSPM establishes a connection to your Okta instance, SSPM will notify you if
it was unable to access certain API scopes. SSPM might not be able to access certain
scopes if the user who created the API token lacked the required permissions.
To onboard your Okta instance, you complete the following actions:
Create an API Token for Connecting to Your Okta Instance
To access your Okta instance, SSPM requires the following information, which you
will specify during the onboarding process.
| Item | Description |
|---|---|
|
API Token
|
A generated character string that identifies an Okta
administrator to the Okta API. SSPM requires this API token
to authenticate to the API. The token will inherit the
permissions of the administrator who creates the token.
Required permissions: To give SSPM read and write
access to your Okta instance, the API token must be created
by a Super Administrator. To give SSPM read-only access, the
API token can be created by a read-only administrator.
|
|
Admin Instance URL
|
The URL for your administrator console.
|
As you complete the following steps, make note of the values of the items
described in the preceding table. You will enter these values during onboarding
to enable SSPM to access your Okta instance.
- Identify the Okta administrator account that you will use to create your API Token.The API token will inherit the permissions of the administrator who creates the token. For read and write access, create the token as a Super Administrator. For read-only access, create the token as a read-only administrator.Using the administrator account that you identified, log in to your Okta administrator console.Identify your administrator instance URL, which appears in the browser's address bar.Your administrator instance URL is your subdomain plus -admin.okta.com (https:// <subdomain>-admin.okta.com).Before you continue to the next step, make note of your administrator instance URL. You will provide this information to SSPM during the onboarding process.In the left navigation pane, select .On the API page, select the Tokens tab.Create token.
![]()
A dialog opens prompting you to name your token.Specify a name for your token and Create token.Okta generates and displays your token.![]()
Copy the generated token and paste it into a text file.Don’t continue to the next step unless you have copied the API token. You will provide this token to SSPM during the onboarding process.Connect SSPM to Your Okta Instance
By adding an Okta app in SSPM, you enable SSPM to connect to your Okta instance.- Log in to Strata Cloud Manager.Select and click the Okta tile.On the Posture Security tab, Add New instance.Enter your API token and your administrator instance URL.Specify whether you want SSPM to connect with Read Permissions only or with Read and Write permissions.The onboarding page lists the API scopes that SSPM will access to complete its various scans and to perform remediation.Connect with Okta.
