Onboard an Okta App to SSPM

Connect an Okta instance to SSPM to detect posture risks.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • SaaS Security Posture Management license
Or any of the following licenses that include the Data Security license:
  • CASB-X
  • CASB-PA
For SSPM to detect posture risks in your Okta instance, you must onboard your Okta instance to SSPM. Through the onboarding process, SSPM connects to an Okta API by using an API token that you generate from Okta's administrator console. After connecting to the Okta API, SSPM scans your Okta instance for misconfigured settings. If there are misconfigured settings, SSPM suggests a remediation action based on best practices.
During onboarding, SSPM gives you an option to connect with read-only permissions or with read and write permissions. Onboarding Okta with read-only permissions enables SSPM to perform read-only scans. Connecting with read and write permissions enables additional actions, such as automated remediation. The onboarding screen also lists the API scopes that SSPM requires for its read-only and its read and write actions. After SSPM establishes a connection to your Okta instance, SSPM will notify you if it was unable to access certain API scopes. SSPM might not be able to access certain scopes if the user who created the API token lacked the required permissions.
To onboard your Okta instance, you complete the following actions:
  • Create an API Token for Connecting to Your Okta Instance
  • Connect SSPM to Your Okta Instance

Create an API Token for Connecting to Your Okta Instance

To access your Okta instance, SSPM requires the following information, which you will specify during the onboarding process.
Item: Description
API Token: A generated character string that identifies an Okta administrator to the Okta API. SSPM requires this API token to authenticate to the API. The token will inherit the permissions of the administrator who creates the token.
    Required permissions: To give SSPM read and write access to your Okta instance, the API token must be created by a Super Administrator. To give SSPM read-only access, the API token can be created by a read-only administrator.
Admin Instance URL: The URL for your administrator console.
As you complete the following steps, make note of the values of the items described in the preceding table. You will enter these values during onboarding to enable SSPM to access your Okta instance.
  1. Identify the Okta administrator account that you will use to create your API Token.
    The API token will inherit the permissions of the administrator who creates the token. For read and write access, create the token as a Super Administrator. For read-only access, create the token as a read-only administrator.
  2. Using the administrator account that you identified, log in to your Okta administrator console.
  3. Identify your administrator instance URL, which appears in the browser's address bar.
    Your administrator instance URL is your subdomain plus -admin.okta.com (https://<subdomain>-admin.okta.com).
    Before you continue to the next step, make note of your administrator instance URL. You will provide this information to SSPM during the onboarding process.
  4. In the left navigation pane, select Security > API.
  5. On the API page, select the Tokens tab.
  6. Click Create token.
    A dialog opens prompting you to name your token.
  7. Specify a name for your token and click Create token.
    Okta generates and displays your token.
  8. Copy the generated token and paste it into a text file.
    Don’t continue to the next step unless you have copied the API token. You will provide this token to SSPM during the onboarding process.
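
Because the token inherits the permissions of the administrator who creates it, you can confirm which admin roles back the token, and that the URL really has the `https://<subdomain>-admin.okta.com` form, before entering either value in SSPM. The following Python check is an added example, not part of the original page or of any Palo Alto Networks or Okta code. It assumes that the Okta API is reached on the org domain, that the token is allowed to list its own role assignments, and that `SUPER_ADMIN` and `READ_ONLY_ADMIN` are the role types returned; the function names and the `OKTA_ADMIN_URL`, `OKTA_API_TOKEN` and `SSPM_MODE` environment variables are hypothetical.

```python
import json
import re
import urllib.request
from urllib.parse import urlsplit

def org_base(admin_url):
    """Validate https://<subdomain>-admin.okta.com and return the org base URL."""
    parts = urlsplit(admin_url.strip())
    host = (parts.hostname or "").lower()
    m = re.fullmatch(r"([a-z0-9][a-z0-9-]*)-admin\.okta\.com", host)
    # Reject plain http, userinfo, ports and lookalike hosts before any token is sent.
    if parts.scheme != "https" or not m or parts.netloc.lower() != host:
        raise ValueError("expected https://<subdomain>-admin.okta.com")
    # Assumption: the API is served from the org domain (admin host minus "-admin").
    return f"https://{m.group(1)}.okta.com"

def okta_get(url, token):
    """GET an Okta API resource using the SSWS API token scheme."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"SSWS {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def token_roles(admin_url, token, get=okta_get):
    """Role types of the administrator whose permissions the token inherits."""
    base = org_base(admin_url)
    me = get(f"{base}/api/v1/users/me", token)
    roles = get(f"{base}/api/v1/users/{me['id']}/roles", token)
    return {r["type"] for r in roles}

def preflight(roles, mode):
    """Compare role types with the intended SSPM mode: 'read' or 'read-write'."""
    if mode == "read-write":
        return "ok" if "SUPER_ADMIN" in roles else "insufficient: needs SUPER_ADMIN"
    if mode != "read":
        raise ValueError("mode must be 'read' or 'read-write'")
    if not roles:
        return "insufficient: token owner holds no admin role"
    extra = sorted(roles - {"READ_ONLY_ADMIN"})
    return f"over-privileged for read-only: {extra}" if extra else "ok"

if __name__ == "__main__":
    import os  # token comes from the environment, never from the command line
    found = token_roles(os.environ["OKTA_ADMIN_URL"], os.environ["OKTA_API_TOKEN"])
    print(sorted(found), preflight(found, os.environ.get("SSPM_MODE", "read")))
```

If Okta denies the role lookup for the token, `urlopen` raises an HTTP error; treat that result as inconclusive rather than as a pass.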

Connect SSPM to Your Okta Instance

By adding an Okta app in SSPM, you enable SSPM to connect to your Okta instance.
  1. From the Add Application page (Posture Security > Applications > Add Application), click the Okta tile.
  2. On the Posture Security tab, click Add New instance.
  3. Enter your API token and your administrator instance URL.
  4. Specify whether you want SSPM to connect with Read Permissions only or with Read and Write permissions.
    The onboarding page lists the API scopes that SSPM will access to complete its various scans and to perform remediation.
  5. Click Connect with Okta.