Okta Integration

Written By Dan Crawford

Last updated 6 days ago

The Okta integration in PGP connects with Okta to provide comprehensive visibility and risk management for Single Sign-On (SSO) applications, enabling automated detection of SSO coverage gaps and potential MFA exposures.

Note: This document describes the integration with Okta that allows PGP to discover and confirm logins that are protected by Okta. This is not documentation on setting up SSO with Okta.

Key Features

  • Automated Asset Discovery: Fetches and inventories all Okta-managed applications, adding unknown assets to the attack surface.
  • Correlation and Flagging: Correlates PGP-discovered login portals with Okta apps, flags unmanaged or MFA-lacking portals as risks.
  • MFA Assurance: Analyzes Okta policies to identify applications lacking enforced MFA and surfaces status in the UI.
  • Real-time Updates: Performs scheduled and manual syncs to keep inventory up to date.
  • Filtering and Visibility: Allows filtering of Okta-derived assets and displays SSO coverage in the asset drawer.

Prerequisites

  • Active Okta account with administrative access.
  • Okta API credentials (Client ID, Private Key, Okta URL).
  • Access to PGP instance.

Setup Instructions

  1. Create App Integration in Okta
    • Navigate to Okta Admin Console.
    • Click CREATE APP INTEGRATION.
    • Select API Services option and click Next.
    • Provide application name (e.g., "PGP Security Integration") and click Save.
  2. Configure Client Credentials
    • Click Client Credentials → Edit.
    • Select Public key / Private key.
    • Click ADD KEY in the PUBLIC KEYS section.
    • Click GENERATE NEW KEY in the popup modal.
    • After key generation: Select PEM format, click Copy to clipboard.
    • Important: Save the PEM key securely (this will be needed for authentication).
    • Click Done.
    • Click Save in the Public Key section.
    • Click Save again in the confirmation popup.
  3. General Settings Configuration
    • Click Edit in General Settings.
    • Uncheck "Require Demonstrating Proof of Possession (DPoP) header in token requests".
    • Click Save in the section.
  4. Grant API Scopes
    • Navigate to Okta API Scopes tab.
    • Find okta.apps.read entry.
    • Click Grant for this scope.
    • Click Grant Access in the confirmation popup.
  5. Assign Admin Role
    • Navigate to Admin Roles tab.
    • Click Edit Assignment.
    • Click the role dropdown.
    • Search for and select Read-only Administrator.
    • Click Save Changes.
  6. Configure PGP Integration
    • Log in to PGP, navigate to Integrations, and click Add Integration.
    • Find Okta under Single Sign-On and click Connect.
    • Enter the Okta URL, Client ID, and Private Key, then click Connect.
    • PGP validates the credentials and permissions, then fetches and inventories the Okta applications.
    • The integration supports scheduled syncs and displays its health on the Integrations page.
    • For support, contact support@praetorian.com.
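To confirm that the credentials from steps 2 through 4 work the way PGP will use them, the following Go program is an added example (not PGP's own code) of the OAuth for Okta service-app flow referenced below: it builds the private_key_jwt client assertion that an API Services app presents in place of a client secret, checks the RS256 signature against the public key the way Okta does with the key registered in step 2, assembles the token request for the okta.apps.read scope without a DPoP proof (step 3 disabled DPoP), and inspects a token response for the granted scope. The Okta URL https://example.okta.com, the Client ID 0oaEXAMPLECLIENTID, the sample token response and the RSA key generated in memory are constructed placeholders; in practice the key is the PEM saved in step 2.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// b64JSON encodes a JWT segment: JSON, then base64url without padding.
func b64JSON(v any) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// ClientAssertion builds the private_key_jwt assertion (RFC 7523) for an API
// Services app: iss and sub are both the Client ID, aud is the org's token
// endpoint, exp is kept short, and jti is unique so a captured assertion cannot
// be replayed once it expires. The key is the private half registered in step 2.
func ClientAssertion(oktaURL, clientID string, key *rsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims := map[string]any{
		"iss": clientID,
		"sub": clientID,
		"aud": strings.TrimRight(oktaURL, "/") + "/oauth2/v1/token",
		"iat": now.Unix(),
		"exp": now.Add(5 * time.Minute).Unix(),
		"jti": fmt.Sprintf("%x", jti),
	}
	signingInput := b64JSON(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + b64JSON(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion checks the RS256 signature with the public key (as Okta does
// with the key added under Public keys in step 2) and returns the claims.
func VerifyAssertion(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}

// TokenRequestForm is the body POSTed to {oktaURL}/oauth2/v1/token. Because
// DPoP was disabled in step 3, no DPoP proof header accompanies this request.
func TokenRequestForm(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("scope", "okta.apps.read")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

// GrantedScopes reports whether the token response carries the scope the
// integration needs; a missing okta.apps.read means step 4 was not completed.
func GrantedScopes(tokenResponse string, required string) (bool, error) {
	var resp struct {
		Scope string `json:"scope"`
	}
	if err := json.Unmarshal([]byte(tokenResponse), &resp); err != nil {
		return false, err
	}
	for _, s := range strings.Fields(resp.Scope) {
		if s == required {
			return true, nil
		}
	}
	return false, nil
}
```

If Okta answers the token request with an error instead of a bearer token, the usual causes map onto the steps above: a signature or aud mismatch points at the key or URL entered in step 6, a DPoP-related error points at step 3, and a token whose scope field lacks okta.apps.read points at step 4. The Read-only Administrator role from step 5 is what lets that token actually list applications once it is presented to the Okta API.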

Notes

  • The API token is used for read-only operations and stored securely.
  • Ensure the Okta app has the required scopes and roles for fetching application inventory and policies.

References

https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/

https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/