# Okta

> Configure Okta identity integration with RAD Security for secure authentication and user management.

# Okta Integration Setup

This guide walks you through configuring Okta as an identity provider for RAD Security, giving you flexible authentication options.

You can authenticate using either:

* **API Service Integration** (Recommended) - Simpler setup, suitable for most use cases
* **App Integration** - Advanced option for granular permission control

## Prerequisites

Before you begin, ensure you have:

* Admin access to your Okta tenant
* Access to RAD Security workspace with integration permissions

***

## Option 1: API Service Integration (Recommended)

The API Service Integration provides the quickest setup path with all necessary permissions pre-configured.

### Step 1: Add the Synqly Identity Connector

<Steps>
  <Step title="Access Okta Admin Portal">
    Log in to Okta with admin privileges and navigate to the **Admin portal**.
  </Step>

  <Step title="Navigate to API Service Integrations">
    Go to **Applications > API Service Integrations**
  </Step>

  <Step title="Add the Integration">
    1. Click **Add Integration**
    2. Search for and select **Synqly Identity Connector**
    3. Click **Next**
  </Step>

  <Step title="Install and Authorize">
    Click **Install and Authorize** to complete the setup
  </Step>

  <Step title="Save Credentials">
    Once authorized, note down the following values in a secure location:

    * **Client ID**
    * **Client Secret**
    * **Okta Domain**
  </Step>
</Steps>

### Step 2: Configure in RAD Security

Navigate to your RAD Security workspace and enter the following integration parameters:

| Parameter         | Description                                             |
| ----------------- | ------------------------------------------------------- |
| **Client ID**     | The Client ID from Okta                                 |
| **Client Secret** | The Client Secret from Okta                             |
| **Base URL**      | Your Okta Domain (e.g., `https://your-domain.okta.com`) |

<Note>
  Keep your credentials secure. RAD Security encrypts and stores these values safely.
</Note>

***

## Option 2: App Integration (Advanced)

Use this method if you need fine-grained control over permissions assigned to the RAD Security integration. This is ideal for disabling features you don't plan to use.

<Warning>
  This setup is more complex and intended for advanced users. Use API Service Integration unless you have specific requirements for custom permission scopes.
</Warning>

### Step 1: Create Service App Integration

<Steps>
  <Step title="Create the App">
    Follow [Okta's documentation for creating a service app integration](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-integration).
  </Step>

  <Step title="Configure Client Credentials">
    1. Navigate to your app integration's main page
    2. Go to the **General** tab
    3. Note down the **Client ID**
    4. Edit **Client Credentials > Client authentication**
    5. Set to **Public key / Private key**
  </Step>

  <Step title="Generate Keys">
    1. Click **PUBLIC KEYS > Add**
    2. In the dialog, click **Generate new key**
    3. Click the **PEM** button under **Private key**
    4. Note down the **Private key** securely
    5. Click **Save**
  </Step>

  <Step title="Disable DPoP">
    Uncheck **General Settings > Proof of possession > Require Demonstrating Proof of Possession (DPoP) header in token requests**
  </Step>
</Steps>

### Step 2: Configure API Scopes

Navigate to the **Okta API Scopes** tab and grant the scopes you need:

<AccordionGroup>
  <Accordion title="Recommended Scopes" icon="list-check">
    * `okta.groups.read` - List groups and group members
    * `okta.users.manage` - Force password reset, expire sessions, enable/disable users
    * `okta.users.read` - List and read users (not required if `okta.users.manage` is granted)
    * `okta.roles.read` - Read individual users
    * `okta.logs.read` - Access audit logs
  </Accordion>
</AccordionGroup>

### Step 3: Assign Admin Roles

<Steps>
  <Step title="Navigate to Admin Roles">
    Go to the **Admin roles** tab
  </Step>

  <Step title="Edit Assignments">
    Click **Admin assignments granted to this app > Edit assignments**
  </Step>

  <Step title="Assign Roles">
    Assign the appropriate admin roles based on your needs:
  </Step>
</Steps>

<AccordionGroup>
  <Accordion title="Audit Log Access" icon="file-lines">
    Assign **Read-only Admin** or another standard role with **View System Log (system events)** permission.

    See [Okta's admin role comparison](https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm) for details.

    <Note>
      Custom admin roles cannot be assigned the **View System Log** permission. See [Okta's support article](https://support.okta.com/help/s/article/Can-custom-Admin-roles-view-system-logs?language=en_US) for more information.
    </Note>
  </Accordion>

  <Accordion title="User Management" icon="users">
    * **List users**: Role with **User > View users and their details** permission
    * **Read individual users**: Role with **Identity and Access Management > View roles, resources, and admin assignments** permission (requires [custom admin role](https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm))
  </Accordion>

  <Accordion title="Group Management" icon="users-rectangle">
    **List groups**: Role with **Group > View groups and their details** permission
  </Accordion>

  <Accordion title="Custom Roles & Resource Sets" icon="gear">
    For custom admin roles, consider [creating a resource set](https://help.okta.com/en-us/content/topics/security/custom-admin-role/create-resource-set.htm) for the role assignment.
  </Accordion>
</AccordionGroup>

Click **Save Changes** when complete.

### Step 4: Configure in RAD Security

Enter the following integration parameters in RAD Security:

| Parameter         | Description                                             |
| ----------------- | ------------------------------------------------------- |
| **Client ID**     | The Client ID from Step 1                               |
| **Client Secret** | The Private Key (PEM format) from Step 1                |
| **Base URL**      | Your Okta Domain (e.g., `https://your-domain.okta.com`) |
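
With **Public key / Private key** client authentication, whoever holds the PEM private key proves the app's identity to Okta's token endpoint with a signed JWT, and with DPoP disabled no proof-of-possession header accompanies the request. The script below is an added example (not RAD Security's or Okta's own code) that builds that assertion with `openssl` and requests a token for scopes granted in Step 2, which lets you check the Client ID, key and scopes independently of the integration. Assumptions: the generated key is RSA (signed as RS256), and the `OKTA_*` variable names and the key file path are placeholders.

```shell
#!/usr/bin/env bash
# Added example: private_key_jwt client assertion for an Okta service app.
# Assumes an RSA key (RS256); OKTA_* names and paths are placeholders.

# base64url without padding, as JWS requires
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_client_assertion <client_id> <base_url> <private_key.pem>
make_client_assertion() (
  base_url=${2%/}            # tolerate a trailing slash in the Base URL
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  # iss and sub are both the Client ID; aud is the org token endpoint.
  # A short exp and a random jti limit the value of a captured assertion.
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s/oauth2/v1/token","iat":%d,"exp":%d,"jti":"%s"}' \
    "$1" "$1" "$base_url" "$now" "$((now + 300))" "$(openssl rand -hex 16)" | b64url)
  sig=$(printf '%s' "$header.$claims" |
    openssl dgst -sha256 -sign "$3" -binary 2>/dev/null | b64url)
  # An unreadable or invalid key file yields an empty signature.
  [ -n "$sig" ] && printf '%s.%s.%s\n' "$header" "$claims" "$sig"
)

# request_token <client_id> <base_url> <private_key.pem> "<space-separated scopes>"
request_token() (
  assertion=$(make_client_assertion "$1" "$2" "$3") || exit 1
  # No DPoP header is sent, matching the "Disable DPoP" step.
  curl -sS -X POST "${2%/}/oauth2/v1/token" \
    -H 'Accept: application/json' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "scope=$4" \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode "client_assertion=$assertion"
)

# Runs only when the placeholder variables are set by the operator.
if [ -n "${OKTA_CLIENT_ID:-}" ] && [ -n "${OKTA_BASE_URL:-}" ]; then
  request_token "$OKTA_CLIENT_ID" "$OKTA_BASE_URL" \
    "${OKTA_KEY_FILE:-./okta-service-app.pem}" 'okta.users.read okta.logs.read'
fi
```

Keep the PEM file readable only by the account running the check, since the key alone is enough to obtain tokens for every scope and admin role assigned to the app.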

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Integrations** in your RAD Security workspace
2. Locate your Okta integration
3. Check that the connection status shows as **Active**
4. Test authentication by signing in with an Okta user

<Check>
  Your Okta integration is now configured! Users can authenticate through Okta, and RAD Security can sync identity data based on your configured permissions.
</Check>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Connection Failed" icon="triangle-exclamation">
    * Verify your Client ID and Client Secret are correct
    * Ensure the Base URL includes the full domain (e.g., `https://your-domain.okta.com`)
    * Check that the integration is authorized in Okta
  </Accordion>

  <Accordion title="Insufficient Permissions" icon="shield-exclamation">
    * Review the API scopes granted in Okta
    * Verify admin roles are properly assigned
    * For App Integrations, ensure DPoP is disabled
  </Accordion>

  <Accordion title="Audit Logs Not Available" icon="file-excel">
    * Confirm you've assigned the **Read-only Admin** role or equivalent
    * Verify the `okta.logs.read` scope is granted
    * Note that custom admin roles cannot be assigned the **View System Log** permission, so use a standard role for system log access
  </Accordion>
</AccordionGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="Identity & Access Overview" icon="key" href="/rad-security/integrations/identity-and-access">
    Learn about other identity integration options
  </Card>

  <Card title="User Management" icon="users" href="/rad-security/platform/workspace">
    Configure RBAC and manage users in your workspace
  </Card>
</CardGroup>
