Okta
Overview
Before logs can be pulled from your Okta account, an API token with the appropriate permissions must be created and supplied during integration setup. This requires creating a dedicated "service account" user and granting it rights to read the logs. This document describes the Okta recommended best practice for least-privilege event log collection.
Prerequisites
A service account dedicated to event log retrieval will be created. An email address that is unique within the Okta administration console is required. This email address does not need to receive email to complete the process below; however, it may be helpful to use one that maps to a shared mailbox or is forwarded to an actual administrator. See the following section for details and recommendations.
Create an Okta User
An Okta user account must be created that will be used only for extracting the event log information.
- First sign in to the Okta administration console using a user with either the Super Administrator or Organizational Administrator role.
- From the menu, select "Directory", "People". Choose "Add Person".
- First name - ActiveEye
- Last name - Security Monitor
- Username - an email address, must be unique within your Okta account and dedicated to security event log collection
- Primary email - same as Username
- Secondary email - optional; could be an Okta administrator's email
- Group - leave blank
- Password - Set by Admin (now). For a service account, having the admin set a temporary or permanent password is usually easier
- Unchecking the "must change password on first login" box lets you set the password without going through the change-password dialog. Recommended only for service accounts
Remember the password you set. You will need it in a later step.
- Click "Save".
Assign Okta User to Role
The service account user must now be assigned a read-only administrative role to be able to pull the event logs. For more information on the capabilities of this role, refer to the following Okta knowledge base article:
Administrator Role Permissions
- With the Okta service account user created, select "Security", "Administrators" from the menu.
- Click the "Add Administrator" button. Start typing "ActiveEye" and select the service account user created previously.
- Check the "Read Only Administrator" box and click "Add Administrator".
Retrieve API Token
The final step will be to create an API token for the service account and copy this token for reference.
- Sign out of the Okta administration console
- Sign in to the Okta administration console using the service account username and password from the previous steps
- You will need to set a challenge question and answer on first sign-in
- Select "Security", "API" from the menu
- Click on the "Tokens" tab
- Click the "Create Token" button
- Name the token. A suggested name would be ActiveEye with a date. An example token name: ActiveEye 20180714
- You should see a message that the token has been created successfully. Copy the token and save it for future reference
- Click "Ok, got it"
- Sign out from the administration console
Determine domain name
The domain name to be used in the Service Connector setup is the organization's sign-in page, not the administration console page. For example, activeeye.okta.com would be used instead of activeeye-admin.okta.com. Removing the '-admin' portion from the administration console hostname gives the correct domain name to use.
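As an added illustration of how the token and domain name from the steps above are used (example code, not part of ActiveEye's or Okta's own documentation), the following script derives the sign-in domain from the admin-console host, builds an Okta System Log request that sends the API token in the SSWS authorization header, and follows the Link-header pagination Okta returns. The token value, host names and Link headers used in the comments and tests are constructed placeholders.

```python
# Added example (not ActiveEye's or Okta's code): derive the org domain from the
# admin-console host, call the Okta System Log with the API token sent as
# 'SSWS <token>' (a Read Only Admin token suffices), and follow pagination.
import json
import re
import urllib.parse
import urllib.request


def org_domain_from_admin_host(admin_host: str) -> str:
    """'activeeye-admin.okta.com' -> 'activeeye.okta.com' (bare host or full URL).
    Only the first label changes, so oktapreview.com / okta-emea.com tenants
    work too; a host without '-admin' is returned unchanged."""
    host = admin_host.strip()
    if "://" in host:
        host = urllib.parse.urlsplit(host).hostname or ""
    first, sep, rest = host.partition(".")
    if first.endswith("-admin"):
        first = first[: -len("-admin")]
    return first + sep + rest


def build_logs_request(org_domain: str, api_token: str, since_iso: str,
                       limit: int = 100) -> urllib.request.Request:
    """First-page request for events at or after since_iso (RFC 3339)."""
    query = urllib.parse.urlencode({"since": since_iso, "limit": limit, "sortOrder": "ASCENDING"})
    headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
    return urllib.request.Request(f"https://{org_domain}/api/v1/logs?{query}",
                                  headers=headers)


def next_page_url(link_headers: list) -> "str | None":
    """rel="next" URL from the response's Link headers, or None on the last page.
    Okta sends 'self' and 'next' as separate Link headers, so pass all of them."""
    for value in link_headers:
        for part in value.split(","):
            m = re.match(r'\s*<([^>]+)>\s*;\s*rel="next"', part)
            if m:
                return m.group(1)
    return None


def fetch_events(org_domain: str, api_token: str, since_iso: str) -> list:
    """Page through the System Log (makes network calls; not run offline)."""
    req = build_logs_request(org_domain, api_token, since_iso)
    events = []
    while req is not None:
        with urllib.request.urlopen(req) as resp:
            events.extend(json.load(resp))
            nxt = next_page_url(resp.headers.get_all("Link", []))
        req = urllib.request.Request(nxt, headers=req.headers) if nxt else None
    return events
```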
Provide Token Information
The API token and domain name should now be collected and available to complete the setup and start log collection. Provide these values to your service representative, or use them for self-service configuration by following the "Configuring a new Service Connector for log collection" guide.