Source: https://manu-tests-all-orgs.docs-staging.pageloop.ai/integrations/identity-access-management/okta

# Okta

# Okta

## Okta: Overview and capabilities

Integrate Atomicwork with Okta to streamline user authentication and access management, ensuring a secure and seamless login experience for your team. This integration enhances security protocols while simplifying access, allowing your team to focus on their work without worrying about credentials. This reduces the risk of unauthorized access by ensuring that only the right people have access to the right resources at all times.

Here are all the capabilities you can unlock with the Atomicwork - Okta integration:

- **[SSO access to Atomicwork](https://support.atomicwork.com/en/articles/12284147)**: Allow your employees and agents to login to Atomicwork with their Okta credentials.
- **Employee data sync:** All employee data from Okta will be synced with Atomicwork, enabling enabling the Assistant use these attributes to deliver personalized responses.
- **[Atom skill: Self-service password reset](https://support.atomicwork.com/en/articles/12284146)**: Enable your employees to reset their Okta passwords themselves without needing an administrator's intervention.
- **[Atom skill: Provision apps](https://support.atomicwork.com/en/articles/12284130)**: Your employees can request and obtain application access, without waiting for an administrator to intervene. The Assistant grants access by adding the employee to the right Okta group.
- **[Okta actions in journeys and workflows](https://support.atomicwork.com/en/articles/12284174)**: Automate actions in Okta, such as creating accounts, managing group memberships, and suspending or deactivating accounts, through workflows and journeys.

---

## Okta: Permissions and setup

### Permissions

To connect your Atomicwork and Okta accounts, you need:

1. **Atomicwork admin access:** You need to org admin access in Atomicwork.
2. **Okta admin access:** You need to have admin access in Okta that will allow you to create and manage your own API tokens. Only **super admins, org admins, and group admins** can create tokens.
   An **Okta API token carries the permissions of the user who creates it,** so it’s essential to have the necessary permissions for managing users and executing specific workflows within Atomicwork.
3. An Okta API token. [Follow the instructions here to create one](https://help.okta.com/en-us/content/topics/security/api.htm#create-okta-api-token).
4. To access the breadth of Okta-Atomicwork features, the admin creating the API token will need to have the following explicit permissions in Okta.

**User management permissions:** To manage users and execute user-related actions in workflows.

| **Permission**                     | **Purpose**                                                                                          |
| ---------------------------------- | ---------------------------------------------------------------------------------------------------- |
| **View users**                     | To sync user profiles and ensure workflows have access to the necessary user data.                   |
| **Create users**                   | To create new users automatically as part of workflows and journey actions.                          |
| **Delete users**                   | To remove users through workflows and journey actions.                                               |
| **Suspend users**                  | To temporarily suspend user accounts through workflows and journey actions.                          |
| **Deactivate users**               | To deactivate users through workflow and journey actions.                                            |
| **Activate users**                 | To reactivate users who need to regain access to your Okta applications.                             |
| **Edit users' profile attributes** | To update user attributes, ensuring the latest data is synced to Atomicwork and used in workflows.   |
| **Reset passwords**                | To support resetting passwords as part of skills.                                                    |
| **MFA resets**                     | To allow resetting multi-factor authentication as part of workflows.                                 |
| **Manage API tokens**              | To create an API token that will be shared with Atomicwork for setting up the integration with Okta. |
| **View API tokens**                | To view and access the API token shared with Atomicwork.                                             |

**Group management permissions:** To maintain access controls and assign users to the relevant groups.

| **Permission**              | **Purpose**                                                                                |
| --------------------------- | ------------------------------------------------------------------------------------------ |
| **View groups**             | To retrieve the list of groups and associated information for workflow actions and skills. |
| **Manage group membership** | To add or remove users from groups through workflows and journey actions.                  |
| **Create groups**           | To create groups through workflows and journey actions.                                    |

**Application management permissions:** To manage applications and assign user access based on group membership or direct assignments.

| **Permission**          | **Purpose**                                                                                                                                   |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| **Manage applications** | To view application details and client credentials, and to assign users to applications based on their group membership or direct assignment. |

**Identity and access management permissions:** To verify permissions during integration setup.

| **Permission**             | **Purpose**                                                                                          |
| -------------------------- | ---------------------------------------------------------------------------------------------------- |
| **View roles**             | To ensure workflows have visibility into user roles for proper access control and auditing.          |
| **View admin assignments** | To verify administrators who are responsible for specific roles, ensuring proper workflow execution. |

### Setup

[Video: vimeo 1127260181](https://vimeo.com/1127260181)

- Navigate to **Settings > App Store > Okta,** and click on **Connect.**
- Type in <https://your-Okta-URL> ([find out how to get your URL here](https://developer.okta.com/docs/guides/find-your-domain/main/)) and copy in your API token ([follow these instructions to create an API token](https://help.okta.com/en-us/content/topics/security/api.htm#create-okta-api-token)).
  The **Okta API token carries the permissions of the user who creates it** so please ensure you have all the permissions listed above before creating the token.
- Test connection.
- Click on **Connect**.

If an Okta action fails and you’re unsure if the problem is your connection, please check the token status first. Your token might have expired. Okta uses colors to show the token status.

#### Okta data sync

After an administrator connects an Okta account with Atomicwork, they have the option of enabling data sync so that Okta employee attributes are synced with Atomicwork.

This way, Atomicwork will be able to customize information access for employees based on their attributes

- Go to **Settings > App Store > Okta.**
- Click on **Enable**.
- Review the attribute map that Atomicwork generated for your account. If you want to map an Okta attribute to a different attribute, you can modify the mapping on this screen.

---

## Okta: Troubleshooting & errors

### Permission constraints

**Group management restrictions**: If a group contains **super admins**, a non-super admin user will not be able to add members to that group. This restriction ensures that only users with the highest level of access can modify groups containing super admins.

**Admin modification limitations**: A non-super admin user’s API token will not be permitted to modify any admin accounts with higher access levels. This includes actions such as adding these admins to a group, editing their properties, or any other modifications. This restriction is in place to maintain the security and integrity of high-level administrative roles.

### Reset password limitations

- The Reset password skill needs to be configured by the admin.
- The action works only for non-super admins.
- The action can be performed only for users who have **their Okta account status as Active or Password Expired** **AND have configured their self-service mechanism** in their Okta profile. If the user has been invited but has not yet joined the Okta account or their account status is anything other than Active/Password expired ([see the full list of Okta account statuses here](https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-end-user-states.htm)), they cannot reset their password.

---

## Okta: Employee data sync

When you integrate Atomicwork with Okta, you can also sync employee data into Atomicwork for use in workflows and other capabilities. Every 24 hours, Atomicwork syncs new users, suspended and deactivated users. Updates to users on Okta also sync every 24 hours.

Atomicwork does not delete users on the platform unless you set up inline hooks on Okta. You can also configure inline hooks if you want to sync users more frequently[.](https://developer.okta.com/docs/concepts/inline-hooks/?utm_source=google\&utm_campaign=apac_india_ind_all_ciam-all_dg-ao_a-ciam_search_google_pmax_site_ciam_utm2\&utm_medium=cpc\&utm_id=aNK4z000000UFGiGAO\&gad_source=1\&gclid=CjwKCAiAjeW6BhBAEiwAdKltMpHKOBx2sV7bNSrhlZ5ztYTkSQKwCbcIiKY8U0byDglYCUssOCNGwxoCB28QAvD_BwE)

When you configure inline hooks, you can set up events that need to be communicated to Atomicwork: this could include user updates, deactivations and suspensions. Whenever we receive an event about user suspensions or deactivations, those users are deleted on Atomicwork.

To sync Atomicwork with Okta, you need to [connect Okta and Atomicwork](https://support.atomicwork.com/en/articles/12289327).
​

### Sync employee attributes from Okta

- Navigate to **Settings > App Store** and click on **Settings** in the **Okta** card\*\*.\*\*
- Click on **Enable** next to **Sync employee data.**
- You can map Okta attributes to Atomicwork attributes.
  - If the **Manage Applications permission** is provided during setup, Atomicwork will automatically fetch all available fields from Okta (including custom attributes) and display them for easy mapping.
    ![Mapping Okta attributes to Atomicwork attributes.png](assets/12284100-okta-employee-data-sync-1-mapping-okta-attributes-to-atomicwork-attributes.png)
  - If this permission isn’t granted, you'll need to manually enter **the variable name from Okta** and select the corresponding Atomicwork attribute to map each custom field you want to sync.
    - To find the variable names for your Okta attributes, navigate to **your** **Okta dashboard > Directory > Profile Editor > Default Profile**.
    - Copy the **variable name** for the attribute you want to sync and paste it into the **Enter reference key** text box.
      ![Manually sync Okta attributes to Atomicwork.png](assets/12284100-okta-employee-data-sync-2-manually-sync-okta-attributes-to-atomicwork.png)
- Click on **Enable.** New users and updates to users will sync every 24 hours.
- To edit the attribute mapping, click on **Manage attributes** in the Okta settings page.
  ![Okta - Manage attributes.png](assets/12284100-okta-employee-data-sync-3-okta-manage-attributes.png)

### Configure Okta inline hooks

- Log into the **Atomicwork portal.** Navigate to **Settings > My Account > Public API Token**
- Create a new token and copy it into a safe place
- Go to **Okta admin console > Workflow nav item > Event hooks.** Click on **Create Event Hook**
- Here's the format for your webhook URL: [https://{youraccount}.](https://anish.atomicwork.com/api/v1/users/webhook/OKTA/receive)[atomicwork.com/api/v1/users/webhook/OKTA/receive.](http://atomicwork.com/api/v1/users/webhook/OKTA/receive) Give it a recognizable name to make it easy for your team to understand which event hooks are for what purpose.
- Enter _X-Api-Key_ as the **Authentication Field** under **Credentials**. Enter the Public API Token you created in step 1 as the **Authentication Secret**.
- Choose the user events you want to track. When we receive these events - "User deleted", "User suspended", "User deactivated", the user would be deleted on Atomicwork.
- Skip the filter application and preview steps.
- Click **Verify**. Once verified, Atomicwork will start listening to events from Okta and update user profiles accordingly.

---

## Okta: Single sign-on (SSO)

Make it easy for your end-users and agents to access Atomicwork by implementing Okta Single Sign-On (SSO). This allows users to sign in using their existing Okta credentials—either by going to your Atomicwork portal or by launching Atomicwork directly from their Okta dashboard.

You can choose how your users should access the platform:

- **Start from Atomicwork:** Users go to yourcompany.atomicwork.com and are redirected to Okta to sign in.
- **Start from Okta:** Users click the Atomicwork app in their Okta dashboard and are signed in automatically.

#### **Step 1: Setup an Okta application**

- Go to Applications > Create an App integration in your Okta admin portal
- Choose "SAML 2.0" as your sign-in method
  ​
  ![image](assets/12284147-okta-single-sign-on-sso-4-12284147-okta-single-sign-on-sso-image-4.png)
- Enter an app name ("Atomicwork" should do). The logo is optional, so feel free to skip uploading the Atomicwork logo and select "Do not display application icon to users"

#### Step 2: Configure SAML settings

- Switch to your Atomicwork account to fetch SAML settings. Go to Settings > Security > Okta SSO to find "Single sign-on URL" and "Audience URI" links. Copy these links into your Okta app settings.
  ​
  ​
  ![image](assets/12284147-okta-single-sign-on-sso-5-12284147-okta-single-sign-on-sso-image-5.png)
- Switch back to Okta admin portal. Leave the "Default RelayState" as blank.
- Choose "Email address" for "NameID format"
- Choose "Email" as "Application user name" and "Update application username on" setting as "Create and update".
- In the "Attribute Statements" section, please add
  - firstName
  - lastName
  - login
  - id

![image](assets/12284147-okta-single-sign-on-sso-6-12284147-okta-single-sign-on-sso-image-6.png)

- Click "Save" and mark this as an "internal app" in the "Feedback" section
  ​
  ![image](assets/12284147-okta-single-sign-on-sso-7-12284147-okta-single-sign-on-sso-image-7.png)
- Click "Finish" and copy the metadata URL. Paste it into the SAML metadata URL field in your Atomicwork account. Click "Connect".

---

## Okta: Using actions in journeys and workflows

When you integrate Atomicwork with identity access platforms like Okta, Azure AD, and Google Workspace, you can perform automated actions like creating a user, adding a user to a group, suspending a user, and deactivating a user.

When configuring an onboarding or offboarding journey (or even a team change journey), you can use these automated actions to automatically perform these operations instead of having to note it down on your to-do list and manually log into these platforms to perform these operations every single time.

To add Okta actions to a journey or a workflow, you must [connect Atomicwork to Okta](https://support.atomicwork.com/en/articles/12289327).

Anything defined in the Okta API can be accessed through Atomicwork.

### Add Okta actions to workflows

A workflow is triggered by an event in a request. Workflow trigger events can be service request, request, incident events (such as "incident is created" or "a reply is sent in an incident"), System events, or System or any person events. Okta actions are one type of many actions available to an IT admin to configure.

- Go to Settings > Workspace > Workflows. Create a workflow or click the workflow to which you want to add actions
- Click "Perform action" > "Okta actions".

### Add Okta actions to journeys

Journeys can be triggered by an agent, scheduled for a certain day or triggered by certain API events like BambooHR profile creation.

- Go to Settings > Journey templates. Click on the journey to which you want to add an action or create a new one from scratch.
- Choose the Stage > Okta actions.

### List of Okta actions

- [Create a user account](#create)
- [Add a user to a group](#add-to-group)
- [Remove a user from a group](#remove)
- [Suspend a user account](#suspend)
- [Deactivate a user account](#deactivate)

#### Create an Okta user

Tip: This action is most useful in onboarding workflows and journeys.

1. Enter an employee’s first name, last name, email, password, and phone number. We'd recommend you use dynamic placeholders from the request or service (in the case of a service request). For example, if it’s <firstname.lastname@yourcompany.com>, you could add [######{{employee.first\_name}}.######{{employee.last\_name}}@yourcompany.com](mailto:%23%23%23%23%23%23.#####{{employee.last_name}}@yourcompany.com) in the email field.
2. Password strength. While you will ask that new employees reset their password when they first log in (We’d strongly recommend it), it’s still crucial to follow information security best practices, even if it’s for temporary passwords. Use dynamic placeholders to create a unique, strong password for new employees.
3. In journeys, Okta actions are automated actions that do not need to be manually executed by an HR or IT manager. So, you only need to specify when you want the action to be executed. Your two options are the day the employee moves to the stage or a day relative to the day an employee moves to this stage.
4. In journeys, you also need to name the Okta action in a way that is easy to understand so your teammates know why you’ve set it up. Okta actions will be visible to journey collaborators but not to employees who have been assigned this journey.
5. Click “Add/Done” to add the action to your journey or workflow.

#### Add an Okta user to a group

Tip: This action is most useful in onboarding journeys and can only be executed for existing Okta users. So, please make sure to create a new employee as an Okta user first before adding this action.

1. Choose which Okta user needs to be added to a group
2. Choose the Okta group you want to add a new user to. You can’t create an Okta group from Atomicwork, so please make sure to create the group on the Okta console before you set up this action.
3. In journeys, Okta actions are automated actions that do not need to be manually executed by an HR or IT manager. So, you only need to specify when you want the action to be executed. Your two options are the day the employee moves to the stage or a day relative to the day an employee moves to this stage.
4. In journeys, you also need to name the Okta action in a way that is easy to understand so your teammates know why you’ve set it up. Okta actions will be visible to journey collaborators but not to employees who have been assigned this journey.
5. Click “Add/Done” to add the action to your journey or workflow.

#### Suspend an Okta user

Tip: Suspending people in your organization is useful if you have temporary and contract workers or when your employees are on leaves of absence. You may also want to suspend a user who has permanently left your organization so that you can review their group and app assignments before deactivating them. Suspended users' app and group memberships are maintained and are reinstated when the user is unsuspended.

1. To set up the action, choose the Okta user whose account needs to be suspended.
2. In journeys, you need to specify when you want the action to be executed. Your two options are the day the employee moves to the stage or a day relative to the day an employee moves to this stage.
3. In journeys, name the Okta action in a way that is easy to understand so your teammates know why you’ve set it up. Okta actions will be visible to journey collaborators but not to employees who have been assigned this journey. Okta actions are automated actions that can be executed by Atomicwork directly.
4. Click “Add/Done” to add the action to your journey or workflow.

#### Deactivate an Okta account

Tip: Deactivated users will not have access to any apps and may need to be reassigned apps when reactivated. However, deactivated users will not be removed from groups until they are deleted. Users can be deleted only on the Okta app and not Atomicwork.

1. To set up the action, choose the Okta user whose account needs to be deactivated.
2. In journeys, please specify when you want the action to be executed. You don’t have to specify an assignee because Okta actions are all automated actions. You can choose to execute it on the day an employee moves to a stage or a day relative to this date
3. In journeys, name the Okta action in a way that is easy to understand so your teammates know why you’ve set it up. Okta actions will be visible to journey collaborators in the configuration view but not to employees who have been assigned this journey.
4. Click “Add/Done” to add the action to your journey.

#### Remove a user from a group

1. To set up the action, choose the Okta user account and the group from which they need to be removed.
2. Click "Done" to add the action to your workflow.
   ​
   ​

---
