← All integrations
Live integration

Okta

Identity · OAuth 2.0 · Hourly

OAuth 2.0 + PKCE. Pulls active users (with MFA factor enrollment), password policies, and 30-day deprovisioning events for SOC 2 access-control evidence.

Authentication
OAuth 2.0
Sync cadence
Hourly
Stale threshold
Every 6 hours
Category
Identity

Evidence this connector produces

Every sync writes typed evidence rows linked to the controls below. Evidence is immutable once attached to an approved assessment, fingerprinted for de-dup, and surfaced in the control coverage calculation on your dashboard.

SOC 2 CC6.1CC6.2CC6.3

How to connect

Create an OAuth Web app in your Okta admin console with read scopes. We'll redirect you there to authorize after you submit.

  1. 1
    Create the OAuth app

    Okta admin → Applications → Create App Integration → 'OIDC - OpenID Connect' → 'Web Application'. Sign-in redirect URI: http://localhost:3000/api/integrations/okta/callback

  2. 2
    Grant the API scopes

    Under the new app's Okta API Scopes tab, grant: okta.users.read, okta.groups.read, okta.policies.read, okta.logs.read.

  3. 3
    Copy credentials

    From the General tab, copy the Client ID and Client Secret. Your Okta domain is shown in the upper-right of the admin console (e.g. acme.okta.com).

Security model

Every connector ships behind the same auditor-grade primitives — not just RBAC config, but architectural enforcement.

Credentials KMS-encrypted at rest

Tokens, client secrets, and service-account keys are encrypted under a per-tenant AWS KMS data key. The plaintext is never persisted, never logged, and never leaves the FastAPI process boundary.

Tenant-isolated by architecture

Every Connection, ConnectorRun, and emitted Evidence row carries an organization ObjectId. The scheduler never iterates without an org-scoped filter; cross-tenant evidence bleed is impossible at the data layer.

Audit log on every action

Connect, sync, sync-failure, re-auth, and revoke each write a row to the immutable AuditLog. The full lifecycle is reconstructable for any examiner.

Soft-delete on revoke

Revoking a connection sets deletedAt and clears the encrypted credential blob, but the historical evidence + sync log stays queryable for the retention window. Auditors can still trace what was attested when.

Stale-evidence degradation

If this connector hasn't synced in Every 6 hours, control coverage degrades automatically and an alert fires. Auditors don't trust stale evidence — neither do we.

Least-privilege scopes only

We request the minimum read-only scopes needed for the listed evidence. No write scopes, no admin scopes, no scopes outside the documented set.

Ready to connect Okta?

Connect from Settings → Integrations — typically under 5 minutes. Or talk to us first.

Request a demoSign in to connect