Okta Integration Requirements
Last updated: March 10, 2026
Background
This article provides background on the required roles and permissions for the Lumos Okta integration.
Required plan
There's no minimum plan or subscription required to connect the Okta integration. Super Administrator is recommended for full functionality; restricted-access configurations are described below. Read-Only is not supported for this integration.
(API Token) Required roles & permissions
If you choose to connect to Okta via an API token, note that an Okta API token inherits the permissions of the Okta user account that creates it. We recommend creating a dedicated Okta user account to connect the integration to Lumos, so that the integration's permissions aren't tied to a specific employee (and don't disappear when that employee's account is deactivated).
Using a Super Administrator role in Okta for the integration user gets you up and running in Lumos as quickly as possible. Keep in mind that the resulting token then carries Super Administrator privileges and should be protected accordingly.
Custom roles
If you want to limit scopes, you can create a custom Okta admin role for your integration.
However, it's worth noting that custom admin roles currently don't allow you to modify group memberships of Okta users who are super administrators. Any attempt to add or remove Super Administrators from Okta groups via Lumos will fail if you use a custom admin role. A Super Administrator role is also needed to list Admin roles in Okta. This is required if you want to view Okta admin roles in Lumos, which you might do during an Access Review. See 📄 Using Lumos for Access Reviews
To unlock the full functionality of Lumos, we need the following Okta roles:
Group Membership Administrator with the following options:
Can administer all groups: Manage users, their profiles, and their credentials
Note: You can specify individual groups after selecting this role, but will need to maintain the list.
Application Administrator with the following options:
Can administer all applications: View and manage user permissions in an application.
Note: You can specify individual apps after selecting this role, but will need to maintain the list.
Report Administrator
It is also possible to configure this with a custom role combined with one standard role. The custom role needs the following permissions to unlock as much Lumos functionality as possible:
User Permissions
Edit users' lifecycle states
View users and their details
Edit users’ application assignments
Edit users' group membership
Group Permissions
View groups and their details
Manage group membership
App Permissions
Manage applications
View applications and their details
Edit application's user assignments
The custom role must also be paired with Application Administrator, API Access Management Admin or Org Admin in order to fetch custom attributes.
(OAuth API Services) Required Roles and Permissions
The following scopes are requested by the OAuth integration; this variant is connected by selecting the API Services version of the integration in Lumos. The user completing the OAuth connection must hold a role whose permissions cover every requested scope, otherwise Okta will not let them grant it.
Some *.manage scopes can be replaced with the corresponding *.read scope if Lumos should only read that object type (noted in the table). With a read scope in place, Lumos cannot provision, deprovision or otherwise change those objects.
When listing these scopes to connect the integration app within Lumos, separate each scope with a space, not a comma.
More context on the scopes in Okta can be found here.
Scope | Context | Notes
--- | --- | ---
okta.users.manage | Allows the app to create new users and to manage all users' profile and credentials information. | Can be replaced with okta.users.read
okta.apps.manage | Allows the app to create and manage Apps in your Okta organization. | Required
okta.groups.manage | Allows the app to manage existing groups in your Okta organization. | Can be replaced with okta.groups.read
okta.roles.read | Allows the app to read administrative role assignments for users in your Okta organization. | Required
okta.logs.read | Allows the app to read information about System Log entries in your Okta organization. | Required
okta.schemas.read | Allows the app to read information about Schemas in your Okta organization. | Required
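As an added pre-flight check (example code written for this article, not Lumos or Okta code), the following Python evaluates an integration identity against the requirements above: first the role types from a response shaped like Okta's GET /api/v1/users/{userId}/roles, then a scope list as it would be typed into Lumos. The role type strings are Okta's standard role identifiers and the scope names are the Okta API scopes whose descriptions appear in the table; the response body and scope strings are constructed sample input, and the result labels (full, restricted-standard, restricted-custom, insufficient) are this example's own.

```python
"""Pre-flight check for the Okta identity Lumos will connect with.

Added example, not Lumos or Okta code. No network calls are made: the
role-assignment list below is constructed to mirror the shape of Okta's
GET /api/v1/users/{userId}/roles response (one object per assignment,
role type in the "type" field).
"""
import json

# Okta standard role type identifiers, as returned in each assignment's "type".
SUPER_ADMIN = "SUPER_ADMIN"
CUSTOM_ROLE = "CUSTOM"
STANDARD_ROLE_SET = {"GROUP_MEMBERSHIP_ADMIN", "APP_ADMIN", "REPORT_ADMIN"}
# Roles a custom role must be paired with in order to fetch custom attributes.
ATTRIBUTE_FETCH_ROLES = {"APP_ADMIN", "API_ACCESS_MANAGEMENT_ADMIN", "ORG_ADMIN"}

# Scopes requested by the OAuth / API Services connection, and the read scopes
# that may stand in for a *.manage scope when read-only access is acceptable.
REQUIRED_SCOPES = {
    "okta.users.manage", "okta.apps.manage", "okta.groups.manage",
    "okta.roles.read", "okta.logs.read", "okta.schemas.read",
}
READ_SUBSTITUTES = {"okta.users.manage": "okta.users.read",
                    "okta.groups.manage": "okta.groups.read"}

# Caveats that apply to every configuration without Super Administrator.
NON_SUPER_ADMIN_CAVEATS = [
    "cannot add or remove Super Administrators from groups via Lumos",
    "cannot list Okta admin roles (needed to review them in Lumos)",
]


def evaluate_roles(role_assignments):
    """Classify an integration user's active role assignments.

    Returns a dict with 'mode' (full, restricted-standard, restricted-custom
    or insufficient), 'missing_roles' (sorted list) and 'caveats' (list).
    """
    types = {a.get("type") for a in role_assignments
             if a.get("status", "ACTIVE") == "ACTIVE"}
    if SUPER_ADMIN in types:
        return {"mode": "full", "missing_roles": [], "caveats": []}
    caveats = list(NON_SUPER_ADMIN_CAVEATS)
    missing = sorted(STANDARD_ROLE_SET - types)
    if not missing:
        return {"mode": "restricted-standard", "missing_roles": [], "caveats": caveats}
    if CUSTOM_ROLE in types:
        if not types & ATTRIBUTE_FETCH_ROLES:
            caveats.append("custom role is not paired with Application Administrator, "
                           "API Access Management Admin or Org Admin: "
                           "custom attributes cannot be fetched")
        return {"mode": "restricted-custom", "missing_roles": [], "caveats": caveats}
    # Read-Only Administrator (or no admin role at all) ends up here: not supported.
    return {"mode": "insufficient", "missing_roles": missing, "caveats": caveats}


def check_scope_list(scope_string):
    """Validate a scope list as typed into Lumos (space-separated).

    Raises ValueError on comma separators; otherwise reports which required
    scopes are missing and which were satisfied by a read-only substitute.
    """
    if "," in scope_string:
        raise ValueError("separate scopes with spaces, not commas")
    granted = set(scope_string.split())
    missing, read_only = [], []
    for scope in sorted(REQUIRED_SCOPES):
        if scope in granted:
            continue
        substitute = READ_SUBSTITUTES.get(scope)
        if substitute and substitute in granted:
            read_only.append(scope)
        else:
            missing.append(scope)
    return {"missing": missing, "read_only_substituted": read_only}


# Constructed sample: a dedicated integration user holding the three standard roles.
SAMPLE_ROLE_RESPONSE = json.loads("""[
  {"id": "ra-example-1", "type": "GROUP_MEMBERSHIP_ADMIN", "status": "ACTIVE"},
  {"id": "ra-example-2", "type": "APP_ADMIN", "status": "ACTIVE"},
  {"id": "ra-example-3", "type": "REPORT_ADMIN", "status": "ACTIVE"}
]""")

# Constructed sample: the users scope downgraded to read-only.
SAMPLE_SCOPES = ("okta.users.read okta.apps.manage okta.groups.manage "
                 "okta.roles.read okta.logs.read okta.schemas.read")

if __name__ == "__main__":
    print(json.dumps(evaluate_roles(SAMPLE_ROLE_RESPONSE), indent=2))
    print(json.dumps(check_scope_list(SAMPLE_SCOPES), indent=2))
```

Inactive assignments are ignored, so a role that was assigned and later revoked does not count. Running the sample reports restricted-standard with the two caveats from this article, and the scope check reports no missing scopes with okta.users.manage satisfied by its read substitute.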
(API Services Integration) Required Scopes
The following scopes are requested via the API Services integration. The user completing the API Services connection must have the authorization (role + permissions) to grant the scopes being requested. In order to allow full syncing and provisioning capabilities, Super Administrator is required.
To connect without Super Administrator, the same roles apply as for the API token connection above: Group Membership Administrator (can administer all groups), Application Administrator (can administer all applications) and Report Administrator, or one standard role combined with a custom role carrying the user, group and app permissions listed there. A custom role must still be paired with Application Administrator, API Access Management Admin or Org Admin in order to fetch custom attributes.
More context on the scopes in Okta can be found here. Lumos automatically requests the scopes listed in the table above, with the same read-scope substitutions available; the user completing the connection must be able to grant all of them.