Integrating with Okta

You can connect your Okta organization to Zscaler 3rd-Party App Governance to gain continuous visibility and governance for third-party apps installed in the Okta environment.

Okta integration consists of the following steps:

Prerequisites

  • A user with Okta Admin privileges
  • An Okta API token for an administrative account in your Okta organization

Zscaler recommends creating a dedicated service account for integration and assigning the minimum required privileges.

Creating a Dedicated Read-Only Service Account for 3rd-Party App Governance Integration

To create a dedicated read-only service account:

  1. Sign in to your Okta organization as a user with administrator privileges.
  2. In the Okta Admin console, go to Directory > People, and then click Add person.
  3. In the Add Person window, enter the information for the 3rd-Party App Governance service account, set the password, and then click Save.
  4. In the Okta Admin console, go to Security > Administrators, and then click Add administrator.
  5. Select the 3rd-Party App Governance service account, set the role to Super Administrator, and click Save.
  6. Sign out and sign in to your Okta Admin console with the newly created 3rd-Party App Governance service account.

Getting the Okta API Token and Okta Domain

To get your Okta API Token and Okta domain:

  1. Sign in to the Okta Admin console.

Zscaler recommends that you sign in with the dedicated service account that you created for 3rd-Party App Governance integration.

  2. Create an API token in Okta.
  3. Note the API token you created. You will need it in the following steps.

For security reasons, you cannot view the API key in plain text. You must store the API key securely.

  4. From your Okta organization URL (e.g., yourdomain.okta.com), copy and save your Okta domain ("yourdomain"). Do not copy the entire Okta Admin console URL; if you start from the Admin console URL, remove "-admin" from it.

Connecting Okta to 3rd-Party App Governance

To connect Okta to 3rd-Party App Governance:

  1. Click the Connect icon in the left-side navigation.

The Integrations window appears.

  2. In the Integrations window, click Add next to Okta.

  3. Enter the Okta domain and Okta API token.

  4. Click Connect.

After connection is achieved, it might take a while to pull and ingest all relevant application data depending on the size of your tenant. During this time, a message is displayed that the domain is still being processed. After integration is completed, a success message appears, and the number of domains is updated. You then receive an email from Zscaler when the domain is ready for further review. To learn more about the integration statuses of a domain, see Status.

Viewing and Managing Okta Integration

You can click Okta in the Integrations window to expand and view the list of added domains along with information such as Token, First connected, Last Synced, and Status.

  • Domain: The name of the Okta domain you specified while adding the integration.
  • Token: The token generated for the domain.
  • First connected: The date and time the domain was added, and the person who added the domain.
  • Last Synced: The date and time the domain was last synced with 3rd-Party App Governance. If the domain has yet to sync, N/A is displayed. If the duration of the sync is excessive, the last sync time is highlighted in red.

When there are multiple domains, 3rd-Party App Governance displays the last sync with the most excessive time duration to indicate an issue so you can expand, view the domain, and take the relevant actions.

  • Status: The integration status of the domain. One of the following statuses is displayed:
    • Error: Failure to achieve a connection. The error message displays the reason for the failure. Contact Zscaler Support if you require further assistance.
    • In progress: Connection is achieved and 3rd-Party App Governance is ingesting the relevant data. It might take a while to pull and ingest all relevant application data depending on the size of your tenant. During this time, a message is displayed that the domain is still being processed. You then receive an email from Zscaler when the domain is ready for further review.
    • Success: The integration is completed successfully and the last sync time is updated.

Updating the Okta Token

You can update an Okta token that is currently in use. To update the Okta token:

  1. Click Okta in the Integrations window to expand and view the list of added domains.
  2. Click the Edit icon next to the token for the relevant domain.
  3. Update the token and click the check mark to save the changes.

A confirmation window appears.

  4. Click Confirm if you want to override the connection.

The connection is updated.

Deleting an Okta Connection

You can delete an Okta connection to 3rd-Party App Governance. To delete an Okta connection:

  1. Click Okta in the Integrations window to expand and view the list of added domains.
  2. Click the Delete icon next to the relevant domain.

A confirmation window appears.

  3. Click Confirm to continue.

The connection is successfully deleted.

APIs and Data Collected

The following table lists the APIs used and the data collected after integration.

| Which APIs do we use? | What data do we collect? |
| --- | --- |
| /users | List of users and their profile attributes, such as name, email, status, and time of last login |
| /users/…/roles | User role assignments (e.g., admin, super admin, user, etc.) |
| /groups | List of user groups which are configured in the tenant (e.g., “All employees”, “Accounting”, etc.) |
| /groups/…/users | The list of users associated with each of the above groups |
| /groups/…/apps | The list of apps associated with each of the above groups (e.g., “Salesforce” for the “Sales” group) |
| /apps | List of apps available in the tenant along with their metadata |
| /apps/…/users | List of users associated with each application |
| /apps/…/grants | For some types of applications, a list of permission scopes granted to the application |
| /api-tokens | List of API tokens that have been generated in the tenant, along with their metadata, such as token name, the user who generated it, and its creation and expiration dates |
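
Before entering the domain and token in the Integrations window, you can confirm that the token can read the top-level endpoints listed above. The following is an added example, not Zscaler or Okta code. The function names are hypothetical, and the `/api/v1` prefix, the `SSWS` authorization scheme, and the `.okta.com` host suffix are assumptions based on Okta's public API conventions rather than on this page.

```python
"""Added example: pre-flight check for an Okta API token before connecting it."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Top-level collection endpoints from the table above. The "/api/v1" prefix and
# the "SSWS" scheme are assumptions taken from Okta's public API conventions.
ENDPOINTS = ["/users", "/groups", "/apps", "/api-tokens"]


def okta_domain(url_or_host):
    """Return the bare domain label ("yourdomain") from an org or Admin console URL."""
    text = url_or_host.strip()
    host = urlparse(text if "://" in text else "https://" + text).hostname or ""
    label = host.split(".")[0].lower()
    if label.endswith("-admin"):          # Admin console host: yourdomain-admin
        label = label[: -len("-admin")]
    if not label:
        raise ValueError("no host name in %r" % url_or_host)
    return label


def http_status(url, token):
    """Issue one GET request and return the HTTP status code (network call)."""
    req = urllib.request.Request(url, headers={
        "Authorization": "SSWS " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def preflight(url_or_host, token, fetch=http_status):
    """Map each endpoint to 'ok', 'bad token' (401), 'forbidden' (403) or the raw code."""
    base = "https://%s.okta.com/api/v1" % okta_domain(url_or_host)
    verdicts = {200: "ok", 401: "bad token", 403: "forbidden"}
    report = {}
    for path in ENDPOINTS:
        code = fetch(base + path + "?limit=1", token)
        report[path] = verdicts.get(code, "http %d" % code)
    return report


if __name__ == "__main__":
    import getpass  # read the token without echoing it to the terminal
    print(json.dumps(preflight(input("Okta URL: "), getpass.getpass("Token: ")), indent=2))
```

A "forbidden" result on any endpoint means the account behind the token lacks the role needed for that collection, so the integration would ingest incomplete data.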