Secure Internet and SaaS Access (ZIA)
Integrating with Okta
You can connect your Okta organization to Zscaler 3rd-Party App Governance to gain continuous visibility and governance for third-party apps installed in the Okta environment.
Okta integration consists of the following steps:
- Creating a dedicated read-only service account for 3rd-Party App Governance integration.
- Getting the Okta API Token and Okta Domain.
- Connecting Okta to 3rd-Party App Governance.
Prerequisites
- A user with Okta Admin privileges
- An Okta API token for an administrative account in your Okta organization
Zscaler recommends creating a dedicated service account for integration and assigning the minimum required privileges.
Creating a Dedicated Read-Only Service Account for 3rd-Party App Governance Integration
To create a dedicated read-only service account:
- Sign in to your Okta organization as a user with administrator privileges.
- In the Okta Admin console, go to Directory > People, and then click Add person.
- In the Add Person window, enter the information for the 3rd-Party App Governance service account, set the password, and then click Save.
- In the Okta Admin console, go to Security > Administrators, and then click Add administrator.
- Select the 3rd-Party App Governance service account, set the role to Super Administrator, and click Save.
- Sign out and sign in to your Okta Admin console with the newly created 3rd-Party App Governance service account.
Getting the Okta API Token and Okta Domain
To get your Okta API Token and Okta domain:
- Sign in to the Okta Admin console.
Zscaler recommends that you sign in with the dedicated service account that you created for 3rd-Party App Governance integration.
- Create an API token in Okta.
- Note the API token you created. You will need it in the following steps.
For security reasons, you cannot view the API token in plain text. You must store the API token securely.
- From your Okta organization URL (e.g., yourdomain.okta.com), copy and save only the "yourdomain" portion as your Okta domain. Do not copy the entire Okta Admin console URL; if you are copying from the Admin console URL (yourdomain-admin.okta.com), remove "-admin" to get the domain.
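The domain step above is easy to get wrong when an admin pastes the Admin console host or a full URL instead of the bare organization name. The following helper is an added example (not Zscaler or Okta code) that normalizes any of those forms to the "yourdomain" value the Connect form expects; the list of Okta cell suffixes and the `okta_api_base` helper are assumptions based on public Okta hostnames, not something this page specifies.

```python
"""Normalize an Okta organization identifier to the bare "yourdomain" value.

Added example, not Zscaler or Okta code. Accepts the forms an admin is likely
to paste: a bare domain ("yourdomain"), a host ("yourdomain.okta.com"), the
Admin console host ("yourdomain-admin.okta.com"), or a full URL with a path.
"""
from urllib.parse import urlparse

# Public Okta cell suffixes (assumption: extend this if your org uses another cell).
OKTA_SUFFIXES = (".okta.com", ".oktapreview.com", ".okta-emea.com")


def _strip_admin(org: str) -> str:
    """The Admin console host is "<org>-admin"; the API and integration domain is "<org>"."""
    if org.endswith("-admin"):
        org = org[: -len("-admin")]
    if not org:
        raise ValueError("empty Okta organization name")
    return org


def okta_domain(value: str) -> str:
    """Return the bare Okta domain ("yourdomain") from any accepted input form.

    Raises ValueError for an empty value, a non-Okta host (for example a custom
    login domain), or a host with extra labels.
    """
    raw = value.strip().lower()
    if not raw:
        raise ValueError("empty Okta domain")

    # Full URL: keep only the host. urlparse needs the scheme to find the host.
    if "://" in raw:
        host = urlparse(raw).hostname or ""
    else:
        host = raw.split("/", 1)[0]
    host = host.split(":", 1)[0]  # drop an explicit port, if any

    # Bare "yourdomain" (no dots): only a stray "-admin" needs removing.
    if "." not in host:
        return _strip_admin(host)

    for suffix in OKTA_SUFFIXES:
        if host.endswith(suffix):
            org = host[: -len(suffix)]
            if not org or "." in org:
                raise ValueError(f"unexpected Okta host: {value!r}")
            return _strip_admin(org)
    raise ValueError(f"not an Okta host: {value!r}")


def okta_api_base(value: str, suffix: str = ".okta.com") -> str:
    """Base URL of the Okta REST API for the org (assumption: endpoints live under /api/v1)."""
    return f"https://{okta_domain(value)}{suffix}/api/v1"


if __name__ == "__main__":
    for sample in (
        "yourdomain",
        "yourdomain.okta.com",
        "yourdomain-admin.okta.com",
        "https://yourdomain-admin.okta.com/admin/dashboard",
    ):
        print(f"{sample!r:55} -> {okta_domain(sample)!r}")
```

A custom login domain (for example login.example.com) intentionally raises ValueError rather than guessing, because the integration needs the underlying Okta organization name, which a vanity hostname does not reveal.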
Connecting Okta to 3rd-Party App Governance
To connect Okta to 3rd-Party App Governance:
- Click the Connect icon in the left-side navigation.
The Integrations window appears.
- In the Integrations window, click Add next to Okta.
- Enter the Okta domain and Okta API token.
- Click Connect.
After the connection is established, pulling and ingesting all relevant application data might take a while, depending on the size of your tenant. During this time, a message is displayed that the domain is still being processed. After integration is completed, a success message appears, and the number of domains is updated. You then receive an email from Zscaler when the domain is ready for further review. To learn more about the integration statuses of a domain, see Status.
Viewing and Managing Okta Integration
You can click Okta in the Integrations window to expand and view the list of added domains along with information such as Token, First connected, Last Synced, and Status.
- Domain: The name of the Okta domain you specified while adding the integration.
- Token: The token generated for the domain.
- First connected: The date and time the domain was added, and the person who added the domain.
- Last Synced: The date and time the domain was last synced with 3rd-Party App Governance. If the domain has yet to sync, N/A is displayed. If a sync is taking unusually long, the last sync time is highlighted in red.
When there are multiple domains, 3rd-Party App Governance displays the last sync with the longest duration to indicate an issue, so you can expand the list, view the affected domain, and take the relevant actions.
- Status: The integration status of the domain. One of the following statuses is displayed:
- Error: The connection could not be established. The error message displays the reason for the failure. Contact Zscaler Support if you require further assistance.
- In progress: The connection is established and 3rd-Party App Governance is ingesting the relevant data. Pulling and ingesting all relevant application data might take a while, depending on the size of your tenant. During this time, a message is displayed that the domain is still being processed. You then receive an email from Zscaler when the domain is ready for further review.
- Success: The integration is completed successfully and the last sync time is updated.
Updating the Okta Token
You can update an Okta token that is currently in use. To update the Okta token:
- Click Okta in the Integrations window to expand and view the list of added domains.
- Click the Edit icon next to the token for the relevant domain.
- Update the token and click the check mark to save the changes.
A confirmation window appears.
- Click Confirm if you want to override the connection.
The connection is updated.
Deleting an Okta Connection
You can delete an Okta connection to 3rd-Party App Governance. To delete an Okta connection:
- Click Okta in the Integrations window to expand and view the list of added domains.
- Click the Delete icon next to the relevant domain.
A confirmation window appears.
- Click Confirm to continue.
The connection is successfully deleted.
APIs and Data Collected
The following table lists the APIs used and the data collected after integration.
| Which APIs do we use? | What data do we collect? |
| --- | --- |
| /users | List of users and their profile attributes, such as name, email, status, and time of last login |
| /users/…/roles | User role assignments (e.g., admin, super admin, user, etc.) |
| /groups | List of user groups configured in the tenant (e.g., "All employees", "Accounting", etc.) |
| /groups/…/users | The list of users associated with each of the above groups |
| /groups/…/apps | The list of apps associated with each of the above groups (e.g., "Salesforce" for the "Sales" group) |
| /apps | List of apps available in the tenant along with their metadata |
| /apps/…/users | List of users associated with each application |
| /apps/…/grants | For some types of applications, a list of permission scopes granted to the application |
| /api-tokens | List of API tokens that have been generated in the tenant, along with their metadata, such as token name, the user who generated it, and its creation and expiration dates |
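The /api-tokens data in the last row is also the data an administrator needs to notice that the integration's own token is about to expire, which is when the "Updating the Okta Token" procedure above applies. The following is an added example (not Zscaler or Okta code) that reviews such data for expired and soon-to-expire tokens. The payload is constructed to mirror the fields the table says are collected (token name, the user who generated it, creation and expiration dates); the field names `name`, `userId`, `created` and `expiresAt`, the token name "3rd-Party App Governance", and the review time are assumptions, not values from this page.

```python
"""Review Okta /api-tokens data for expired and expiring tokens.

Added example, not Zscaler or Okta code. The sample payload and the field
names are constructed assumptions about the shape of the Okta response.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of GET /api-tokens (assumed field names).
SAMPLE_API_TOKENS = [
    {"id": "tok1", "name": "3rd-Party App Governance", "userId": "svc-3pag",
     "created": "2024-01-10T09:00:00.000Z", "expiresAt": "2024-02-09T09:00:00.000Z"},
    {"id": "tok2", "name": "ci-pipeline", "userId": "u-ci",
     "created": "2023-06-01T12:00:00.000Z", "expiresAt": "2023-07-01T12:00:00.000Z"},
    {"id": "tok3", "name": "terraform", "userId": "u-ops",
     "created": "2024-01-01T00:00:00.000Z", "expiresAt": "2024-06-01T00:00:00.000Z"},
]

# Constructed reference time for the review (assumption, fixed so results are reproducible).
REVIEW_TIME = datetime(2024, 2, 1, tzinfo=timezone.utc)


def parse_okta_time(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with milliseconds and a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def token_review(tokens, now, grace_days=14):
    """Classify every token as expired, expiring (within grace_days) or ok.

    Returns (name, userId, status) tuples ordered by expiry, soonest first, so
    the tokens that need rotation appear at the top of the report.
    """
    grace = timedelta(days=grace_days)
    rows = []
    for tok in tokens:
        expires = parse_okta_time(tok["expiresAt"])
        if expires <= now:
            status = "expired"
        elif expires - now <= grace:
            status = "expiring"
        else:
            status = "ok"
        rows.append((tok["name"], tok["userId"], status, expires))
    rows.sort(key=lambda row: row[3])
    return [(name, user, status) for name, user, status, _ in rows]


def integration_token_status(tokens, now, name="3rd-Party App Governance", grace_days=14):
    """Status of the token the integration uses, or "missing" if no token has that name."""
    for token_name, _, status in token_review(tokens, now, grace_days):
        if token_name == name:
            return status
    return "missing"


if __name__ == "__main__":
    for name, user, status in token_review(SAMPLE_API_TOKENS, REVIEW_TIME):
        print(f"{status:9} {name:28} created by {user}")
    print("integration token:", integration_token_status(SAMPLE_API_TOKENS, REVIEW_TIME))
```

An "expiring" result for the integration's token is the cue to generate a new token with the dedicated service account and apply it through "Updating the Okta Token" before the sync fails; an "expired" status on any other token is a candidate for cleanup in Okta, since tokens that are no longer used still appear in this list.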