# Okta Identity Management

The Okta Identity Management connector enables seamless integration with Okta's services, providing a suite of actions for user and application management.

Okta Identity Management is a comprehensive identity and access management service that enables secure user authentication and lifecycle management. This connector allows Swimlane Turbine users to automate user and application lifecycle processes, streamline group management, and enhance security operations with Okta's robust API capabilities. By integrating with Okta, security teams can efficiently manage identities, enforce security policies, and respond to incidents with precision, all within the Swimlane Turbine platform.

## Prerequisites

To utilize the Okta Identity Management connector with Swimlane Turbine, ensure you have the following prerequisites:

- API key authentication with the necessary parameters:
  - URL: the endpoint URL for the Okta API.
  - API key: a valid API key to authenticate requests to Okta.

## Capabilities

The Okta connector has the following capabilities:

- Activate user
- Deactivate user
- Suspend user
- Unsuspend user
- Unlock user
- Force user password reset
- Clear user session
- Get users: list all, filter, get by ID, search
- Get events: list all, filter by keyword, filter by query string
- Get applications: list all or filter
- Get application by ID
- Activate application by ID
- Deactivate application by ID
- Delete application by ID
- List groups
- And so on

## Notes

- Information for event actions, including filter expressions, event types and correlations, can be found at https://developer.okta.com/docs/reference/api/system-log/#request-parameters
- Information for user actions, including search examples, filter examples and name queries, can be found at https://developer.okta.com/docs/reference/api/users/#get-user-with-login-shortname
- Information for group actions, including filtering expressions, can be found at https://developer.okta.com/docs/reference/api/groups/#group-rule-operations
- The complete documentation for the API is found at https://developer.okta.com/docs/reference/

## Configurations

### Okta API key authentication

Authenticates using an API key.

#### Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | Required |
| apikey | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Activate user by ID

Activates an Okta user account with the provided `userid` path parameter.

Endpoint URL: `/api/v1/users/{{userid}}/lifecycle/activate`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.userid | string | Required | ID of an existing Okta user |
| parameters.sendemail | boolean | Optional | Sends an activation email to the user if true |

#### Input example

```json
{"path_parameters": {"userid": "string"}, "parameters": {"sendemail": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.activationtoken | string | Output field json.activationtoken |
| json.activationurl | string | URL endpoint for the request |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {"activationtoken": "xe6we17zmphl3kqapfxo", "activationurl": "https://{youroktadomain}/welcome/xe6we17zmphl3kqapfxo"}}
```

### Add user to group

Adds a specified user to a designated group in Okta Identity Management by utilizing the provided `groupid` and `userid`.

Endpoint URL: `/api/v1/groups/{{groupid}}/users/{{userid}}`

Method: PUT

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.groupid | string | Required | Group ID |
| path_parameters.userid | string | Required | User ID |

#### Input example

```json
{"path_parameters": {"groupid": "string", "userid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Output example

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {}}
```

### Activate application by ID

Activates an inactive application within Okta Identity Management using a specified application ID.

Endpoint URL: `/api/v1/apps/{{appid}}/lifecycle/activate`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.appid | string | Required | Application ID |

#### Input example

```json
{"path_parameters": {"appid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Output example

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

### Deactivate application by ID

Deactivates an active application in Okta Identity Management by using the provided application ID.

Endpoint URL: `/api/v1/apps/{{appid}}/lifecycle/deactivate`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.appid | string | Required | Application ID |

#### Input example

```json
{"path_parameters": {"appid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Output example

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

### Delete application by ID

Removes an inactive application from Okta Identity Management using the specified application ID.

Endpoint URL: `/api/v1/apps/{{appid}}`

Method: DELETE

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.appid | string | Required | Application ID |

#### Input example

```json
{"path_parameters": {"appid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Output example

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

### Get applications

Retrieves a paginated list of all applications in Okta Identity Management, with optional query-based filtering.

Endpoint URL: `/api/v1/apps`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.q | string | Optional | Searches for apps with name or label properties that starts with the q value using the startswith operation |
| parameters.after | string | Optional | Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the next link relationship |
| parameters.useoptimization | boolean | Optional | Specifies whether to use query optimization. If you specify `useoptimization=true` in the request query, the response contains a subset of app instance properties |
| parameters.limit | number | Optional | It should be integer <= 200. Specifies the number of results per page |
| parameters.filter | string | Optional | Filters apps by status, user.id, group.id, credentials.signing.kid or name expression that supports the eq operator. Filter for active apps: `filter=status eq "active"`. Filter for apps with okta_org2org name: `filter=name eq "okta_org2org"`. Filter for apps using a specific key: `filter=credentials.signing.kid eq "simccqny3uwxow3y0vf6vxibb5n9pf8l2fk8d f1bm4"` |
| parameters.expand | string | Optional | An optional parameter used for link expansion to embed more resources in the response. Only supports `expand=user/{userid}` and must be used with the `user.id eq "{userid}"` filter query for the same user. Returns the assigned application user in the `_embedded` property |
| parameters.includenondeleted | boolean | Optional | Specifies whether to include non-active, but not deleted apps in the results |

#### Input example

```json
{"parameters": {"q": "okta", "after": "16278919418571", "useoptimization": false, "limit": 1, "filter": "credentials.signing.kid eq simccqny3uwxow3y0vf6vxibb5n9pf8l2fk8d f1bm4", "expand": "user/0oa1gjh63g214q0hq0g4", "includenondeleted": false}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.X-Request-Id | string | HTTP headers for the request |
| headers.X-Runtime | string | HTTP headers for the request |
| headers.X-Powered-By | string | HTTP headers for the request |
| headers.X-Frame-Options | string | HTTP headers for the request |
| headers.X-XSS-Protection | string | HTTP headers for the request |
| headers.X-Content-Type-Options | string | HTTP headers for the request |
| headers.X-Download-Options | string | HTTP headers for the request |
| headers.X-Permitted-Cross-Domain-Policies | string | HTTP headers for the request |
| headers.Referrer-Policy | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Content-Security-Policy | string | HTTP headers for the request |
| response | array | Output field response |
| response.id | string | Unique identifier |
| response.name | string | Name of the resource |
| response.label | string | Output field response.label |
| response.status | string | Status value |
| response.lastupdated | string | Output field response.lastupdated |

#### Output example

```json
{"status_code": 200, "reason": "OK", "headers": {"Content-Type": "application/json; charset=utf-8", "Content-Length": "0", "Connection": "close", "Date": "Tue, 10 Mar 2020 15:00:00 GMT", "Server": "nginx", "X-Request-Id": "a1b2c3d4e5f6g7h8i9j0", "X-Runtime": "0.000000", "X-Powered-By": "phusion passenger 5.3.7", "X-Frame-Options": "sameorigin", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "X-Download-Options": "noopen", "X-Permitted-Cross-Domain-Policies": "none", "Referrer-Policy": "strict-origin
```

### Get application by ID

Retrieve details for a specific application in Okta Identity Management using the unique application ID.

Endpoint URL: `/api/v1/apps/{{appid}}`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.appid | string | Required | Application ID |
| parameters.expand | string | Optional | An optional query parameter to return the specified application user in the `_embedded` property. Valid value: `expand=user/{userid}` |

#### Input example

```json
{"path_parameters": {"appid": "string"}, "parameters": {"expand": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| headers.Content-Type | string | HTTP headers for the request |
| headers.Content-Length | string | HTTP headers for the request |
| headers.Connection | string | HTTP headers for the request |
| headers.Date | string | HTTP headers for the request |
| headers.Server | string | HTTP headers for the request |
| headers.X-Request-Id | string | HTTP headers for the request |
| headers.X-Runtime | string | HTTP headers for the request |
| headers.X-Powered-By | string | HTTP headers for the request |
| headers.X-Frame-Options | string | HTTP headers for the request |
| headers.X-XSS-Protection | string | HTTP headers for the request |
| headers.X-Content-Type-Options | string | HTTP headers for the request |
| headers.X-Download-Options | string | HTTP headers for the request |
| headers.X-Permitted-Cross-Domain-Policies | string | HTTP headers for the request |
| headers.Referrer-Policy | string | HTTP headers for the request |
| headers.Strict-Transport-Security | string | HTTP headers for the request |
| headers.X-Content-Security-Policy | string | HTTP headers for the request |
| response | object | Output field response |
| response.id | string | Unique identifier |
| response.name | string | Name of the resource |
| response.label | string | Output field response.label |
| response.status | string | Status value |
| response.lastupdated | string | Output field response.lastupdated |

#### Output example

```json
{"status_code": 200, "reason": "OK", "headers": {"Content-Type": "application/json; charset=utf-8", "Content-Length": "0", "Connection": "close", "Date": "Tue, 10 Mar 2020 15:00:00 GMT", "Server": "nginx", "X-Request-Id": "a1b2c3d4e5f6g7h8i9j0", "X-Runtime": "0.000000", "X-Powered-By": "phusion passenger 5.3.7", "X-Frame-Options": "sameorigin", "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff", "X-Download-Options": "noopen", "X-Permitted-Cross-Domain-Policies": "none", "Referrer-Policy": "strict-origin
```

### Clear user session

Ends a specific user's session in Okta Identity Management, targeting only the specified session without impacting other app sessions.

Endpoint URL: `/api/v1/users/{{userid}}/sessions`

Method: DELETE

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.userid | string | Required | User ID |
| parameters.oauthtokens | boolean | Optional | Revoke issued OpenID Connect and OAuth refresh and access tokens |

#### Input example

```json
{"path_parameters": {"userid": "string"}, "parameters": {"oauthtokens": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Output example

```json
{"status_code": 204, "reason": "OK", "headers": null, "response": {}}
```

### Deactivate user by ID

Deactivates a specified Okta user account using the `userid` path parameter.

Endpoint URL: `/api/v1/users/{{userid}}/lifecycle/deactivate`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.userid | string | Required | User ID |
| parameters.sendemail | boolean | Optional | Sends a deactivation email to the admin if true |
| headers | object | Optional | Headers |
| headers.Prefer | string | Optional | Request asynchronous processing |

#### Input example

```json
{"path_parameters": {"userid": "string"}, "parameters": {"sendemail": true}, "headers": {"Prefer": "respond-async"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Output example

```json
{"status_code": 200, "reason": "OK", "headers": null, "response": {}}
```

### Force password reset

Initiates a forced password reset for a specified user in Okta Identity Management, with an option to send a notification email.

Endpoint URL: `/api/v1/users/{{userid}}/lifecycle/reset_password`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.userid | string | Required | User ID |
| parameters.sendemail | boolean | Required | When this is true, sends the reset link directly to the user's email; otherwise, the URL will be returned here |
| parameters.revokesessions | boolean | Optional | Revokes all user sessions, except for the current session, if set to true |

#### Input example

```json
{"path_parameters": {"userid": "string"}, "parameters": {"sendemail": true, "revokesessions": true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.summary | string | Output field json.summary |
| json.resetpasswordurl | string | URL endpoint for the request |

#### Output example

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {"summary": "reset password without sending email", "resetpasswordurl": "https://{youroktadomain}/reset_password/xe6we17zmphl3kqapfxo"}}
```

### Generic task

Executes a customizable task within Okta Identity Management, providing full control over the request parameters.

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| endpoint | string | Optional | Path to the endpoint after the URL in the asset. Use double brackets with path parameters for dynamic URLs |
| method | string | Optional | Method of the request, such as POST, GET, PUT, PATCH, DELETE (note, others are available to use) |
| data_body | object | Optional | Body to send as data; this allows you to set the content type in the headers manually |
| headers | object | Optional | Request headers to send with the individual request |

#### Input example

```json
{"endpoint": "api/v3/users"}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | The HTTP response status code |
| data | object | The JSON response body |
| response_text | string | Output field response_text |
| reason | string | The HTTP reason. Oftentimes an error message can be here. OK means success |

#### Output example

```json
{"response_text": "string"}
```

### Get events

Retrieves a comprehensive list of system log events from Okta Identity Management for effective monitoring or analysis.

Endpoint URL: `/api/v1/logs`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.since | string | Optional | Filters the lower time bound of the log events published property for bounded queries or persistence time for polling queries |
| parameters.until | string | Optional | Filters the upper time bound of the log events published property for bounded queries or persistence time for polling queries |
| parameters.after | string | Optional | Retrieves the next page of results. Okta returns a link in the HTTP header (rel=next) that includes the after query parameter |
| parameters.filter | string | Optional | Filter expression that filters the results. All operators except [ ] are supported |
| parameters.q | string | Optional | Filters log events results by one or more case-insensitive keywords. URL-encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding) |
| parameters.limit | number | Optional | Sets the number of results that are returned in the response. Integer between 0 and 1000 |
| parameters.sortorder | string | Optional | The order of the returned events that are sorted by the published property |

#### Input example

```json
{"parameters": {"since": "7 days prior to until", "until": "current time", "after": " ", "filter": " ", "q": " ", "limit": 100, "sortorder": "ascending"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.actor | object | Output field json.actor |
| json.actor.id | string | Unique identifier |
| json.actor.type | string | Type of the resource |
| json.actor.alternateid | string | Unique identifier |
| json.actor.displayname | string | Name of the resource |
| json.actor.detailentry | object | Output field json.actor.detailentry |
| json.client | object | Output field json.client |
| json.client.useragent | object | Output field json.client.useragent |
| json.client.useragent.rawuseragent | string | Output field json.client.useragent.rawuseragent |
| json.client.useragent.os | string | Output field json.client.useragent.os |
| json.client.useragent.browser | string | Output field json.client.useragent.browser |
| json.client.zone | object | Output field json.client.zone |
| json.client.device | string | Output field json.client.device |
| json.client.id | object | Unique identifier |
| json.client.ipaddress | string | Output field json.client.ipaddress |
| json.client.geographicalcontext | object | Output field json.client.geographicalcontext |
| json.client.geographicalcontext.city | string | Output field json.client.geographicalcontext.city |
| json.client.geographicalcontext.state | string | Output field json.client.geographicalcontext.state |
| json.client.geographicalcontext.country | string | Output field json.client.geographicalcontext.country |
| json.client.geographicalcontext.postalcode | number | Output field json.client.geographicalcontext.postalcode |
| json.client.geographicalcontext.geolocation | object | Output field json.client.geographicalcontext.geolocation |
| json.client.geographicalcontext.geolocation.lat | number | Output field json.client.geographicalcontext.geolocation.lat |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {"actor": {"id": "00uttidj01jql21am1d6", "type": "user", "alternateid": "john.doe@example.com", "displayname": "john doe", "detailentry": null}, "client": {"useragent": {}, "zone": null, "device": "computer", "id": null, "ipaddress": "10.0.0.1", "geographicalcontext": {}}, "device": {"id": "guofdhyjex1feogbn1d9", "name": "mac15,6", "os_platform": "osx", "os_version": "14.6
```

### Get groups

Retrieves a comprehensive list of user groups from Okta Identity Management without the need for additional parameters.

Endpoint URL: `/api/v1/groups`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.q | string | Optional | Finds a group that matches the name property. Paging and searching are currently mutually exclusive. You can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results |
| parameters.filter | string | Optional | All filters must be URL encoded. For example, `filter=lastupdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastupdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Examples: filter group with a specific ID: `filter=id eq "00g1emakyztwryyrrtsk"`. Filter groups that are of the type okta_group: `filter=type eq "okta_group"`. Filter groups that are of the type okta_group with profile updated after 11/11/2015: `filter=type eq "okta_group" and lastupdated gt "2016-11-11T00:00:00.000Z"`. Filter groups that are of the type okta_group with profile or memberships updated before 11/11/2015: `filter=type eq "okta_group" and (lastupdated lt "2015-11-11T00:00:00.000Z" or lastmembershipupdated lt "2015-11-11T00:00:00.000Z")` |
| parameters.after | string | Optional | Specifies the pagination cursor for the next page of groups. The after cursor should be treated as an opaque value and obtained through the next link relation |
| parameters.limit | number | Optional | Specifies the number of group results in a page. Don't write code that depends on the default or maximum value, as it might change. If you receive an HTTP 500 status code, you likely exceeded the request timeout. Retry your request with a smaller limit and page the results. The Okta default Everyone group isn't returned for users with a group admin role. Note: we strongly encourage using a limit that's less than or equal to 200. Any number greater than 200 affects performance and accuracy |
| parameters.expand | string | Optional | If specified, additional metadata is included in the response. Possible values are stats and app. This additional metadata is listed in the `_embedded` key of the response. Note: you can use the stats value to return the number of users within a group. This is listed as the `_embedded.stats.userscount` value in the response |
| parameters.search | string | Optional | Searches for groups with a supported filtering expression for all attributes except for `_embedded`, `_links`, and objectclass. Search currently performs a startswith match, but it should be considered an implementation detail and might change without notice in the future. This operation supports pagination. Using search requires URL encoding; for example, `search=type eq "okta_group"` is encoded as `search=type+eq+%22okta_group%22`. This operation searches many properties: any group profile property, including imported app group profile properties; the top-level properties id, created, lastmembershipupdated, lastupdated, and type; the source of groups with type of app_group, accessed as source.id. You can also use sortby and sortorder parameters |
| parameters.sortby | string | Optional | Specifies field to sort by (for search queries only). sortby can be any single property, for example `sortby=profile.name` |
| parameters.sortorder | string | Optional | Specifies sort order, asc or desc (for search queries only). This parameter is ignored if sortby is not present. Groups with the same value for the sortby property will be ordered by id |

#### Input example

```json
{"parameters": {"q": "west&limit=10", "filter": "lastupdated gt 2013-06-01T00:00:00.000Z", "after": " ", "limit": 200, "expand": " ", "search": "type eq app_group", "sortby": "lastupdated", "sortorder": "asc"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.id | string | Unique identifier |
| json.created | string | Output field json.created |
| json.lastupdated | string | Output field json.lastupdated |
| json.lastmembershipupdated | string | Output field json.lastmembershipupdated |
| json.objectclass | array | Output field json.objectclass |
| json.type | string | Type of the resource |
| json.profile | object | Output field json.profile |
| json.profile.name | string | Name of the resource |
| json.profile.description | string | Output field json.profile.description |
| json._links | object | Output field json._links |
| json._links.logo | array | Output field json._links.logo |
| json._links.logo.name | string | Name of the resource |
| json._links.logo.href | string | Output field json._links.logo.href |
| json._links.logo.type | string | Type of the resource |
| json._links.users | object | Output field json._links.users |
| json._links.users.href | string | Output field json._links.users.href |
| json._links.apps | object | Output field json._links.apps |
| json._links.apps.href | string | Output field json._links.apps.href |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {"id": "00g1emakyztwryyrrtsk", "created": "2015-02-06T10:11:28.000Z", "lastupdated": "2015-10-05T19:16:43.000Z", "lastmembershipupdated": "2015-11-28T19:15:32.000Z", "objectclass": ["okta:user_group"], "type": "okta_group", "profile": {"name": "west coast users", "description": "all users west of the rockies"}, "_links": {"logo": [], "users": {}, "apps": {}}}}
```

### Get users

Retrieves a comprehensive list of user accounts from Okta Identity Management for account management and analysis.

Endpoint URL: `/api/v1/users`

Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.q | string | Optional | Finds users who match the specified query. This doesn't support pagination. This might not deliver optimal performance for large orgs, and is deprecated for such use cases. To ensure optimal performance, use a search parameter instead. Use the q parameter for a simple lookup of users by name, for example when creating a people picker. The value of q is matched against firstname, lastname, or email. This performs a startswith match, but this is an implementation detail and can change without notice. You don't need to specify firstname, lastname, or email |
| parameters.filter | string | Optional | Filters users with a supported expression for a subset of properties. This requires URL encoding. For example, `filter=lastupdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastupdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for attribute names and query values, while attribute operators are case-insensitive. Filtering supports the following limited number of properties: status, lastupdated, id, profile.login, profile.email, profile.firstname, and profile.lastname. Additionally, filtering supports only the equal (eq) operator from the standard Okta API filtering semantics, except in the case of the lastupdated property. This property can also use the inequality operators (gt, ge, lt, and le). For logical operators, only the logical operators and and or are supported. The not operator isn't supported. See Filtering and Operators for more information |
| parameters.after | string | Optional | Specifies the pagination cursor for the next page of groups. The after cursor should be treated as an opaque value and obtained through the next link relation |
| parameters.limit | number | Optional | Specifies the number of results returned. Defaults to 10 if q is provided |
| parameters.expand | string | Optional | An optional parameter to include metadata in the `_embedded` attribute. Valid value: classification |
| parameters.search | string | Optional | Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. This operation supports pagination. Use an ID lookup for records that you update to ensure your results contain the latest data. Property names in the search parameter are case-sensitive, whereas operators (eq, sw, and so on) and string values are case-insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for isaac brock finds isaac brock, but doesn't find a property whose value is isáàc bröck. This operation requires URL encoding. For example, `search=profile.department eq "engineering"` is encoded as `search=profile.department%20eq%20%22engineering%22` |
| parameters.sortby | string | Optional | Specifies field to sort by (for search queries only). This can be any single property, for example `sortby=profile.lastname`. Users with the same value for the sortby property will be ordered by id |
| parameters.sortorder | string | Optional | Specifies sort order, asc or desc (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case-sensitive. sortorder is ignored if sortby is not present |
| headers | object | Optional | HTTP headers for the request |
| headers.Content-Type | string | Optional | Specifies the media type of the resource. Optional okta-response value can be included for performance optimization. Complex delauth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. Enum values for okta-response: omitcredentials omits the credentials subobject from the response; omitcredentialslinks omits the following HAL links from the response: change password, change recovery question, forgot password, reset password, reset factors, unlock; omittransitioningtostatus omits the transitioningtostatus field from the response |

#### Input example

```json
{"parameters": {"q": "west&limit=10", "filter": "lastupdated gt 2013-06-01T00:00:00.000Z", "after": " ", "limit": 200, "expand": " ", "search": "type eq app_group", "sortby": "lastupdated", "sortorder": "asc"}, "headers": {"Content-Type": "omitcredentials"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.id | string | Unique identifier |
| json.status | string | Status value |
| json.created | string | Output field json.created |
| json.activated | object | Output field json.activated |
| json.statuschanged | object | Status value |
| json.lastlogin | string | Output field json.lastlogin |
| json.lastupdated | string | Output field json.lastupdated |
| json.passwordchanged | string | Output field json.passwordchanged |
| json.type | object | Type of the resource |
| json.type.id | string | Unique identifier |
| json.profile | object | Output field json.profile |
| json.profile.firstname | string | Name of the resource |
| json.profile.lastname | string | Name of the resource |
| json.profile.mobilephone | object | Output field json.profile.mobilephone |
| json.profile.secondemail | object | Output field json.profile.secondemail |
| json.profile.login | string | Output field json.profile.login |
| json.profile.email | string | Output field json.profile.email |
| json.realmid | string | Unique identifier |
| json.credentials | object | Output field json.credentials |
| json.credentials.password | object | Output field json.credentials.password |
| json.credentials.provider | object | Unique identifier |
| json.credentials.provider.type | string | Unique identifier |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {"id": "00u118oqyt4tbguay0g4", "status": "active", "created": "2022-04-04T15:56:05.000Z", "activated": null, "statuschanged": null, "lastlogin": "2022-05-04T19:50:52.000Z", "lastupdated": "2022-05-05T18:15:44.000Z", "passwordchanged": "2022-04-04T16:00:22.000Z", "type": {"id": "oty1162qar8hjjtaq0g4"}, "profile": {"firstname": "alice", "lastname": "smith", "mobilepho
```

### Remove user to group

Removes a user from a specified group in Okta Identity Management using the unique `groupid` and `userid`.

Endpoint URL: `/api/v1/groups/{{groupid}}/users/{{userid}}`

Method: DELETE

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.groupid | string | Required | Group ID |
| path_parameters.userid | string | Required | ID of an existing Okta user |

#### Input example

```json
{"path_parameters": {"groupid": "string", "userid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {}}
```

### Suspend user by ID

Suspends an Okta user account using the specified `userid`, essential for rapidly disabling access when necessary.

Endpoint URL: `/api/v1/users/{{userid}}/lifecycle/suspend`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.userid | string | Required | ID of an existing Okta user |

#### Input example

```json
{"path_parameters": {"userid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {}}
```

### Unlock user by ID

Unlocks an Okta user account with locked_out status or permits sign-in from unknown devices for active users, requiring the `userid`.

Endpoint URL: `/api/v1/users/{{userid}}/lifecycle/unlock`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.userid | string | Required | ID of an existing Okta user |

#### Input example

```json
{"path_parameters": {"userid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {}}
```

### Unsuspend user by ID

Reactivates a suspended user in Okta Identity Management, setting their status to active using the user's unique identifier (`userid`).

Endpoint URL: `/api/v1/users/{{userid}}/lifecycle/unsuspend`

Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.userid | string | Required | ID of an existing Okta user |

#### Input example

```json
{"path_parameters": {"userid": "string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Output example

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Wed, 8 Jan 2025 20:37:23 GMT"}, "reason": "OK", "json": {}}
```

## Response headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 8 Jan 2025 20:37:23 GMT |