Okta Identity Management
The Okta Identity Management connector enables seamless integration with Okta's services, providing a suite of actions for user and application management. Okta Identity Management is a comprehensive identity and access management service that enables secure user authentication and lifecycle management. This connector allows Swimlane Turbine users to automate user and application lifecycle processes, streamline group management, and enhance security operations with Okta's robust API capabilities. By integrating with Okta, security teams can efficiently manage identities, enforce security policies, and respond to incidents with precision, all within the Swimlane Turbine platform.

## Prerequisites

To utilize the Okta Identity Management connector with Swimlane Turbine, ensure you have the following prerequisites:

- API key authentication with the necessary parameters:
  - URL: the endpoint URL for the Okta API
  - API key: a valid API key to authenticate requests to Okta

## Capabilities

The Okta connector has the following capabilities:

- Activate User
- Deactivate User
- Suspend User
- Unsuspend User
- Unlock User
- Force User Password Reset
- Clear User Session
- Get Users (list all, filter, get by ID, search)
- Get Events (list all, filter by keyword, filter by query string)
- Get Applications (list all or filter)
- Get Application by ID
- Activate Application by ID
- Deactivate Application by ID
- Delete Application by ID
- List Groups
- And so on

## Configurations

### Okta API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| apiKey | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Activate User by ID

Activates an Okta user account with the provided `userId` path parameter.

- Endpoint URL: `/api/v1/users/{{userId}}/lifecycle/activate`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| userId | string | required | ID of an existing Okta user |
| sendEmail | boolean | optional | Sends an activation email to the user if true |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.activationToken | string | Output field activationToken |
| json.activationUrl | string | URL endpoint for the request |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {
      "activationToken": "XE6wE17zmphl3KqAPFxO",
      "activationUrl": "https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO"
    }
  }
]
```

### Add User to Group

Adds a specified user to a designated group in Okta Identity Management by utilizing the provided `groupId` and `userId`.

- Endpoint URL: `/api/v1/groups/{{groupId}}/users/{{userId}}`
- Method: PUT

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| groupId | string | required | Group ID |
| userId | string | required | User ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Example

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {}
  }
]
```

### Activate Application by ID

Activates an inactive application within Okta Identity Management using a specified application ID.

- Endpoint URL: `/api/v1/apps/{{appId}}/lifecycle/activate`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| appId | string | required | Application ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Deactivate Application by ID

Deactivates an active application in Okta Identity Management by using the provided application ID.

- Endpoint URL: `/api/v1/apps/{{appId}}/lifecycle/deactivate`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| appId | string | required | Application ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Delete Application by ID

Removes an inactive application from Okta Identity Management using the specified application ID.

- Endpoint URL: `/api/v1/apps/{{appId}}`
- Method: DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| appId | string | required | Application ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Get Applications

Retrieves a paginated list of all applications in Okta Identity Management, with optional query-based filtering.

- Endpoint URL: `/api/v1/apps`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Searches for apps with `name` or `label` properties that start with the `q` value using the `startsWith` operation |
| after | string | optional | Specifies the pagination cursor for the next page of results. Treat this as an opaque value obtained through the `next` link relationship |
| useOptimization | boolean | optional | Specifies whether to use query optimization. If you specify `useOptimization=true` in the request query, the response contains a subset of app instance properties |
| limit | number | optional | Specifies the number of results per page. It should be an integer <= 200 |
| filter | string | optional | Filters apps by `status`, `user.id`, `group.id`, `credentials.signing.kid` or `name` expression that supports the `eq` operator. Filter for active apps: `filter=status eq "ACTIVE"`. Filter for apps with the Okta Org2Org name: `filter=name eq "okta_org2org"`. Filter for apps using a specific key: `filter=credentials.signing.kid eq "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-F1bm4"` |
| expand | string | optional | An optional parameter used for link expansion to embed more resources in the response. Only supports `expand=user/{userId}` and must be used with the `user.id eq "{userId}"` filter query for the same user. Returns the assigned Application User in the `_embedded` property |
| includeNonDeleted | boolean | optional | Specifies whether to include non-active, but not deleted, apps in the results |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| headers.Content-Type | string | Type of the resource |
| headers.Content-Length | string | Response content |
| headers.Connection | string | Output field Connection |
| headers.Date | string | Date value |
| headers.Server | string | Output field Server |
| headers.X-Request-Id | string | Unique identifier |
| headers.X-Runtime | string | Time value |
| headers.X-Powered-By | string | Output field X-Powered-By |
| headers.X-Frame-Options | string | Output field X-Frame-Options |
| headers.X-XSS-Protection | string | Output field X-XSS-Protection |
| headers.X-Content-Type-Options | string | Type of the resource |
| headers.X-Download-Options | string | Output field X-Download-Options |
| headers.X-Permitted-Cross-Domain-Policies | string | Output field X-Permitted-Cross-Domain-Policies |
| headers.Referrer-Policy | string | Output field Referrer-Policy |
| headers.Strict-Transport-Security | string | Output field Strict-Transport-Security |
| headers.X-Content-Security-Policy | string | Response content |
| response | array | Output field response |
| response.id | string | Unique identifier |
| response.name | string | Name of the resource |
| response.label | string | Output field label |
| response.status | string | Status value |
| response.lastUpdated | string | Output field lastUpdated |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "0",
      "Connection": "close",
      "Date": "Tue, 10 Mar 2020 15:00:00 GMT",
      "Server": "nginx",
      "X-Request-Id": "a1b2c3d4e5f6g7h8i9j0",
      "X-Runtime": "0.000000",
      "X-Powered-By": "Phusion Passenger 5.3.7",
      "X-Frame-Options": "SAMEORIGIN",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "X-Download-Options": "noopen",
      "X-Permitted-Cross-Domain-Policies": "none",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "response": [
      {},
      {}
    ]
  }
]
```

### Get Application by ID

Retrieves details for a specific application in Okta Identity Management using the unique application ID.

- Endpoint URL: `/api/v1/apps/{{appId}}`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| appId | string | required | Application ID |
| expand | string | optional | An optional query parameter to return the specified Application User in the `_embedded` property. Valid value: `expand=user/{userId}` |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| headers.Content-Type | string | Type of the resource |
| headers.Content-Length | string | Response content |
| headers.Connection | string | Output field Connection |
| headers.Date | string | Date value |
| headers.Server | string | Output field Server |
| headers.X-Request-Id | string | Unique identifier |
| headers.X-Runtime | string | Time value |
| headers.X-Powered-By | string | Output field X-Powered-By |
| headers.X-Frame-Options | string | Output field X-Frame-Options |
| headers.X-XSS-Protection | string | Output field X-XSS-Protection |
| headers.X-Content-Type-Options | string | Type of the resource |
| headers.X-Download-Options | string | Output field X-Download-Options |
| headers.X-Permitted-Cross-Domain-Policies | string | Output field X-Permitted-Cross-Domain-Policies |
| headers.Referrer-Policy | string | Output field Referrer-Policy |
| headers.Strict-Transport-Security | string | Output field Strict-Transport-Security |
| headers.X-Content-Security-Policy | string | Response content |
| response | object | Output field response |
| response.id | string | Unique identifier |
| response.name | string | Name of the resource |
| response.label | string | Output field label |
| response.status | string | Status value |
| response.lastUpdated | string | Output field lastUpdated |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": {
      "Content-Type": "application/json; charset=utf-8",
      "Content-Length": "0",
      "Connection": "close",
      "Date": "Tue, 10 Mar 2020 15:00:00 GMT",
      "Server": "nginx",
      "X-Request-Id": "a1b2c3d4e5f6g7h8i9j0",
      "X-Runtime": "0.000000",
      "X-Powered-By": "Phusion Passenger 5.3.7",
      "X-Frame-Options": "SAMEORIGIN",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "X-Download-Options": "noopen",
      "X-Permitted-Cross-Domain-Policies": "none",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
    "response": {
      "id": "0oa1gjh63g214q0Hq0g4",
      "name": "testorgone_customsaml20app_1",
      "label": "Custom SAML 2.0 App",
      "status": "ACTIVE",
      "lastUpdated": "2016-08-09T20:12:19.000Z",
      "created": "2016-08-09T20:12:19.000Z",
      "accessibility": {},
      "visibility": {},
      "features": [],
      "signOnMode": "SAML_2_0",
      "credentials": {},
      "settings": {},
      "_links": {}
    }
  }
]
```

### Clear User Session

Ends a specific user's session in Okta Identity Management, targeting only the specified session without impacting other app sessions.

- Endpoint URL: `/api/v1/users/{{userId}}/sessions`
- Method: DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| userId | string | required | User ID |
| oauthTokens | boolean | optional | Revoke issued OpenID Connect and OAuth refresh and access tokens |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Example

```json
[
  {
    "status_code": 204,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Deactivate User by ID

Deactivates a specified Okta user account using the `userId` path parameter.

- Endpoint URL: `/api/v1/users/{{userId}}/lifecycle/deactivate`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| userId | string | required | User ID |
| sendEmail | boolean | optional | Sends a deactivation email to the admin if true |
| headers | object | optional | Headers |
| headers.Prefer | string | optional | Request asynchronous processing |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| headers | object | HTTP headers for the request |
| response | object | Output field response |

#### Example

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "headers": null,
    "response": {}
  }
]
```

### Force Password Reset

Initiates a forced password reset for a specified user in Okta Identity Management, with an option to send a notification email.

- Endpoint URL: `/api/v1/users/{{userId}}/lifecycle/reset_password`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| userId | string | required | User ID |
| sendEmail | boolean | required | When this is true, sends the reset link directly to the user's email; otherwise, the URL is returned in the response |
| revokeSessions | boolean | optional | Revokes all user sessions, except for the current session, if set to true |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.summary | string | Output field summary |
| json.resetPasswordUrl | string | URL endpoint for the request |

#### Example

```json
[
  {
    "status_code": 204,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {
      "summary": "Reset password without sending email",
      "resetPasswordUrl": "https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO"
    }
  }
]
```

### Generic Task

Executes a customizable task within Okta Identity Management, providing full control over the request parameters.

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| endpoint | string | optional | Path to the endpoint after the URL in the asset. Use double brackets with path parameters for dynamic URLs |
| method | string | optional | Method of the request, such as POST, GET, PUT, PATCH, DELETE (note: others are available to use) |
| data_body | object | optional | Body to send as data. This allows you to set the Content-Type in the headers manually |
| headers | object | optional | Request headers to send with the individual request |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | The HTTP response status code |
| data | object | The JSON response body |
| response_text | string | Output field response_text |
| reason | string | The HTTP reason; often an error message can be found here. OK means success |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "response_text": "string"
  }
]
```

### Get Events

Retrieves a comprehensive list of System Log events from Okta Identity Management for effective monitoring or analysis.

- Endpoint URL: `/api/v1/logs`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| since | string | optional | Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries |
| until | string | optional | Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries |
| after | string | optional | Retrieves the next page of results. Okta returns a link in the HTTP header (`rel=next`) that includes the `after` query parameter |
| filter | string | optional | Filter expression that filters the results. All operators except `[ ]` are supported |
| q | string | optional | Filters log events results by one or more case-insensitive keywords. URL-encoded string. Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding) |
| limit | number | optional | Sets the number of results that are returned in the response. Integer between 0 and 1000 |
| sortOrder | string | optional | The order of the returned events that are sorted by the `published` property |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.actor | object | Output field actor |
| json.actor.id | string | Unique identifier |
| json.actor.type | string | Type of the resource |
| json.actor.alternateId | string | Unique identifier |
| json.actor.displayName | string | Name of the resource |
| json.actor.detailEntry | object | Output field detailEntry |
| json.client | object | Output field client |
| json.client.userAgent | object | Output field userAgent |
| json.client.userAgent.rawUserAgent | string | Output field rawUserAgent |
| json.client.userAgent.os | string | Output field os |
| json.client.userAgent.browser | string | Output field browser |
| json.client.zone | object | Output field zone |
| json.client.device | string | Output field device |
| json.client.id | object | Unique identifier |
| json.client.ipAddress | string | Output field ipAddress |
| json.client.geographicalContext | object | Output field geographicalContext |
| json.client.geographicalContext.city | string | Output field city |
| json.client.geographicalContext.state | string | Output field state |
| json.client.geographicalContext.country | string | Output field country |
| json.client.geographicalContext.postalCode | number | Output field postalCode |
| json.client.geographicalContext.geolocation | object | Output field geolocation |
| json.client.geographicalContext.geolocation.lat | number | Output field lat |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {
      "actor": {},
      "client": {},
      "device": {},
      "authenticationContext": {},
      "displayMessage": "User login to Okta",
      "eventType": "user.session.start",
      "outcome": {},
      "published": "2024-08-13T15:58:20.353Z",
      "securityContext": {},
      "severity": "INFO",
      "debugContext": {},
      "legacyEventType": "core.user_auth.login_success",
      "transaction": {},
      "uuid": "dc9fd3c0-598c-11ef-8478-2b7584bf8d5a",
      "version": 0
    }
  }
]
```

### Get Groups

Retrieves a comprehensive list of user groups from Okta Identity Management without the need for additional parameters.

- Endpoint URL: `/api/v1/groups`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Finds a group that matches the `name` property. Paging and searching are currently mutually exclusive: you can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results |
| filter | string | optional | All filters must be URL-encoded. For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Examples: filter a group with a specific ID: `filter=id eq "00g1emaKYZTWRYYRRTSK"`; filter groups of type OKTA_GROUP: `filter=type eq "OKTA_GROUP"`; filter groups of type OKTA_GROUP with profile updated after 11/11/2015: `filter=type eq "OKTA_GROUP" and lastUpdated gt "2016-11-11T00:00:00.000Z"`; filter groups of type OKTA_GROUP with profile or memberships updated before 11/11/2015: `filter=type eq "OKTA_GROUP" and (lastUpdated lt "2015-11-11T00:00:00.000Z" or lastMembershipUpdated lt "2015-11-11T00:00:00.000Z")` |
| after | string | optional | Specifies the pagination cursor for the next page of groups. The `after` cursor should be treated as an opaque value and obtained through the `next` link relation |
| limit | number | optional | Specifies the number of group results in a page. Don't write code that depends on the default or maximum value, as it might change. If you receive an HTTP 500 status code, you likely exceeded the request timeout; retry your request with a smaller limit and page the results. The Okta default Everyone group isn't returned for users with a Group Admin role. Note: we strongly encourage using a limit that's less than or equal to 200. Any number greater than 200 affects performance and accuracy |
| expand | string | optional | If specified, additional metadata is included in the response. Possible values are `stats` and `app`. This additional metadata is listed in the `_embedded` key of the response. Note: you can use the `stats` value to return the number of users within a group. This is listed as the `_embedded.stats.usersCount` value in the response |
| search | string | optional | Searches for groups with a supported filtering expression for all attributes except for `_embedded`, `_links`, and `objectClass`. Search currently performs a `startsWith` match, but this should be considered an implementation detail and might change without notice in the future. This operation supports pagination. Using search requires URL encoding; for example, `search=type eq "OKTA_GROUP"` is encoded as `search=type+eq+%22OKTA_GROUP%22`. This operation searches many properties: any group profile property, including imported app group profile properties; the top-level properties `id`, `created`, `lastMembershipUpdated`, `lastUpdated`, and `type`; and the source of groups with type `APP_GROUP`, accessed as `source.id`. You can also use the `sortBy` and `sortOrder` parameters |
| sortBy | string | optional | Specifies the field to sort by (for search queries only). `sortBy` can be any single property, for example `sortBy=profile.name` |
| sortOrder | string | optional | Specifies the sort order, `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` is not present. Groups with the same value for the `sortBy` property are ordered by `id` |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.id | string | Unique identifier |
| json.created | string | Output field created |
| json.lastUpdated | string | Output field lastUpdated |
| json.lastMembershipUpdated | string | Output field lastMembershipUpdated |
| json.objectClass | array | Output field objectClass |
| json.type | string | Type of the resource |
| json.profile | object | Output field profile |
| json.profile.name | string | Name of the resource |
| json.profile.description | string | Output field description |
| json._links | object | Output field _links |
| json._links.logo | array | Output field logo |
| json._links.logo.name | string | Name of the resource |
| json._links.logo.href | string | Output field href |
| json._links.logo.type | string | Type of the resource |
| json._links.users | object | Output field users |
| json._links.users.href | string | Output field href |
| json._links.apps | object | Output field apps |
| json._links.apps.href | string | Output field href |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {
      "id": "00g1emaKYZTWRYYRRTSK",
      "created": "2015-02-06T10:11:28.000Z",
      "lastUpdated": "2015-10-05T19:16:43.000Z",
      "lastMembershipUpdated": "2015-11-28T19:15:32.000Z",
      "objectClass": [],
      "type": "OKTA_GROUP",
      "profile": {},
      "_links": {}
    }
  }
]
```

### Get Users

Retrieves a comprehensive list of user accounts from Okta Identity Management for account management and analysis.

- Endpoint URL: `/api/v1/users`
- Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Finds users who match the specified query. This doesn't support pagination. This might not deliver optimal performance for large orgs, and is deprecated for such use cases; to ensure optimal performance, use the `search` parameter instead. Use the `q` parameter for a simple lookup of users by name, for example when creating a people picker. The value of `q` is matched against `firstName`, `lastName`, or `email`. This performs a `startsWith` match, but this is an implementation detail and can change without notice. You don't need to specify `firstName`, `lastName`, or `email` |
| filter | string | optional | Filters users with a supported expression for a subset of properties. This requires URL encoding; for example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for attribute names and query values, while attribute operators are case-insensitive. Filtering supports the following limited number of properties: `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, `profile.firstName`, and `profile.lastName`. Additionally, filtering supports only the equal `eq` operator from the standard Okta API filtering semantics, except in the case of the `lastUpdated` property, which can also use the inequality operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only `and` and `or` are supported; the `not` operator isn't supported. See Filtering and Operators for more information |
| after | string | optional | Specifies the pagination cursor for the next page of results. The `after` cursor should be treated as an opaque value and obtained through the `next` link relation |
| limit | number | optional | Specifies the number of results returned. Defaults to 10 if `q` is provided |
| expand | string | optional | An optional parameter to include metadata in the `_embedded` attribute. Valid value: `classification` |
| search | string | optional | Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. This operation supports pagination. Use an ID lookup for records that you update to ensure your results contain the latest data. Property names in the search parameter are case-sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case-insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac brock` finds `Isaac Brock`, but doesn't find a property whose value is `Isáàc Bröck`. This operation requires URL encoding; for example, `search=profile.department eq "Engineering"` is encoded as `search=profile.department%20eq%20%22Engineering%22` |
| sortBy | string | optional | Specifies the field to sort by (for search queries only). This can be any single property, for example `sortBy=profile.lastName`. Users with the same value for the `sortBy` property are ordered by `id` |
| sortOrder | string | optional | Specifies the sort order, `asc` or `desc` (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case-sensitive. `sortOrder` is ignored if `sortBy` is not present |
| headers | object | optional | HTTP headers for the request |
| headers.Content-Type | string | optional | Specifies the media type of the resource |
| headers.okta-response | string | optional | An `okta-response` value can be included for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. Enum values for `okta-response`: `omitCredentials` omits the `credentials` subobject from the response; `omitCredentialsLinks` omits the following HAL links from the response: Change Password, Change Recovery Question, Forgot Password, Reset Password, Reset Factors, Unlock; `omitTransitioningToStatus` omits the `transitioningToStatus` field from the response |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |
| json.id | string | Unique identifier |
| json.status | string | Status value |
| json.created | string | Output field created |
| json.activated | object | Output field activated |
| json.statusChanged | object | Status value |
| json.lastLogin | string | Output field lastLogin |
| json.lastUpdated | string | Output field lastUpdated |
| json.passwordChanged | string | Output field passwordChanged |
| json.type | object | Type of the resource |
| json.type.id | string | Unique identifier |
| json.profile | object | Output field profile |
| json.profile.firstName | string | Name of the resource |
| json.profile.lastName | string | Name of the resource |
| json.profile.mobilePhone | object | Output field mobilePhone |
| json.profile.secondEmail | object | Output field secondEmail |
| json.profile.login | string | Output field login |
| json.profile.email | string | Output field email |
| json.realmId | string | Unique identifier |
| json.credentials | object | Output field credentials |
| json.credentials.password | object | Output field password |
| json.credentials.provider | object | Unique identifier |
| json.credentials.provider.type | string | Type of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {
      "id": "00u118oQYT4TBGuay0g4",
      "status": "ACTIVE",
      "created": "2022-04-04T15:56:05.000Z",
      "activated": null,
      "statusChanged": null,
      "lastLogin": "2022-05-04T19:50:52.000Z",
      "lastUpdated": "2022-05-05T18:15:44.000Z",
      "passwordChanged": "2022-04-04T16:00:22.000Z",
      "type": {},
      "profile": {},
      "realmId": "guo1afintsnzyilxo0g4",
      "credentials": {},
      "_links": {}
    }
  }
]
```

### Remove User to Group

Removes a user from a specified group in Okta Identity Management using the unique `groupId` and `userId`.

- Endpoint URL: `/api/v1/groups/{{groupId}}/users/{{userId}}`
- Method: DELETE

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| groupId | string | required | Group ID |
| userId | string | required | ID of an existing Okta user |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {}
  }
]
```

### Suspend User by ID

Suspends an Okta user account using the specified `userId`; essential for rapidly disabling access when necessary.

- Endpoint URL: `/api/v1/users/{{userId}}/lifecycle/suspend`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| userId | string | required | ID of an existing Okta user |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {}
  }
]
```

### Unlock User by ID

Unlocks an Okta user account with `LOCKED_OUT` status, or permits sign-in from unknown devices for active users; requires the `userId`.

- Endpoint URL: `/api/v1/users/{{userId}}/lifecycle/unlock`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| userId | string | required | ID of an existing Okta user |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {}
  }
]
```

### Unsuspend User by ID

Reactivates a suspended user in Okta Identity Management, setting their status to `ACTIVE`, using the user's unique identifier (`userId`).

- Endpoint URL: `/api/v1/users/{{userId}}/lifecycle/unsuspend`
- Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| userId | string | required | ID of an existing Okta user |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| json | object | Output field json |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Wed, 8 Jan 2025 20:37:23 GMT"
    },
    "reason": "OK",
    "json": {}
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 8 Jan 2025 20:37:23 GMT |

## Notes

- Information for event actions, including filter expressions, event types and correlations, can be found at https://developer.okta.com/docs/reference/api/system-log/#request-parameters
- Information for user actions, including search examples, filter examples and name queries, can be found at https://developer.okta.com/docs/reference/api/users/#get-user-with-login-shortname
- Information for group actions, including filtering expressions, can be found at https://developer.okta.com/docs/reference/api/groups/#group-rule-operations
- The complete documentation for the API is found at https://developer.okta.com/docs/reference/
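The Get Users, Get Groups and Get Events actions above all share two mechanics that are easy to get wrong in an automation: the `filter`/`search` expressions must be URL-encoded exactly as the descriptions show, and result pages must be walked through the opaque `after` cursor that Okta returns in the `Link` header with `rel="next"`. The following Python is an added example, not code from the Swimlane connector or from Okta. It assumes the connector's API key is sent as an Okta API token in an `Authorization: SSWS <token>` header, and it uses a constructed in-memory transport (`fake_get`, with invented cursor values and example.okta.com as a placeholder org) in place of real HTTP so that it runs offline. The final helper shows a defender's use of the fetched System Log events: counting failed `user.session.start` outcomes per client IP, which is the kind of triage a Turbine playbook would feed to a Suspend User or Clear User Session action.

```python
"""Okta query encoding, System Log pagination and a triage pass over the events.

Added example, not part of the Swimlane connector or Okta's own code.
Assumptions: the API key is an Okta API token sent as `Authorization: SSWS <token>`;
`fake_get` is a constructed stand-in for the HTTP transport with invented cursors.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlencode, urlsplit

OKTA_DOMAIN = "example.okta.com"  # constructed placeholder, not a real org


def auth_headers(api_key):
    """Headers sent on every request (the SSWS token scheme is an assumption here)."""
    return {"Authorization": f"SSWS {api_key}", "Accept": "application/json"}


def build_query(**params):
    """URL-encodes query parameters for /api/v1/users, /api/v1/groups and /api/v1/logs.

    Spaces become %20 and double quotes %22, matching the encoded examples in the
    Get Groups and Get Users descriptions; None values are dropped so a caller can
    pass every optional parameter unconditionally; booleans become true/false.
    safe=":/" keeps ISO-8601 timestamps and expand=user/{userId} readable.
    """
    present = {k: (str(v).lower() if isinstance(v, bool) else v)
               for k, v in params.items() if v is not None}
    return urlencode(present, safe=":/", quote_via=quote)


# One Link header can carry several comma-separated <url>; rel="..." entries.
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


def next_cursor(link_header):
    """Returns the opaque `after` cursor from the rel="next" link, or None if there is none."""
    for url, rel in _LINK_RE.findall(link_header or ""):
        if rel == "next":
            return parse_qs(urlsplit(url).query).get("after", [None])[0]
    return None


def fetch_all_events(get, since, limit=100):
    """Walks every page of GET /api/v1/logs from `since`, following the after cursor.

    `get(path, query, headers)` returns (status_code, headers, json_body) and is
    injected so the function runs against the constructed transport below.
    A polling query always carries a next link, so an empty page means "caught up";
    a missing next link ends a bounded query.
    """
    events, after = [], None
    while True:
        status, headers, body = get("/api/v1/logs",
                                    build_query(since=since, limit=limit, after=after),
                                    auth_headers("<api-key-placeholder>"))
        if status != 200:
            raise RuntimeError(f"GET /api/v1/logs returned HTTP {status}")
        events.extend(body)
        after = next_cursor(headers.get("Link"))
        if not body or after is None:
            return events


def failed_logins_by_ip(events):
    """Triage: counts user.session.start events with outcome.result FAILURE per client IP."""
    counts = Counter()
    for ev in events:
        if (ev.get("eventType") == "user.session.start"
                and ev.get("outcome", {}).get("result") == "FAILURE"):
            counts[ev.get("client", {}).get("ipAddress", "unknown")] += 1
    return dict(counts)


# --- constructed sample data standing in for a live org (not real events) ---
def _event(uuid, etype, result, ip):
    return {"uuid": uuid, "eventType": etype, "published": "2024-08-13T15:58:20.353Z",
            "outcome": {"result": result}, "client": {"ipAddress": ip},
            "actor": {"alternateId": "alice@example.com"}}


_PAGES = {  # after-cursor -> (page body, next cursor); cursor strings are invented
    None: ([_event("e1", "user.session.start", "FAILURE", "203.0.113.7"),
            _event("e2", "user.session.start", "FAILURE", "203.0.113.7")], "cursor-2"),
    "cursor-2": ([_event("e3", "user.session.start", "SUCCESS", "198.51.100.4"),
                  _event("e4", "user.session.start", "FAILURE", "203.0.113.9")], "cursor-3"),
    "cursor-3": ([], None),  # caught up: empty page and no further link
}


def fake_get(path, query, headers):
    """In-memory transport returning Okta-shaped (status, headers, body) tuples."""
    assert headers["Authorization"].startswith("SSWS ")
    after = parse_qs(query).get("after", [None])[0]
    body, nxt = _PAGES[after]
    link = f'<https://{OKTA_DOMAIN}{path}?{query}>; rel="self"'
    if nxt:
        link += f', <https://{OKTA_DOMAIN}{path}?after={nxt}&limit=100>; rel="next"'
    return 200, {"Link": link}, body


if __name__ == "__main__":
    print(build_query(search='type eq "OKTA_GROUP"', limit=200))
    evs = fetch_all_events(fake_get, since="2024-08-13T00:00:00.000Z")
    print(len(evs), "events;", failed_logins_by_ip(evs))
```

`build_query` emits `%20` where the Get Groups description shows `+` for the `search` example; both encode a space and Okta accepts either. Swap `fake_get` for a real transport that returns the status, response headers and parsed JSON (the connector's `status_code`, `headers` and `json` output fields map onto that tuple) and the pagination logic is unchanged.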