Configure imported AI agents

After you've imported AI agents, the next step is to complete the configuration and activate them in Okta. When you configure the AI agent, you can provide the following details:

• Owners: The admins who are responsible for the AI agent's governance and lifecycle management. If you assigned default owners when you configured the provider app, those owners are already populated on the AI agent. You can modify this ownership and add more owners. Okta recommends that you assign at least two owners to an AI agent to ensure that it always has an owner.
• Credentials: Okta uses a public key to verify that the AI agent is authorized to access your resources and to validate the digital signatures of its requests.
• User sign-on: When an AI agent is linked to an app, it can only access resources or perform actions on behalf of a user who is currently signed in to that app.
• Delegations (Early Access): The users, apps, and other AI agents that can authorize the AI agent to act on their behalf. When you delegate an AI agent to an app, it can only act on a user's behalf if the user is signed in to the app. When you delegate an AI agent to a non-human identity (like an app or another AI agent), it can act on behalf of the AI agent without a user. See Agent-to-agent connections.
  Note:

  When you delegate an AI agent to another AI agent, Okta automatically creates a resource connection between the two AI agents. For all other delegation types, you need to configure AI agent resource connections separately.

Before you begin

• You have the super admin role.
• You've imported AI agents into Okta. See Import AI agents from an app.
• If you want to link an AI agent to an OIDC app, integrate that app in your org. See Add existing app integrations.
• If you want to link an AI agent to a non-human identity, you've created a custom authorization server. See Create an authorization server. This is required to register the AI agent as a resource that other AI agents and services can call.
• You have a public JSON Web Key (JWK) for authentication with Okta. If you don't have one already, you can generate one when you register the AI agent.

Assign owners

1. In the Admin Console, go to Directory > AI Agents.

2. Select an imported AI agent.
3. Select the Owners tab and click Edit owners.
4. Select an option:
   • Assign individual owners: Select up to five users.
   • Assign a group owner: Select a group that has at least two members.
5. Click Save.
6. Link an app to the AI agent:
   1. Go to the User Sign-on tab.
   2. Click Link an application.
   3. Select an app from the Application list and click Link. If you link the AI agent to an app, the AI agent can only act on a user's behalf if the user is signed in to the app.

Add delegations

Early Access release. See Enable self-service features.

1. On the AI agent page, select the Delegations tab.
2. To allow users who are signed in to an app to delegate their identity to the AI agent, click Add caller next to User sign-on.
   1. Select an app from the Application dropdown list. The Confirm authorization server section appears with the Okta Org Authorization Server selected by default.
   2. Optional. If you don't want to use the default authorization server, select a custom authorization server from the Authorization server list.
   3. Click Add caller.
   4. Repeat these steps for each user sign-on app that you want to add.
3. To delegate the AI agent to a non-human identity, you need configure a custom authorization server. This is a one-time task - if you've already completed it, skip to step d. Otherwise, click Configure in the Non-human identity section (Early Access).
   1. Select an Authorization server from the dropdown list.
   2. Enter a unique Audience/resource URL to identify the resource agent. This is the URL that callers include in their token requests to validate the audience claim.
      Note:

      The audience URL is the identifier that callers use to request tokens from the AI agent. You can't edit this value later.

   3. Click Save.
   4. Click Add caller.
   5. To delegate the AI agent to another AI agent, click AI agent and select an AI agent from the dropdown list.
      1. Select Allow all to grant all available OAuth scopes to the AI agent. Or, select Only allow or Disallow and select the scopes that you want to grant or deny the AI agent.
      2. Click Add caller.
      3. The Delegation added dialog displays the delegation and resource connection details. Click Add another AI agent or Done. The AI agent that you just configured appears on the Resource connections tab for AI agent delegation.
   6. To delegate the AI agent to an app or service, click Application or service.
      1. Select an app or service from the dropdown list.
      2. Click Add caller.
      3. Repeat these steps for each app or service that you want to add.

Activate an AI agent

1. On the AI agent page, select Actions > Activate.
2. Click Confirm.
3. To deactivate the agent, select Actions > Deactivate.

Add credentials

To secure AI agents from Homegrown: Agent builder platforms that were built with custom code, configure a public key.

1. Go to the Credentials tab.
2. Click Add public key. The Add public key dialog opens.
3. Enter your public key, or click Generate new key. Okta creates a public key that's associated with a private key that you can view in JSON or PEM.
4. Click Copy to clipboard and store the private key safely.
5. Click Done.

After you've configured and activated your Homegrown: Fully custom or Homegrown: Agent builder platform AI agents that were built with custom code, connect them to resources through a resource connection. See Connect AI agents to resources.

For more details on securing Amazon Bedrock AgentCore AI agents, see Secure an Imported Amazon Bedrock AgentCore Agent.