Integrate Okta Org2Org with Okta
There are two ways to secure the provisioning connection for the Org2Org spoke to hub org model:
With OAuth 2.0: You can configure the connection between orgs with OAuth 2.0 by using the Okta API. See Securing API connections between orgs with OAuth 2.0 for instructions.
With an API token: The following steps to integrate the Okta Org2Org for provisioning uses an API token to secure the org to org connection.
Okta Super Admin permissions are required to create the API token. If you do not have Okta Super Admin permissions, you can't define the provisioning settings.
This procedure assumes the Okta Org2Org app is being installed on the Okta connected org. A connected org is an org that is connected to a central Okta org. You can use Okta Org2Org to connect multiple orgs to a central Okta org. This methodology is also known as hub and spoke. The hub is the central Okta org and each connected org is a spoke.
- If you haven't added the Okta Org2Org app to the connected Okta org, add it now:
- In the Admin Console, go to Applications > Applications.
- Click Add Application.
- In the Search field, enter Org2Org, and select Okta Org2Org.
- Click Add.
- Complete the fields on the General Settings page and click Next.
- In the Sign on methods section of the Sign-On Options pane, select a sign on option.
- Click Done.
- If you selected SAML 2.0 as your sign on method, click the Sign On tab, click View SAML setup Instructions and follow the instructions to complete the set up.
- Create the API token on the central Okta org:
- In the Admin Console of the central Okta org, go to Security > API.
- Click the Tokens tab and click Create Token.
- Enter a descriptive name for the token and click Create Token.
- Copy the token value to your clipboard or a text editor.
- Click OK, got it.
- In the connected Okta org, go to Applications > Applications and select Okta Org2Org in the list of applications.
- Click the Provisioning tab, click Configure API Integration, and select the Enable API Integration check box.
- Complete these fields:
- Security token: Paste the security token you copied in step 2 d.
- Prefer Username Over Email: Optional. Select this option if you don't want to use an email address as the username.
- Import Groups: Optional. Clear the check box if you do not want to import groups from the connected org.
- Optional. Click Test API Credentials to test the API integration.
Optional. Change the provisioning settings from the central Okta org to the connected org:
- Click the Provisioning tab and select To App in the SETTINGS list.
- Click Edit.
- Select the Create Users, Update User Attributes, Deactivate Users, or Sync Password check boxes to enable the functionality.
- Click Save.
- Optional. Change the provisioning settings from the connected org to the central Okta org:
- Click the Provisioning tab and select To Okta in the SETTINGS list.
- Click Edit in the General, User Creation & Matching, Profile & Lifecycle Sourcing, or Import Safeguard areas to edit the settings.
When you select Allow Okta Org2Org to source Okta users in the Profile & Lifecycle Sourcing area, the connected org is the source for user profile data. When you import Okta users into your connected org, updates made to user properties in the connected org are applied to other apps that the user is assigned.
- Click Save.
- Optional. Assign users or groups to the connected Okta Org2Org app:
- Click the Assignments tab, click Assign, and select Assign to People or Assign to Groups.
- Click Assign next to the user or group name or enter the user or group name in the Search field and click Assign.
- Complete the mandatory and optional fields.
- Click Save and Go Back and Done.
You must select an option in the Initial status list. This attribute determines the status of the user in the connected org when they are created, linked, or reactivated. When active_with_pass or pending_with pass is selected, a temporary password is generated for the user. When Okta Password Sync is enabled, the temporary user password is overwritten when the user signs in.
- Optional. Push new Okta groups to the connected org. See Manage Group Push.