Authorization

Authorize this connector by creating a connection to your Okta account. You can reuse this connection the next time that you build a flow with this connector.

A recommended best practice is to create a specific service account with super admin credentials for Okta Workflows. Then use that account to authorize the connection. Otherwise, the Okta user account that you use to set up the connection is associated with any actions performed by Okta Workflows.

Before you begin

  • The account must have super admin credentials.

    In addition to the initial authorization of the connector, reauthenticating this connection requires an account with super admin privileges.

  • The necessary scopes must be granted in the Okta Workflows OAuth app. See Grant or revoke scopes.

  • A super admin must assign the Okta Workflows OAuth app to the account creating the connection.

  • Okta Identity Governance is required to use Okta Realms. See Identity Governance.

Procedure

Creating the Okta Realms connection consists of several tasks:

Record your domain name

Locate the Okta domain by clicking your username in the upper-right corner of the Okta Admin Console. The domain appears in the dropdown menu and looks like one of these examples:

  • example.okta.com

  • example.okta-emea.com

  • example.oktapreview.com

Record the app authentication values

You need the Client ID and Client Secret from the Okta Workflows OAuth application:

  1. In the Admin Console, go to Applications > Applications.

  2. Open the Okta Workflows OAuth app.

  3. Click the Sign On tab and copy the Client ID and Client Secret values.

Grant scopes

While still in the Okta Workflows OAuth application, complete these steps:

  1. Click the Okta API Scopes tab to see the list of available scopes.

  2. Click Grant for each scope that you want to grant.

  3. The Okta Realms connector requires the following scopes:

    • address*

    • email*

    • groups*

    • offline_access*

    • okta.realms.manage

    • okta.realms.read

    • okta.schemas.read

    • okta.users.manage

    • okta.users.read

    • openid*

    • phone*

    • profile*

    Scopes designated with an asterisk (*) are automatically granted. You don't need to grant them through the Okta Workflows OAuth app.

    The connection authorization fails if you revoke any of the automatically granted scopes or the okta.realms.read scope in the OAuth app.

For an existing connection, you must reauthorize the connection to pick up any scope changes.

Create a connection in Okta Workflows

  1. In the Okta Workflows Console, go to Connections.

  2. Click New Connection to see a list of all available connectors.

  3. Select the Okta Realms connector.

  4. In the New Connection window, enter a Connection Nickname. This is the display name that appears in your connections list.

  5. Enter the Domain of your Okta org.

  6. Enter the Client ID and Client Secret.

  7. Click the Permissions tab and choose either Use default scopes or Customize scopes (advanced).

    • Use default scopes: This option includes the scopes necessary to run any of the Okta connector cards.

    • Customize scopes (advanced): Choose this option if you want to customize the scopes for this connection.

    To grant scopes: Before you create the connection, grant those scopes in the Okta Workflows OAuth app and select the scopes here in the Permissions tab.

    To revoke scopes: Before you create the connection, revoke those scopes from the OAuth app or clear the selected scopes in the Permissions tab.

    If you don't grant the scopes in the OAuth app, you can create or reauthorize the connection, but it won't include those ungranted scopes.

    Attempting to execute a card without the required scopes results in an Insufficient Scope error.

  8. Click Create.

The new connection appears in the Connections list.

Reauthorize a connection

For an existing connection, you must reauthorize the connection to pick up any scope changes.

Reauthorizing any existing connection without changing scopes simply inherits the scopes of the previous authorization.
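
The scope rules above can be checked before you create or reauthorize a connection. The following Python sketch is an added example, not Okta code: it classifies a list of granted scopes into the three outcomes this page describes (authorization fails, cards may return Insufficient Scope, or OK) and flags when an existing connection needs reauthorization. The function and constant names are hypothetical, and it assumes you supply the scopes currently granted in the Okta Workflows OAuth app, including the automatically granted ones unless you revoked them.

```python
# Added example: names below (preflight, AUTO_GRANTED, ...) are hypothetical.
# Scope lists are copied from this page; asterisked scopes are granted automatically.
AUTO_GRANTED = frozenset(
    "address email groups offline_access openid phone profile".split())
MUST_GRANT = frozenset(
    "okta.realms.manage okta.realms.read okta.schemas.read "
    "okta.users.manage okta.users.read".split())
REQUIRED = AUTO_GRANTED | MUST_GRANT
# Per the page, authorization fails if any of these is revoked in the OAuth app.
AUTH_BLOCKING = AUTO_GRANTED | {"okta.realms.read"}


def _as_set(scopes):
    """Accept a space-delimited string or any iterable of scope names."""
    if isinstance(scopes, str):
        scopes = scopes.split()
    return {s.strip() for s in scopes if s.strip()}


def preflight(granted, last_authorized=None):
    """Classify the OAuth app's current grants against the connector's needs.

    granted: scopes currently granted in the OAuth app (assumed to include
             the automatic ones unless they were revoked).
    last_authorized: scopes recorded at the connection's last authorization,
             or None for a connection that does not exist yet.
    """
    granted = _as_set(granted)
    missing = REQUIRED - granted
    blocking = sorted(missing & AUTH_BLOCKING)
    card_errors = sorted(missing - AUTH_BLOCKING)
    if blocking:
        status = "authorization_fails"
    elif card_errors:
        status = "insufficient_scope_on_some_cards"
    else:
        status = "ok"
    # Scope changes only reach an existing connection when it is reauthorized.
    needs_reauth = (last_authorized is not None and
                    (_as_set(last_authorized) & REQUIRED) != (granted & REQUIRED))
    return {"status": status, "blocking": blocking,
            "card_errors": card_errors, "needs_reauth": needs_reauth}


# Constructed sample: okta.users.manage was never granted in the OAuth app.
SAMPLE = ("address email groups offline_access openid phone profile "
          "okta.realms.manage okta.realms.read okta.schemas.read okta.users.read")
if __name__ == "__main__":
    print(preflight(SAMPLE))
```
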

Related topics

Okta Realms connector

Cards in flows

Okta Realms API