Okta

Trelica connects to Okta using an Okta API token.
This is used to:
  • List your Okta users, and which groups they are in.
  • List the applications your users are assigned to.
  • Read the date/time that users last logged in to applications through Okta from the Okta audit log.
If you enable Provisioning or Deprovisioning then you can also:
  • Assign and unassign users to and from applications in Okta
  • Create and suspend users in Okta
Okta API tokens are granted the permissions of the user who issued them.
We always recommend limiting the permissions of access tokens to the minimum required and these instructions describe how to create a specific Trelica API user with the minimal permissions needed.

Creating an Okta user with limited permissions

Log in to Okta as a full administrator.

Create a new custom role

  • Go to Security > Administrators and click the Roles tab.
  • Click Create new role
  • Enter the name Trelica
  • Enter an appropriate description, e.g. if the role is going to allow provisioning and deprovisioning, then enter something like Trelica usage, provisioning & deprovisioning
  • Click the User, Group and Application type checkboxes.
Add the following permissions. The Trelica feature that needs each permission is shown in parentheses:
User permissions
  • Create users (Provisioning)
  • Deactivate users (Deprovisioning)
  • Suspend users (Deprovisioning)
  • Clean users' sessions (Deprovisioning)
  • Edit users' group membership (Provisioning)
  • Edit user's application assignments (Deprovisioning via Okta)
Group permissions
  • Manage group membership (Provisioning)
  • Edit users' group membership (Provisioning)
  • Edit groups' application assignments (Deprovisioning via Okta)
Applications permissions
  • Edit application's user assignments (Deprovisioning via Okta)
  • Click Save role
(Screenshot: Creating the Trelica role in Okta)

Create a new resource set

  • Go to Security > Administrators and click the Resources tab
  • Click Create new resource set
  • Enter the name All resources and an appropriate description.
  • Add all three resource types by clicking Add another resource type for each type.
  • Tick Constrain to all for each
  • Click Save resource set
(Screenshot: Creating a new resource set in Okta)

Create a new person

Okta API tokens are linked to a user account so we need to create a new user account which can be used to issue the API token.
  • Go to Directory > People
  • Click Add person
  • Enter details
    • First name: Trelica
    • Last name: API
    • Username & Primary email: (your choice)
    • Choose Set by admin for the password, and untick User must change password on first login
    • Enter a strong password
    • Click Save
(Screenshot: Creating a new person in Okta)

Assign the new person administrative rights

  • Go to Security > Administrators and click the Admins tab
  • Click Add administrator
  • Search for and select the Trelica API person you just created
Now we need to add the required roles. For each role click Add assignment.
  • Read-only Administrator: read-only access to Okta data. This is required because the assignable permissions don't include access to the Okta audit log, which is needed to analyze last-usage data.
  • Trelica: the specific permissions to modify users and groups.
  • Organization Administrator: only assigned temporarily, but needed to issue the API token. Once the token is issued you will be shown how to remove this role assignment.
When you add the Trelica role you will need to choose a resource set. Use the All resources set that you created earlier.
Once you're done, don't forget to scroll to the top of the page and click Save changes.

Creating an Okta API token

Log in as the person we just created, using the credentials that you entered for them.
Go to Security > API > click the Tokens tab, and then click Create Token:
Enter a name for the token, e.g. Trelica and click Create Token:
The token will now be shown:
Click the Clipboard icon to copy it to the clipboard, click OK, got it and then paste the token into Trelica when you connect to Okta.

Removing the Organization Administrator role

The Organization Administrator role is only required to issue the API token. Once the token has been issued you should remove this role.
  • Log in to Okta as a full administrator.
  • Go to Security > Administrators and click the Admins tab
  • Find the Trelica role in the list, click Edit and choose Edit assignments
  • Click the trash icon by the Organization Administrator role
  • Click Save Changes (at the top of the page)
  • Confirm the assignment deletion in the dialog box that appears.
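To confirm that the cleanup actually happened, here is an added example script (not Trelica's or Okta's own code) that lists the Trelica API user's admin role assignments through Okta's Roles API and reports anything beyond Read-only Administrator plus the custom Trelica role. The role type strings (READ_ONLY_ADMIN, ORG_ADMIN, CUSTOM), the `label` field on custom role assignments and the environment variable names are assumptions.

```python
"""Audit the admin roles assigned to the Trelica API user in Okta.

Added example, not Trelica's or Okta's code. Assumes the SSWS token header and
the role type values returned by GET /api/v1/users/{id}/roles. Set
OKTA_ORG_URL, OKTA_API_TOKEN and TRELICA_USER_ID to run against a live org;
without them the constructed sample below is audited instead.
"""
import json
import os
import urllib.request

# Roles the Trelica API user should keep once the token has been issued:
# Read-only Administrator (audit log access) and the custom "Trelica" role.
EXPECTED = {("READ_ONLY_ADMIN", None), ("CUSTOM", "Trelica")}


def fetch_roles(org_url: str, api_token: str, user_id: str) -> list:
    """Return the admin role assignments for one user (Okta Roles API)."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/roles",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def audit_roles(assignments: list) -> dict:
    """Compare role assignments with EXPECTED; report extra and missing roles."""
    found = set()
    for a in assignments:
        # Assumption: custom roles have type CUSTOM and carry their name in "label".
        label = a.get("label") if a.get("type") == "CUSTOM" else None
        found.add((a["type"], label))
    return {"extra": sorted(found - EXPECTED, key=str),
            "missing": sorted(EXPECTED - found, key=str)}


# Constructed sample: the state before the Organization Administrator role
# has been removed, which the audit should flag as an extra role.
SAMPLE_BEFORE_CLEANUP = [
    {"id": "ra1", "type": "READ_ONLY_ADMIN", "status": "ACTIVE", "assignmentType": "USER"},
    {"id": "ra2", "type": "CUSTOM", "label": "Trelica", "status": "ACTIVE", "assignmentType": "USER"},
    {"id": "ra3", "type": "ORG_ADMIN", "status": "ACTIVE", "assignmentType": "USER"},
]

if __name__ == "__main__":
    env = os.environ
    if "OKTA_API_TOKEN" in env:
        roles = fetch_roles(env["OKTA_ORG_URL"], env["OKTA_API_TOKEN"], env["TRELICA_USER_ID"])
    else:
        roles = SAMPLE_BEFORE_CLEANUP
    print(audit_roles(roles))
```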

People directory profile fields retrieved by Trelica

By default Trelica pulls the following fields from Okta People directory profiles:
  • Title
  • User type
  • Employee number
  • Cost center
  • Department
  • Manager email
If you need support for mapping custom schema items, or other changes, please contact [email protected].
Trelica also extracts the Okta groups that each person is a member of.