Targeting the Okta system
For each Okta system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):
Type is Okta.
Address uses the following options:
Table 1. Okta address configuration

Option                                               Key          Description
---------------------------------------------------  -----------  -------------------------------------------------------------------
Server (required)                                    server       The DNS domain name of the web server for the Okta instance.
Port                                                 port         TCP port of the web server. Default is 443.
Connection over SSL                                  ssl          Select to enforce SSL connections. Default is "true".
Validate the server's certificate when connecting    checkCert    Determines whether the server's certificate is validated for SSL
                                                                  connections. Default is "true". Leave this enabled; with it
                                                                  disabled an on-path attacker can present a forged certificate
                                                                  and intercept the API token.
HTTP Network Proxy                                   proxy        Specifies a proxy URL to use for connecting.
Timeout for connection (in seconds)                  timeout      Amount of time the connector waits for a response. Default: 60.
Authentication methods order                         authorder    The order in which the multifactor authentication methods are
                                                                  presented to an Okta user for challenge-response authentication.
Groups to list users from                            listGroups   List only those users who exist in one or more of the specified
                                                                  groups.
Records per page                                     pagesize     Number of records requested per page during listing. Default: 200.
Filter for listing users                             filter       List only those users who match the filter criteria.

Only Server is required; the other options are optional and fall back to the defaults shown.
The Okta target system address syntax is as follows:
{server=(<the web server for the Okta instance>); [port=<port number>;] [proxy=<proxy server>;] [ssl=<true|false>;] [checkCert=<true|false>;] [filter=<filter|search>=<search criteria>;] }
The full list of target system parameters is explained here.
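The following Python is an added example, not part of this documentation or of Bravura Security's own code. It builds an address string in the syntax above from keyword arguments and parses one back, applying the defaults from Table 1 and flagging the two settings a practitioner should never leave in production (ssl=false, checkCert=false). The keys, defaults and the "filter=" / "search=" prefix rule come from this page; the hostname sanity check, the warning texts and the example hostname dev-123456.okta.com are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Keys documented in Table 1, in the order the address syntax lists them.
ORDER = ["server", "port", "proxy", "ssl", "checkCert", "timeout",
         "authorder", "listGroups", "pagesize", "filter"]
# Defaults the page states; everything except server is optional.
DEFAULTS = {"port": "443", "ssl": "true", "checkCert": "true",
            "timeout": "60", "pagesize": "200"}
BOOL_KEYS = {"ssl", "checkCert"}
INT_KEYS = {"port", "timeout", "pagesize"}


def build_address(**params):
    """Render key=value pairs as '{server=...; port=...; }' in the documented order."""
    unknown = set(params) - set(ORDER)
    if unknown:
        raise ValueError(f"unknown address keys: {sorted(unknown)}")
    if "server" not in params:
        raise ValueError("server is required")
    return "{" + " ".join(f"{k}={params[k]};" for k in ORDER if k in params) + " }"


def parse_address(address):
    """Parse an address string, apply the documented defaults and validate it.

    Returns (params, warnings). Malformed input raises ValueError; settings that
    are legal but weaken transport security are reported as warnings.
    """
    body = address.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("address must be enclosed in braces")
    params = {}
    # Entries are ';'-separated, so a filter expression must not itself contain ';'.
    for item in body[1:-1].split(";"):
        item = item.strip()
        if not item:
            continue
        # Split at the first '=' only, so filter=search=... keeps its inner '='.
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in ORDER or not value:
            raise ValueError(f"malformed or unknown entry: {item!r}")
        if key in params:
            raise ValueError(f"duplicate key: {key}")
        params[key] = value
    if "server" not in params:
        raise ValueError("server is required")
    for key, default in DEFAULTS.items():
        params.setdefault(key, default)

    # Sanity checks on the documented value types (assumption: the field wants a bare DNS name).
    if "://" in params["server"] or "/" in params["server"]:
        raise ValueError("server must be a DNS name, not a URL")
    for key in BOOL_KEYS:
        if params[key] not in ("true", "false"):
            raise ValueError(f"{key} must be true or false")
    for key in INT_KEYS:
        if not params[key].isdigit() or int(params[key]) == 0:
            raise ValueError(f"{key} must be a positive integer")
    if int(params["port"]) > 65535:
        raise ValueError("port out of range")
    if "filter" in params and not params["filter"].startswith(("filter=", "search=")):
        raise ValueError('filter must start with "filter=" or "search="')

    warnings = []
    if params["ssl"] == "false":
        warnings.append("ssl=false: the API token and user data are sent in cleartext")
    if params["checkCert"] == "false":
        warnings.append("checkCert=false: the Okta certificate is not validated, "
                        "so an on-path attacker can impersonate Okta and capture the token")
    if "proxy" in params and urlsplit(params["proxy"]).scheme not in ("http", "https"):
        warnings.append("proxy should be an http:// or https:// URL")
    return params, warnings


if __name__ == "__main__":
    # dev-123456.okta.com is a constructed example hostname.
    addr = build_address(server="dev-123456.okta.com", checkCert="false",
                         filter='search=status eq "ACTIVE"')
    print(addr)
    for line in parse_address(addr)[1]:
        print("WARNING:", line)
```

Running the block prints the rendered address and one warning for checkCert=false; the parser is strict about unknown keys and missing server, so it can be used to lint an address before it is pasted into the target system form.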
Setting the administrator credentials
Bravura Security Fabric uses designated accounts configured for the Okta server to perform Bravura Security Fabric operations.
Set the Administrator ID and Password to the credentials for the Okta API Token as configured for the Okta server.
Setting the order for the Okta authentication methods
The Authentication methods order option specifies the order in which the multifactor authentication methods are presented to an Okta user for challenge-response authentication.
The order may be specified either as a list on the target address configuration page or from a file.
When choosing the list option, the field accepts multiple values. To enter multiple values, select List from the drop-down list box in front of the field, and use the More button to add an input box for each additional value. Each input box holds exactly one value, for example:
token:okta      Passcode from the Okta Verify mobile app
push:okta       Push notification to accept or deny from the Okta Verify mobile app
sms:okta        SMS text message for a passcode
call:okta       Phone call to authenticate from a key press
token:google    Passcode from the Google Authenticator mobile app
token:yubico    YubiKey token via Okta
question:okta   Okta security questions
There is also an option to specify the authentication order in a file. To use the file, select File from the drop-down list and specify the file name in the field.
The file must be located in the \<instance>\script\ directory and contain the Okta multifactor authentication methods in the order they are to be presented.
To specify the authentication order:
# KVGROUP-V2.0
authorder = {
    "token:okta";
    "push:okta";
    "sms:okta";
    "call:okta";
    "token:google";
    "token:yubico";
    "question:okta";
};
The list may be re-ordered to change how the methods are presented to a user for challenge-response authentication.
If a user has enrolled more multifactor authentication methods than the authentication methods order lists, the listed methods are shown to the user first, in the configured order, and the remaining methods follow directly underneath.
Targeting groups
You can restrict Bravura Security Fabric to list only those users who exist in one or more named groups.
To do this, specify the groups in the Groups to list users from field. This field accepts multiple values. To enter multiple values, select List from the drop-down list box in front of the field, and use the More button to add an input box for each additional value. Each input box holds exactly one value, for example:
00gsgzwclwX8C0N8y0h7
00gsgzrb307bEbLSk0h7
00gsh14zcacEBVtVV0h7
00gsh18jnnIx8sIlS0h7
Note
The value to specify in these fields is the long id value of an Okta group (for example 00gsgzwclwX8C0N8y0h7), not the group's name.
If there are many groups to list, you can include all groups in a file. To use the file, select File from the drop-down list and specify the file name in the field.
This file must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and contain the list of groups to list users from.
For listing users from groups:
# KVGROUP-V2.0
listGroups = {
    "00gsgzwclwX8C0N8y0h7";
    "00gsgzrb307bEbLSk0h7";
    "00gsh14zcacEBVtVV0h7";
    "00gsh18jnnIx8sIlS0h7";
};
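The Python below is an added example, not Bravura Security's own code, covering both the authorder file in the previous section and the listGroups file above. It writes and reads back the single-key KVGROUP-V2.0 list form shown on this page, checks an authorder list against the seven documented method identifiers, checks listGroups entries for the shape of an Okta group id, and reproduces the presentation rule for users who have enrolled more methods than the list names. The KVGROUP layout is taken from the two files on this page; the assumption that an Okta group id is a 20-character string beginning with "00g" is drawn only from the sample values here, and the method ordering helper is this example's own illustration of the described behaviour.

```python
import re

HEADER = "# KVGROUP-V2.0"
# The seven method identifiers the page lists for authorder.
ALLOWED_METHODS = ["token:okta", "push:okta", "sms:okta", "call:okta",
                   "token:google", "token:yubico", "question:okta"]
# Assumption: Okta group ids are 20-character strings beginning with "00g",
# as in the sample values on this page; this is a sanity check, not an Okta API rule.
OKTA_GROUP_ID = re.compile(r"^00g[A-Za-z0-9]{17}$")


def render_kvgroup(key, values):
    """Write a single-key list in the form shown on this page."""
    lines = [HEADER, f"{key} = {{"]
    for value in values:
        if any(ch in value for ch in '";\n'):
            raise ValueError(f"value cannot contain quotes, ';' or newlines: {value!r}")
        lines.append(f'    "{value}";')
    lines.append("};")
    return "\n".join(lines) + "\n"


def parse_kvgroup(text, key):
    """Read back the list for `key`; accepts the multi-line file and a one-line form."""
    text = text.strip()
    if not text.startswith(HEADER):
        raise ValueError("missing KVGROUP-V2.0 header")
    body = " ".join(text[len(HEADER):].split())
    name, sep, rest = body.partition("=")
    if not sep or name.strip() != key:
        raise ValueError(f"expected a {key} = {{ ... }} block")
    start, end = rest.find("{"), rest.rfind("}")
    if start < 0 or end < start:
        raise ValueError("unbalanced braces")
    values = []
    for item in rest[start + 1:end].split(";"):
        item = item.strip()
        if not item:
            continue
        if len(item) < 2 or item[0] != '"' or item[-1] != '"':
            raise ValueError(f"unquoted or malformed value: {item!r}")
        values.append(item[1:-1])
    return values


def validate_authorder(methods):
    """Report entries that are not a documented method identifier, and duplicates."""
    problems, seen = [], set()
    for m in methods:
        if m not in ALLOWED_METHODS:
            problems.append(f"unknown method {m!r}")
        elif m in seen:
            problems.append(f"duplicate method {m!r}")
        seen.add(m)
    return problems


def validate_list_groups(group_ids):
    """Report entries that do not look like Okta group ids (e.g. a group name pasted by mistake)."""
    return [g for g in group_ids if not OKTA_GROUP_ID.match(g)]


def present_methods(user_methods, authorder):
    """Order a user's enrolled methods as the page describes: the configured order
    first (only the methods the user has), then any remaining enrolled methods."""
    listed = [m for m in authorder if m in user_methods]
    rest = [m for m in user_methods if m not in authorder]
    return listed + rest


if __name__ == "__main__":
    print(render_kvgroup("authorder", ALLOWED_METHODS))
    print(render_kvgroup("listGroups", ["00gsgzwclwX8C0N8y0h7", "00gsgzrb307bEbLSk0h7"]))
```

Running render_kvgroup("authorder", ALLOWED_METHODS) reproduces the authorder file above; feeding a file through parse_kvgroup and then validate_authorder or validate_list_groups catches a misspelt method or a group name before the connector silently lists nothing.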
Filter for listing users
You can restrict Bravura Security Fabric to list only those users who match the search criteria defined in the Filter for listing users field.
The search criteria are defined with the Okta-supported user attributes (properties) outlined in the following documentation:
https://developer.okta.com/docs/reference/api/users/#list-users-with-a-filter
https://developer.okta.com/docs/reference/api/users/#list-users-with-search
Start the search criteria with the keyword "filter=" or "search=". For example, setting Filter for listing users to either
filter=status eq "ACTIVE"
or
search=status eq "ACTIVE"
results in the same set of users being listed from the Okta target system.
Note
Use only Okta-supported account attributes (properties) in the search criteria and follow the Okta expression syntax exactly; an invalid statement may result in no users being listed.
Custom search expression for filtering groups
You can restrict Bravura Security Fabric to list only those groups that match the search criteria defined in the Custom search expression for filtering groups field.
The search criteria are defined with the Okta-supported group attributes (properties), which are outlined in the following:
Start the search criteria with the keyword "type". For example, setting Custom search expression for filtering groups to the following:
type eq "OKTA_GROUP"
results in only the groups that were created within Okta being listed from the Okta target system.
Note
Use only Okta-supported group attributes (properties) in the search criteria and follow the Okta expression syntax exactly; an invalid statement may result in no groups being listed.
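The Python below is an added example, not Bravura Security's own code, for both the user filter and the group filter sections. It splits a Filter for listing users value into its "filter=" / "search=" keyword and expression, checks each clause of a user or group expression against the attribute and operator names the linked Okta references document, and shows the Users and Groups API URLs such a value turns into (with the Records per page value as the limit parameter). The attribute sets and operator list are this example's reading of the Okta references and may be extended by Okta; the hostname dev-123456.okta.com is constructed; the SSWS authorization header is Okta's documented scheme for API tokens, and how the connector itself forms its requests is not described on this page.

```python
import re
from urllib.parse import quote, urlencode

# Assumption: attributes the Okta Users API documents as usable with "filter=";
# the "search=" form additionally accepts any profile.* attribute. Okta may extend these.
USER_FILTER_ATTRS = {"status", "lastUpdated", "id", "profile.login", "profile.email",
                     "profile.firstName", "profile.lastName", "type.id"}
GROUP_FILTER_ATTRS = {"type", "id", "lastUpdated", "lastMembershipUpdated"}
# One clause: attribute, operator, and (except for "pr") a double-quoted operand.
CLAUSE = re.compile(r'^([A-Za-z][\w.]*)\s+(eq|ne|gt|ge|lt|le|sw|co|pr)(?:\s+"([^"]*)")?$')


def split_user_filter(value):
    """Split the page's 'filter=<expr>' or 'search=<expr>' value into (query parameter, expression)."""
    keyword, sep, expr = value.partition("=")
    keyword, expr = keyword.strip().lower(), expr.strip()
    if not sep or keyword not in ("filter", "search") or not expr:
        raise ValueError('value must start with "filter=" or "search="')
    return keyword, expr


def check_expression(expr, attrs, allow_profile=False):
    """Check each clause of an 'A and B or C' expression for a known attribute and operator.

    Returns a list of problems (empty means the expression looks valid). Operands that
    themselves contain ' and ' / ' or ' are not supported by this simple splitter.
    """
    problems = []
    for clause in re.split(r"\s+(?:and|or)\s+", expr):
        clause = clause.strip().strip("()").strip()
        m = CLAUSE.match(clause)
        if not m:
            problems.append(f"malformed clause: {clause!r}")
            continue
        attr, op, operand = m.groups()
        if (op == "pr") == (operand is not None):
            problems.append(f"operator {op} and operand do not match in {clause!r}")
        if attr not in attrs and not (allow_profile and attr.startswith("profile.")):
            problems.append(f"attribute {attr!r} is not filterable here")
    return problems


def list_users_url(base_url, value, limit=200):
    """Users API URL for a Filter for listing users value; limit mirrors Records per page."""
    keyword, expr = split_user_filter(value)
    problems = check_expression(expr, USER_FILTER_ATTRS, allow_profile=(keyword == "search"))
    if problems:
        raise ValueError("; ".join(problems))
    return f"{base_url}/api/v1/users?" + urlencode({keyword: expr, "limit": limit}, quote_via=quote)


def list_groups_url(base_url, expr, limit=200):
    """Groups API URL for a Custom search expression for filtering groups value."""
    problems = check_expression(expr, GROUP_FILTER_ATTRS)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{base_url}/api/v1/groups?" + urlencode({"filter": expr, "limit": limit}, quote_via=quote)


def auth_headers(api_token):
    """Headers Okta requires when authenticating with an API token (the SSWS scheme)."""
    return {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}


if __name__ == "__main__":
    base = "https://dev-123456.okta.com"   # constructed example hostname
    print(list_users_url(base, 'filter=status eq "ACTIVE"'))
    print(list_groups_url(base, 'type eq "OKTA_GROUP"'))
    print(check_expression('statu eq "ACTIVE"', USER_FILTER_ATTRS))
```

Because an invalid expression makes Okta return no users or groups rather than an error the connector surfaces, running check_expression on a new filter value before saving it is the quickest way to catch a misspelt attribute such as statu or an unquoted operand.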