
Targeting the Okta system

For each Okta system, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):

  • Type is Okta.

  • Address uses the following options:

    Table 1. Okta address configuration

    Options marked [required] must be set.

    Server [required] (key: server)
      The DNS domain name of the web server for the Okta instance.

    Port (key: port)
      Default is 443.

    Connection over SSL (key: ssl)
      Select to enforce SSL connections. Default is "true".

    Validate the server’s certificate when connecting (key: checkCert)
      Determines whether to validate the server’s security certificate for SSL connections. Default is "true".

    HTTP Network Proxy (key: proxy)
      Specifies a proxy URL to use for connecting.

    Timeout for connection (in seconds) (key: timeout)
      Amount of time the connector will wait for a response. Default: 60.

    Authentication methods order (key: authorder)
      Specify the order in which the multifactor authentication methods are presented to an Okta user for challenge-response authentication.

    Groups to list users from (key: listGroups)
      List only those users who exist in one or more of the given groups.

    Records per page (key: pagesize)
      Affects the number of records returned during listing. Default: 200.

    Filter for listing users (key: filter)
      List all users that match the filter criteria.


The Okta target system address syntax is as follows:

 {server=(<the web server for the Okta instance>);
 [port=<port number>;]
 [proxy=<proxy server>;]
 [ssl=<true|false>;]
 [checkCert=<true|false>;]
 [filter=<filter|search>=<search criteria>;]
 }

The full list of target system parameters is explained here.
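As an added example (not Bravura Security's own code), the following Python parses an Okta target address string in the syntax above, fills in the defaults from Table 1, and reports the settings a reviewer should flag (a missing server, a non-numeric port, ssl or checkCert turned off, a filter without its "filter=" or "search=" prefix). Stripping parentheses around the server value is this example's assumption about the syntax template.

```python
import re

# Option keys and defaults as documented in Table 1; "server" is the only required key.
REQUIRED_KEYS = {"server"}
DEFAULTS = {"port": "443", "ssl": "true", "checkCert": "true",
            "timeout": "60", "pagesize": "200"}


def parse_okta_address(address: str) -> dict:
    """Parse '{key=value;key=value;...}' into a dict.

    Each item is split on its first '=' only, so a filter option such as
    'filter=search=status eq "ACTIVE"' keeps its 'search=' prefix intact.
    """
    body = address.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("address must be enclosed in braces")
    config = {}
    for item in body[1:-1].split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"option without a value: {item!r}")
        value = value.strip()
        # Assumption: parentheses around the server value are decoration.
        if value.startswith("(") and value.endswith(")"):
            value = value[1:-1]
        config[key.strip()] = value
    return config


def check_okta_address(config: dict) -> list:
    """Fill in documented defaults and return a list of findings for a reviewer."""
    findings = []
    for key in REQUIRED_KEYS - set(config):
        findings.append(f"missing required option: {key}")
    for key, default in DEFAULTS.items():
        config.setdefault(key, default)
    if not config["port"].isdigit():
        findings.append(f"port is not numeric: {config['port']!r}")
    if config["ssl"].lower() != "true":
        findings.append("ssl=false: the connection to Okta is not encrypted")
    if config["checkCert"].lower() != "true":
        findings.append("checkCert=false: the Okta server certificate is not validated")
    if "filter" in config and not re.match(r"(filter|search)=", config["filter"]):
        findings.append("filter must start with 'filter=' or 'search='")
    return findings
```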

Setting the administrator credentials

Bravura Security Fabric uses designated accounts configured for the Okta server to perform Bravura Security Fabric operations.

Set the Administrator ID and Password to the credentials for the Okta API Token as configured for the Okta server.

Setting the order for the Okta authentication methods

The Authentication methods order option may be used to specify the order for the list of the multifactor authentication methods that are presented to an Okta user for challenge response authentication.

The order may be specified by either a list on the target address configuration page or from a file.

When choosing the list option, these fields accept multiple values. To enter multiple values, select List from the drop-down list box displayed in front of the field, and use the More button to add an input box for each additional value. The value in each input box is treated as a single value, for example:

  • token:okta

  • push:okta

  • sms:okta

  • call:okta

  • token:google

  • token:yubico

  • question:okta

These values represent the following multifactor authentication methods:

  • Passcode from the Okta Verify mobile app

  • Push notification to accept or deny from the Okta Verify mobile app

  • SMS text message for a passcode

  • Phone call to authenticate from a key press

  • Passcode from the Google Authenticator mobile app

  • Yubikey token via Okta

  • Okta security questions

There is also an option to specify the authentication order in a file. To use the file, select the File option from the drop-down list and specify the file name in the field.

The file must be located in the \<instance>\script\ directory and contain a list of the authentication order for the Okta multifactor authentication methods.

To specify the authentication order:

   # KVGROUP-V2.0
   authorder = {
      "token:okta";
      "push:okta";
      "sms:okta";
      "call:okta";
      "token:google";
      "token:yubico";
      "question:okta";
   };

The list of the multifactor authentication methods may be modified to re-order how they are presented to a user for challenge response authentication.

If the user has more multifactor authentication methods than are listed in the authentication methods order, the listed methods are shown to the user first, in the configured order, and the user's remaining methods are shown directly underneath them.

Targeting groups

You can restrict Bravura Security Fabric to list only those users who exist in one or more named groups.

To do this, on the Target system address configuration page, specify Groups to list users from.

This field accepts multiple values. To enter multiple values, select List from the drop-down list box displayed in front of the field, and use the More button to add an input box for each additional value. The value in each input box is treated as a single value, for example:

  • 00gsgzwclwX8C0N8y0h7

  • 00gsgzrb307bEbLSk0h7

  • 00gsh14zcacEBVtVV0h7

  • 00gsh18jnnIx8sIlS0h7

    Note

    The value to specify in these fields is the long id value of an Okta group.

If there are many groups to list, there is an option to include all groups in a file. To use the file, select the File option from the drop-down list and specify the file name in the field.

This file must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and contain the list of groups to list users from.

For listing users from groups:

   # KVGROUP-V2.0
   listGroups = {
     "00gsgzwclwX8C0N8y0h7";
     "00gsgzrb307bEbLSk0h7";
     "00gsh14zcacEBVtVV0h7";
     "00gsh18jnnIx8sIlS0h7";
   };
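As an added example (not Bravura Security's own code), this Python reads the quoted list from an authorder or listGroups file in the format shown above and applies the ordering rule described for the authentication methods order. The sample file content is constructed, the header check and regular expression are this example's own assumptions about the file layout (it handles only the list-of-strings form shown on this page), and it assumes a configured method the user has not enrolled in is simply not shown.

```python
import re

# Constructed sample of an authorder file in the format shown above; the same
# parser reads a listGroups file, which differs only in its key and values.
AUTHORDER_FILE = """# KVGROUP-V2.0
authorder = {
   "token:okta";
   "push:okta";
   "sms:okta";
};
"""


def parse_kvgroup_list(text: str, key: str) -> list:
    """Return the quoted values of a 'key = { "a"; "b"; };' block.

    Assumption: the file starts with the '# KVGROUP-V2.0' header and the
    block for `key` closes at the first '}' after it.
    """
    if not text.lstrip().startswith("# KVGROUP-V2.0"):
        raise ValueError("missing '# KVGROUP-V2.0' header line")
    block = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*\{(.*?)\}",
                      text, re.S | re.M)
    if block is None:
        raise KeyError(f"no '{key}' block in file")
    # Each value is a double-quoted string terminated by ';'.
    return re.findall(r'"([^"]*)"\s*;', block.group(1))


def order_methods(configured: list, user_methods: list) -> list:
    """Apply the ordering rule described above.

    Configured methods the user has enrolled come first, in the configured
    order; the user's remaining methods follow in their original order.
    """
    enrolled = set(user_methods)
    first = [m for m in configured if m in enrolled]
    rest = [m for m in user_methods if m not in first]
    return first + rest
```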

Filter for listing users

You can restrict Bravura Security Fabric to list only those users who match the search criteria defined in the Filter for listing users field.

The search criteria can be defined with Okta-supported account attributes (properties), which are outlined in the following Okta documentation:

https://developer.okta.com/docs/reference/api/users/#list-users-with-a-filter

https://developer.okta.com/docs/reference/api/users/#list-users-with-search

Start the search criteria with the keyword "filter=" or "search=". For example, setting Filter for listing users to either filter=status eq "ACTIVE" or search=status eq "ACTIVE" results in the same set of users being listed from the Okta target system.

Note

Use only Okta-supported account attributes (properties) in the search criteria and follow the Okta syntax; an invalid statement may result in no users being listed.

Custom search expression for filtering groups

You can restrict Bravura Security Fabric to list only those groups that match the search criteria defined in the Custom search expression for filtering groups field.

The search criteria can be defined with Okta-supported group attributes (properties), which are outlined in the following:

Start the search criteria with a keyword of "type". For example, setting Custom search expression for filtering groups to the following:

type eq "OKTA_GROUP"

results in only the groups that were created within Okta being listed from the Okta target system.

Note

Use only Okta-supported group attributes (properties) in the search criteria and follow the Okta syntax; an invalid statement may result in no groups being listed.