-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update Okta integration docs with resource sets details (#48935)
- Loading branch information
Showing
1 changed file
with
48 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,30 +1,66 @@ | ||
Okta API tokens inherit the permissions of the user who created them. These can | ||
be controlled by using [custom admin roles](https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm) | ||
Okta API tokens inherit the permissions of the user who created them. These permissions can be | ||
controlled by using [custom admin | ||
roles](https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm) | ||
and assigning them to a user who will then create the API token. We recommend | ||
creating a user dedicated to the Teleport Okta API service to manage this token. | ||
|
||
The permissions required are: | ||
### Custom role | ||
|
||
### User permissions | ||
The user should have a [custom admin | ||
role](https://help.okta.com/en-us/content/topics/security/custom-admin-role/create-role.htm) | ||
assigned with those minimal permissions: | ||
|
||
**User permissions** | ||
|
||
- View users and their details | ||
- Edit users' group membership | ||
- Edit users' application assignments | ||
|
||
### Group permissions | ||
**Group permissions** | ||
|
||
- Manage groups | ||
|
||
### Application permissions | ||
**Application permissions** | ||
|
||
- Add and configure applications (only required for installation) | ||
- View applications and their details | ||
- Edit application's user assignments | ||
|
||
Additionally, the resource set associated with the target user must have | ||
unconstrained access to Users, Applications, and Groups. | ||
### Group Membership Admin role | ||
|
||
The user should also have built-in ["Group Membership | ||
Admin"](https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm#APItokens) | ||
role assigned to be able to create the API token. **Once API token is created this role can be | ||
unassigned.** | ||
|
||
### Resource sets (optional) | ||
|
||
If it's desired to limit the Okta integration to a subset of Group and Application resources, [Okta | ||
resource | ||
sets](https://help.okta.com/en-us/content/topics/security/custom-admin-role/create-resource-set.htm) | ||
can be used. | ||
|
||
For the resource set to be effective **the user has to have "Group Membership Admin" role | ||
unassigned** and the resource set should be associated with the custom role created earlier. | ||
|
||
There is a set to rules that have to be followed when using Okta resource sets. | ||
|
||
**Application resources rules:** | ||
|
||
- During the integration enrolment "All applications" has to be selected. This is because Teleport | ||
will try to create a new SAML application or validate the existing one. | ||
- After the integration enrolment is complete, resource set can be limited to a subset of | ||
Applications, but **extra care has to be taken that "Teleport $cluster" application is included** | ||
in the subset. Otherwise Teleport won't be able to synchronize users. | ||
|
||
**Groups resources rules:** | ||
|
||
- If a subset of groups is selected Teleport won't be able to assign ["Everyone" built-in | ||
group](https://support.okta.com/help/s/article/The-Everyone-Group-in-Okta?language=en_US) to the | ||
"Teleport $cluster" application. **In this case "Everyone" built-in group has to be manually | ||
assigned to "Teleport $cluster" SAML application.** Otherwise Teleport won't be able to | ||
synchronize users. | ||
|
||
**Users resource rules:** | ||
|
||
One caveat here is that it's impossible to assign API token creation permissions to a | ||
custom role. However, the Okta built in role "Group Membership Admin" has permissions | ||
to create an API token. See more information about built in roles | ||
[here](https://help.okta.com/en-us/Content/Topics/Security/administrators-admin-comparison.htm). | ||
- Users resources must not be restricted by resource set. "All users" should be selected. |