Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[v17] Update Okta integration docs with resource sets details #49011

Merged
merged 1 commit into from
Nov 15, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 48 additions & 12 deletions docs/pages/includes/okta-permissions.mdx
Original file line number Diff line number Diff line change
@@ -1,30 +1,66 @@
Okta API tokens inherit the permissions of the user who created them. These can
be controlled by using [custom admin roles](https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm)
Okta API tokens inherit the permissions of the user who created them. These permissions can be
controlled by using [custom admin
roles](https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-creating-custom-admin-roles.htm)
and assigning them to a user who will then create the API token. We recommend
creating a user dedicated to the Teleport Okta API service to manage this token.

The permissions required are:
### Custom role

### User permissions
The user should have a [custom admin
role](https://help.okta.com/en-us/content/topics/security/custom-admin-role/create-role.htm)
assigned with those minimal permissions:

**User permissions**

- View users and their details
- Edit users' group membership
- Edit users' application assignments

### Group permissions
**Group permissions**

- Manage groups

### Application permissions
**Application permissions**

- Add and configure applications (only required for installation)
- View applications and their details
- Edit application's user assignments

Additionally, the resource set associated with the target user must have
unconstrained access to Users, Applications, and Groups.
### Group Membership Admin role

The user should also have built-in ["Group Membership
Admin"](https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm#APItokens)
role assigned to be able to create the API token. **Once API token is created this role can be
unassigned.**

### Resource sets (optional)

If it's desired to limit the Okta integration to a subset of Group and Application resources, [Okta
resource
sets](https://help.okta.com/en-us/content/topics/security/custom-admin-role/create-resource-set.htm)
can be used.

For the resource set to be effective **the user has to have "Group Membership Admin" role
unassigned** and the resource set should be associated with the custom role created earlier.

There is a set to rules that have to be followed when using Okta resource sets.

**Application resources rules:**

- During the integration enrolment "All applications" has to be selected. This is because Teleport
will try to create a new SAML application or validate the existing one.
- After the integration enrolment is complete, resource set can be limited to a subset of
Applications, but **extra care has to be taken that "Teleport $cluster" application is included**
in the subset. Otherwise Teleport won't be able to synchronize users.

**Groups resources rules:**

- If a subset of groups is selected Teleport won't be able to assign ["Everyone" built-in
group](https://support.okta.com/help/s/article/The-Everyone-Group-in-Okta?language=en_US) to the
"Teleport $cluster" application. **In this case "Everyone" built-in group has to be manually
assigned to "Teleport $cluster" SAML application.** Otherwise Teleport won't be able to
synchronize users.

**Users resource rules:**

One caveat here is that it's impossible to assign API token creation permissions to a
custom role. However, the Okta built in role "Group Membership Admin" has permissions
to create an API token. See more information about built in roles
[here](https://help.okta.com/en-us/Content/Topics/Security/administrators-admin-comparison.htm).
- Users resources must not be restricted by resource set. "All users" should be selected.
Loading