Skip to content

Okta Connector

The Okta connector pulls identity posture data from your Okta tenant and enriches the digital twin with verified user, MFA, and SSO intelligence.

What It Provides

Data Description
Users Full user inventory with status (active, suspended, deprovisioned)
MFA Factors MFA enrollment per user — factor type (push, TOTP, SMS, hardware key), enrollment status
SSO Applications Application catalog with assignment counts and sign-on modes
Security Logs Authentication events, failed logins, MFA challenges, admin actions, policy violations

Twin Enrichment

After a sync, the twin gains:

  • MFA coverage percentage with breakdown by factor type (verified confidence)
  • Privileged user identification based on admin roles and group memberships
  • SSO application inventory — what is federated vs. password-based
  • Security events created from Okta log entries (failed authentications, suspicious activity)
  • Gaps identified — users without MFA, stale accounts, weak factor types

Setup

Prerequisites

  • Okta admin access to create an API token
  • API token with okta.users.read, okta.apps.read, okta.logs.read scopes

3-Step Setup

Navigate to Integrations and click the Okta card.

Step 1 — Configure: 

Okta Domain: your-org.okta.com
API Token: 00abc...

Step 2 — Test: Click "Test Connection" to verify API access.

Step 3 — Sync: Click "Sync Now" to pull data.

okta_status()          # Check if configured
okta_sync(             # Pull data
  sync_logs=true,
  sync_users=true,
  sync_apps=true,
  hours_back=24
)

Sync Options

Parameter Default Description
sync_logs true Pull security event logs
sync_users true Pull user inventory with MFA factors
sync_apps true Pull SSO application catalog
hours_back 24 How many hours of logs to retrieve

First sync

On your first sync, consider setting hours_back to a larger value (e.g., 168 for one week) to establish a baseline of security events.

What Gets Created

After sync, the twin contains:

  • Twin facts: tool:okta (verified), mfa_coverage:87% (verified), sso_apps:40 (verified)
  • Security events: one per notable Okta log entry
  • Profile enrichment: identity posture section updated

The intelligence loop triggers automatically, reindexing the twin and making all new data queryable.

Entra ID · Connectors Overview