Parsers and collectors / Collectors / Okta collectors / Okta collector

Okta collector

Service description

The Okta Resources API is used for gaining insights on content management of activities from your organization or company. Okta Resources APIs generate system logs and other events in real-time.

Data source description

You can use the Okta collector to send this information to your Devo domain. Once the gathered information arrives at Devo it will be categorized in different tables in your domain, as you can check in the following table.

Okta services

Listed in the table below are some service names, details, and how the Devo platform treats the data.

Services	Description	Devo data tables
Apps	Application API provides operations to manage applications and/or assignments to users or groups for your organization.	auth.okta.apps
Client Application	The Dynamic Client Registration API provides operations to register and manage client applications to be used with Okta's OAuth 2.0 and OpenID Connect endpoints.	auth.okta.clients
Groups	Groups API provides operations to manage Okta groups and their user members for your organization.	auth.okta.groups
IDPS	Identity Providers API provides operations to manage federations with external Identity Providers (IDP). For example, your app can support logging in with credentials from Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (OIDC) protocol.	auth.okta.idps
System Logs	System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. Often the terms "event" and "log event" are used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system and "log" or "log event" is the recorded fact.	auth.okta.system
Users	User API provides operations to manage users in your organization.	auth.okta.users
Zones	Zones API provides operations to manage zones in your organization. Zones may be used to guide policy decisions.	auth.okta.zones

The System Log API will eventually replace the Events API. It contains much more structured data.

For more references about Okta Resources API, visit the Okta API Reference.

Setup

Getting Okta credentials

Visit Developer Okta to create an api_token and get the okta_url.
Log in with your company credentials (or sign up for a free developer account)
Click Dashboard and save the okta_url that is displayed on the top right corner (it will be used later in the config file).
On the top menu, go to API → Tokens.
Click Create Token and enter a name for your token in the window that appears, which will be used for tracking API calls. Click Create Token.
Copy your token and click OK, got it. Note that the token will be only displayed here, so don't forget to copy it. Save it as api_token (it will be used later in the config file).

Run the collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure will be required as part of the setup procedure (it can be created under any directory):

<any_directory>
└── devo-collectors/
    └── okta/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        └── config/
            └── config-okta.yaml

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <any directory>/devo-collectors/okta/certs. Learn more about security credentials in Devo here.

Editing the config-okta.yaml file

In the config-okta.yaml file, replace the <okta_url_value> and <api_token_value> values and enter the ones that you got in the previous steps. In the <short_unique_identifier> placeholder, enter the value that you choose.

config-okta.yaml

globals:
  debug: false                                                    # Setup as True or False for debugging mode
  id: not_used
  name: okta
  persistence:                                                    # Persistence setup filesystem
    type: filesystem
    config:
      directory_name: state                                       # Persistence directory
outputs:
  devo_1:
    type: devo_platform
    config:
      address: collector-eu.devo.io                               # Devo platform address EU (for US use: collector-us.devo.io)
      port: 443
      type: SSL
      chain: chain.crt
      cert: <your_domain>.crt
      key: <your_domain>.key
inputs:
  okta:
    id: <short_unique_identifier>                                 # The value of this field will be used internally for having independent persistence areas
    enabled: true
    requests_per_second: 4                                        # Setting up requests per second. 4 recommended.
    autoconfig:
      enabled: true
      refresh_interval_in_seconds: 600                            # Time wait in second between execution of autoconfig - 600s recommended.
    credentials:
      okta_url: <okta_url_value>                                  # Remove Http(s) protocol of the Okta url. i.e. okta.url.com                             
      api_token: <api_token_value>                                # Paste the Okta API Token got in the "okta credentials section"
    services:                                                      
      logs:
        request_period_in_seconds: 60                             # Setting up in second often requests
      apps:
        request_period_in_seconds: 3600
      idps:
        request_period_in_seconds: 600
      zones:
        request_period_in_seconds: 3600
      users:
        request_period_in_seconds: 3600
      groups:
        request_period_in_seconds: 3600
      clients:
        request_period_in_seconds: 3600

Download the Docker image

The collector should be deployed as a Docker container. Click here to download the Docker image of the collector as a .tgz file.

Use the following command to add the Docker image to the system:

gunzip -c collector-okta-docker-image-<version>.tgz | docker load

Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <version> with a proper value.

The Docker image can be deployed on the following services:

Docker
Docker Compose

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/okta/

docker run \
--name collector-okta \
--volume $PWD/certs:/devo-collector/certs \
--volume $PWD/config:/devo-collector/config \
--volume $PWD/state:/devo-collector/state \
--env CONFIG_FILE=config-okta.yaml \
--rm 837131528613.dkr.ecr.us-east-1.amazonaws.com/collectors/okta_if:${IMAGE_VERSION:-latest}

Replace <version> with the proper version.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/okta/ directory.

docker-compose.yaml

version: '3'
services:
  collector-okta:
    image: 837131528613.dkr.ecr.us-east-1.amazonaws.com/collectors/okta_if:${IMAGE_VERSION:-latest}
    container_name: collector-okta
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/okta/ directory:

IMAGE_VERSION=<version> docker-compose up -d

Replace <version> with the proper version.

Disclaimer

The number of API requests for an organization is limited for all APIs in order to protect the service for all users. The number of Okta-generated emails that can be sent also has rate limits.

Okta has two types of API rate limits:

Org-wide rate limits that vary by API endpoint. These limits are applied on a per-minute or per-second basis, and some are also applied on a per-user basis. For example, if your org sends a request to list applications more than one hundred times in a minute, the org-wide rate limit is exceeded. These limits protect against denial-of-service attacks and help ensure that adequate resources are available for all customers.
Concurrent rate limits on the number of simultaneous transactions. For example, if you sent 77 very long-lasting requests to any API endpoint simultaneously, you might exceed the concurrent rate limit.

Okta has one type of email rate limit:

Okta-Generated Email Message Rate Limits that vary by email type. Okta enforces rate limits on the number of Okta-generated email messages that are sent to customers and customer users. For example, if the number of emails sent to a given user exceeds the per-minute limit for a given email type, subsequent emails of that type are dropped for that user until that minute elapses.

Rate limits may be changed to protect customers. We provide advance warning of changes when possible. See more information on Okta Rate Limits Page.

Activeboards

A number of predefined Activeboards that make use of the configured collectors can be downloaded here. Click here to download a preconfigured Activeboard that you can try in your Devo domain.

To instantiate them, follow these instructions:

Create a new Activeboard in your domain. Learn how to do it here.
In Edit mode, click the ellipsis button and select Edit raw configuration.
Open the downloaded file, select all the text, and copy it into the clipboard.
Paste the contents of the file in the raw editor. Make sure you replace the existing configuration completely.
Click Save changes. The Activeboard should show up immediately.

Download as PDF