Using Persona Workflows to manage Okta users & profiles

Overview

Okta is a leading identity and access management (IAM) platform used to secure workforce access to applications. Persona’s Okta marketplace integration connects to your Okta tenant so you can look up rich user profile data and take direct account actions from within Persona Workflows.

This integration helps Compliance, IT, and People Ops teams move faster by syncing key attributes (including custom profile fields) and automating account lifecycle actions like resetting MFA factors or suspending/unsuspending users without switching tools.

Benefits

Unified Employee Context: Surface Okta profile attributes (including custom fields like legal name or date of birth) in Persona to reduce manual lookups and mismatches.

Reduced Manual Work: Replace repetitive admin tasks with reusable workflows that run consistently and at scale.

Fewer Verification Hurdles: Automatically use the correct identity information (e.g., legal name vs. preferred name) from Okta to increase verification success and reduce manual fixes.

Integration Features

Persona’s Okta integration supports real-time data retrieval and direct account actions to power secure, two-way workflows between Persona and Okta.

  • Retrieve User Profile: Look up an Okta user and return standard and custom attributes to enrich Persona Workflows and Cases.
  • Update User: Updates a user's profile or credentials.
  • Reset All MFA Factors: Remove all enrolled authenticators for a user so they must re-enroll at next sign-in—useful after high-risk events.
  • Suspend User: Temporarily disable access for an Okta user while an investigation is ongoing.
  • Unsuspend User: Restore access for a previously suspended user once they are cleared.

Setting up the Okta integration

Prerequisites

To set up the Okta integration, ensure you have:

  • Admin access to your Okta account.
  • Necessary API permissions to access Okta credentials.

Setting up the Okta Credentials

You can connect Okta to Persona using an Okta API Service or an Okta API key. See the FAQs for more information on which authentication method to choose.

Option A: Connect via API Service

Follow these steps to set up the Private Key JWT Authentication method. All steps are required in order for the authentication to function properly, so please take care to ensure each step is followed exactly.

  1. In Okta Admin, create an API Services app by navigating to Applications > Create App Integration > API Services.
    • Copy the generated Client ID to your clipboard.
  2. In the Persona Dashboard, navigate to Integrations > Marketplace > Okta.
    • Click + Add Credential. Select Okta API Service.
    • Select the appropriate Server, and fill out the nickname, subdomain, and the Client ID you copied in Step 1.
    • Save. The credential row in the table should now display a JWKS URL column with a copyable value.
  3. Return to the API Service you created in Step 1 in Okta Admin.
    • Under the Public Keys section for Configuration, click Edit. Select the “Use a URL to fetch keys dynamically” option.
    • Paste the JWKS URL from Step 2 into the “Url” field. Click Save.
    • Under the Client Credentials section, click Edit. Select the “Public key / Private key” option for the "Client authentication" field. Click Save.
    • Under the General Settings section, click Edit.
    • Uncheck the “Require Demonstrating Proof of Possession (DPoP) header in token requests” checkbox. Click Save.
  4. Navigate to the "Okta API Scopes" tab and grant required scopes.
    • IMPORTANT: Persona's Okta integration can perform high-risk operations, including pulling sensitive information from Okta and affecting end users' ability to access their accounts. To follow least-privilege principles, enable only the scopes your API service actually requires. Use the table below to identify which scopes correspond to the endpoints you're using.

      Okta API Scope                                   Affected Okta API Endpoints
      okta.users.read (Read User's Info)               List all users; Retrieve a user; List all groups for a user
      okta.users.manage (Manage User's Info)           Update a user; Activate a user; Deactivate a user; Reactivate a user; Reset all factors for a user; Suspend a user; Unlock a user account; Unsuspend a user; Generate a temporary access code for a user
      okta.authenticators.read (Read Authenticators)   List all authenticators; Retrieve an authenticator
    • Once you determine which scopes are required, ensure “Granted” is checked for each scope.

  5. Create a Role and Resource Set for your API Service. This will control what capabilities your Okta integration has.
    • Navigate to Security > Administrators.
    • Click on the "Roles" tab and click "Create new role".
    • Set "Role name" to "Persona Okta Integration Role" or a similar title.
    • Grant permissions based on the endpoints you’re using. Only grant the permissions that your integration use case actually requires. Use the table below to identify which permissions correspond to the endpoints you're using.

      Okta API Endpoint                             Required Role Permissions
      List all users                                User > View users and their details, or Edit users’ profile attributes
      Retrieve a user                               User > View users and their details, or Edit users’ profile attributes
      Update a user                                 User > Edit users’ profile attributes
      Activate a user                               User > Edit users’ lifecycle states > Activate users
      Deactivate a user                             User > Edit users’ lifecycle states > Deactivate users
      Reactivate a user                             User > Edit users’ lifecycle states > Activate users
      Reset all factors for a user                  User > Reset users’ authenticators
      Suspend a user                                User > Edit users’ lifecycle states > Suspend users
      Unlock a user account                         User > Edit users’ lifecycle states > Unlock users
      Unsuspend a user                              User > Edit users’ lifecycle states > Unsuspend users
      List groups for a user                        User > View users and their details; Group > View groups and their details
      List all authenticators                       None
      Retrieve an authenticator                     None
      Generate a temporary access code for a user   User > Edit users’ authenticator operations > Manage user’s temporary access code
    • Click on the "Resources" tab and click "Create new resource set."
    • Set "Name" to "Persona Okta Integration Resource Set" or a similar title.
    • Click + Add resource. Search for "Users" and select "All users".
    • Navigate back to your application at Applications > Applications. Click on the "Admin roles" tab and click "Edit assignments". Select your new "Persona Okta Integration Role" role and "Persona Okta Integration Resource Set" resource set. Save your changes.

  6. After connecting, click Test in the Persona dashboard to verify the credential is working.

Option B: Connect via API key

  1. Create an API token in Okta Admin.
    • Navigate to Security > API > Tokens > Create Token.
    • Copy the provided API token.
    • Note: The terms API keys and API tokens are used interchangeably in this context.
  2. Add the API token as a credential in Persona.
    • Navigate to Persona Dashboard > Integrations > Marketplace > Okta > Add Credential > Okta API Key Credential.
    • Enter your Okta subdomain, provide a nickname for the credential, and paste the token.
  3. After connecting, click Test to verify the credential is working.

Persona does not support OAuth 2.0 for our Okta integration. Okta OAuth 2.0 credentials have a maximum, non-extendable lifetime of 90 days, making them inappropriate for long-lived integrations. This authorization scheme is not intended for machine-to-machine communication, and results in integration errors.

Using the Okta integration in a workflow

  1. Create a new workflow, or open an existing workflow you’d like to update.
  2. Add a new Action step > Integrations.
  3. Select the Okta integration and choose your Okta credential.
  4. Configure the inputs (e.g., user identifier, action to perform) and map outputs to Persona fields as needed.
  5. Save and publish the workflow.

Okta Operations Overview

In addition to syncing field values, Persona can retrieve user profiles, reset MFA factors, and suspend or unsuspend users using Okta’s API. These actions support seamless two-way workflows, letting teams manage investigations without switching platforms. See below for a comprehensive list of available Workflow Action steps and possible configurations for the Okta integration:

Retrieve a user

Fetches an Okta user’s profile to populate Workflow variables in Persona.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to retrieve.

Update a user

Updates an Okta user's profile or credentials. This can be used to reset the user's password.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to reset.
    • Request body including attributes to update. Refer to Okta's documentation for information about the request body schema.

Activate a user

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to activate.

Deactivate a user

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to deactivate.

Reactivate a user

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to reactivate.

Reset all factors for a user

Removes all enrolled MFA authenticators for the specified user, requiring them to re-enroll on next sign-in. This is commonly used when a high-risk event occurs or when devices are suspected to be compromised.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to reset.

Suspend a user

Temporarily disables a user’s access while an investigation is underway. Once suspended, the user cannot access apps protected by Okta until they are unsuspended.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to suspend.

Unlock a user account

Unlocks a user who is locked out or unlocks an active user that’s blocked from unknown devices. Unlocked users have an ACTIVE status and can sign in with their current password.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to unlock.

Unsuspend a user

Restores access for a user who was previously suspended. Provide the user identifier to return the user to an active state and re-enable access according to your Okta policies. This action is typically used after an investigation concludes or when false positives are resolved, ensuring minimal disruption to legitimate users.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to unsuspend.

List groups for a user

Lists all groups of which the user is a member.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user.

FAQs

When should I use an API service vs. an API key?

An API service is a service account intended for service-to-service communications. API service credentials are exchanged via Private Key JWT authentication, providing greater security over API keys. Capabilities are configured on the service itself, and are not tied to a specific Okta user.

An API key is a unique, secret code used by applications to access an API. An API key is like a master key you generate in Okta and give to Persona. The capabilities of an API key are tied to those of the issuing Okta user, and will stop working if the issuing user is deactivated.

Persona recommends using API services for our Okta integration and only recommends using API keys for testing purposes. Okta API services provide durable credentials whose capabilities are not tied to a specific user account, resulting in a more robust, secure, and manageable integration. On the other hand, API keys have a weaker security profile: whoever holds the key can make requests to Okta on your behalf, usually with broad permissions.

What happens when I reset all factors?

All MFA enrollments for the user are cleared. The user will be prompted to re-enroll factors on next sign-in in accordance with your Okta policies.
