Okta integration overview

Overview

Okta is a leading identity and access management (IAM) platform used to secure workforce access to applications. Persona’s Okta marketplace integration connects to your Okta tenant so you can look up rich user profile data and take direct account actions from within Persona Workflows.

This integration helps Compliance, IT, and People Ops teams move faster by syncing key attributes (including custom profile fields) and automating account lifecycle actions like resetting MFA factors or suspending/unsuspending users without switching tools.

Benefits

Unified Employee Context: Surface Okta profile attributes (including custom fields like legal name or date of birth) in Persona to reduce manual lookups and mismatches.

Reduced Manual Work: Replace repetitive admin tasks with reusable workflows that run consistently and at scale.

Fewer Verification Hurdles: Automatically use the correct identity information (e.g., legal name vs. preferred name) from Okta to increase verification success and reduce manual fixes.

Integration Features

Persona’s Okta integration supports real-time data retrieval and direct account actions to power secure, two-way workflows between Persona and Okta.

  • Retrieve User Profile: Look up an Okta user and return standard and custom attributes to enrich Persona Workflows and Cases.
  • Reset All MFA Factors: Remove all enrolled authenticators for a user so they must re-enroll at next sign-in—useful after high-risk events.
  • Suspend User: Temporarily disable access for an Okta user while an investigation is ongoing.
  • Unsuspend User: Restore access for a previously suspended user once they are cleared.

Setting up the Okta integration

Prerequisites

To set up the Okta integration, ensure you have:

  • Admin access to your Okta org
  • Permission to create the credential Persona will use: either an Okta API token, or an OIDC app integration with Okta API scopes granted to it

Setting up the Okta Credentials

You can connect Okta to Persona using either OAuth or API token. See the FAQs for more information on which authentication method to choose.

Option A: Connect via OAuth

  1. In Okta Admin, create an OIDC app

    • Navigate to Applications > Applications > Create App Integration
    • For sign-in method, select OIDC – OpenID Connect
    • For application type, select Web application
    • Provide a name for the app integration (e.g. “Persona OAuth application”)
    • For the sign-in redirect URLs, add https://app.withpersona.com/integrations/oauth-callback
    • Choose Skip group assignments for now
  2. Grant required Okta API scopes

    • At minimum, grant: okta.users.read (user profile and group lookups) and okta.users.manage (lifecycle actions such as suspend, unsuspend and reset factors)
    • If testing with your own user, you may also need okta.users.read.self and okta.users.manage.self
    • Ensure “Granted” is checked for each scope

    [Screenshot: Okta Marketplace Integration - OAuth Scopes]

  3. Assign the app to appropriate users or an admin group

    • Navigate to Applications > Assignments > Assign to People or Assign to Groups (e.g., Administrators)
    • Note: Any assigned user can complete the OAuth authorization in Persona, and the resulting credential can run every action allowed by the granted scopes. Assign the app only to the admins who should be able to do that.

    [Screenshot: Okta Marketplace Integration - Assign People]

  4. Add the OAuth credential in Persona

    • Navigate to Persona Dashboard > Integrations > Marketplace > Okta > Add Credential
    • Enter your Okta subdomain, provide a nickname for the credential, and paste the Client ID and Client Secret from Okta
    • Note: Use the tenant subdomain (e.g., "example" for https://example.okta.com). Do not include “-admin” (e.g., https://example-admin.okta.com).

    [Screenshot: Okta Marketplace Integration - OAuth Authorization]

  5. Authorize and test the credential

    • Complete the OAuth popup using an Okta user who has the app assigned
    • After connecting, click Test to verify the credential is working
    • Note: If you later add or change the scopes granted to the OAuth app in Okta, repeat Step 4 above so the new scopes take effect in Persona.

Option B: Connect via API key

  1. Create an API token in Okta Admin

    • Navigate to Security > API > Tokens > Create Token
    • Copy the provided API token
    • Note: The terms API keys and API tokens are used interchangeably in this context.
  2. Add the API token as a credential in Persona

    • Navigate to Persona Dashboard > Integrations > Marketplace > Okta > Add Credential > Okta API Key Credentials

    • Enter your Okta subdomain, provide a nickname for the credential, and paste the token

      [Screenshot: Okta Marketplace Integration - OAuth API Keys]

  3. After connecting, click Test to verify the credential is working

Using the Okta integration in a workflow

  1. Create a new workflow, or open an existing workflow you’d like to update.
  2. Add a new Action step > Integrations.
  3. Select the Okta integration and choose your Okta credential.
  4. Configure the inputs (e.g., user identifier, action to perform) and map outputs to Persona fields as needed.
  5. Save and publish the workflow.

Okta Operations Overview

In addition to syncing field values, Persona can retrieve user profiles, reset MFA factors, and suspend or unsuspend users using Okta’s API. These actions support seamless two-way workflows, letting teams manage investigations without switching platforms. See below for a comprehensive list of available Workflow Action steps and possible configurations for the Okta integration:

Retrieve a user

Fetches an Okta user’s profile to populate Workflow variables in Persona.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to retrieve

Activate a user

Activates a user whose Okta status is STAGED or DEPROVISIONED, starting Okta's account activation flow for them.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to activate

Deactivate a user

Deactivates a user, moving them to the DEPROVISIONED status. Okta treats this as a destructive operation: the user is deprovisioned from all assigned applications, which can destroy their data in those applications, and it cannot be undone. For a temporary hold during an investigation, use Suspend a user instead.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to deactivate

Reactivate a user

Reactivates a user whose status is PROVISIONED, restarting the activation flow for an account whose activation was never completed.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to reactivate

Reset all factors for a user

Removes all enrolled MFA authenticators for the specified user, requiring them to re-enroll on next sign-in. This is commonly used when a high-risk event occurs or when devices are suspected to be compromised.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to reset

Suspend a user

Temporarily disables a user’s access while an investigation is underway. Once suspended, the user cannot access apps protected by Okta until they are unsuspended.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to suspend

Unlock a user account

Unlocks a user who is locked out, or unlocks an active user who is blocked from unknown devices. Unlocked users have an ACTIVE status and can sign in with their current password.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to unlock

Unsuspend a user

Restores access for a user who was previously suspended. Provide the user identifier to return the user to an active state and re-enable access according to your Okta policies. This action is typically used after an investigation concludes or when false positives are resolved, ensuring minimal disruption to legitimate users.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user to unsuspend

List groups for a user

Lists all groups of which the user is a member.

Configuration Steps:

  • Provide values for required fields:
    • ID of the user
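The script below is an added example, not Persona's or Okta's code. It shows what the credential configured under Setting up the Okta Credentials and the Workflow actions listed above correspond to at Okta's Management API: the subdomain normalization the credential form needs (including rejecting the "-admin" console host), the Authorization header for each credential type (Okta's SSWS scheme for API tokens, Bearer for OAuth access tokens), and the /api/v1/users/{id} endpoints behind each action. Assumed rather than taken from the page: the list of Okta base domains, the sample user, and the fake tenant's status transitions, which approximate Okta's behaviour (for example, suspend is only accepted for an ACTIVE user) so the demo runs offline.

```python
"""Added example, not Persona's or Okta's code: what the credential rules and the
Workflow actions on this page correspond to at the Okta Management API. Assumed to
be Okta's: the SSWS (API token) and Bearer (OAuth) header schemes and the
/api/v1/users/{id} endpoints; the domain list, sample user and fake tenant are constructed."""
import json
import urllib.error
import urllib.request
from urllib.parse import quote, unquote, urlparse

OKTA_DOMAINS = ("okta.com", "oktapreview.com", "okta-emea.com")  # assumption: not exhaustive

def normalize_subdomain(value):
    """'example', 'example.okta.com' or 'https://example.okta.com/' -> 'example';
    rejects the '-admin' console host and hosts outside OKTA_DOMAINS."""
    value = value.strip().lower()
    host = (urlparse(value).hostname or "") if "://" in value else value.split("/")[0]
    sub = next((host[: -len(d) - 1] for d in OKTA_DOMAINS if host.endswith("." + d)), host)
    if "." in sub or not sub or not sub.replace("-", "").isalnum():
        raise ValueError(f"not an Okta tenant subdomain: {value!r}")
    if sub.endswith("-admin"):
        raise ValueError(f"{sub!r} is the admin console host; use {sub[:-6]!r}")
    return sub

# Workflow action on this page -> (HTTP method, path under /api/v1/users/{id}).
ACTIONS = {"retrieve": ("GET", ""), "list_groups": ("GET", "/groups")}
for _op in ("activate", "deactivate", "reactivate", "reset_factors", "suspend", "unsuspend", "unlock"):
    ACTIONS[_op] = ("POST", f"/lifecycle/{_op}")

def urllib_transport(method, url, headers):
    """Real transport: returns (status, JSON body or {}). Okta error bodies are JSON too."""
    try:
        resp = urllib.request.urlopen(urllib.request.Request(url, method=method, headers=headers), timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError is itself a readable response
    raw = resp.read()
    return resp.getcode(), (json.loads(raw) if raw else {})

class OktaUsers:
    def __init__(self, subdomain, secret, credential="oauth", transport=urllib_transport, domain="okta.com"):
        scheme = {"oauth": "Bearer", "api_token": "SSWS"}[credential]
        self.base = f"https://{normalize_subdomain(subdomain)}.{domain}/api/v1/users"
        self.headers = {"Authorization": f"{scheme} {secret}", "Accept": "application/json"}
        self.transport = transport

    def run(self, action, user_id):
        method, suffix = ACTIONS[action]
        status, body = self.transport(method, f"{self.base}/{quote(user_id, safe='')}{suffix}", self.headers)
        if status == 404:
            raise LookupError(f"no Okta user {user_id!r}")
        if status >= 400:
            raise RuntimeError(f"{action}: HTTP {status} {body.get('errorSummary', '') if isinstance(body, dict) else ''}")
        return body

# Constructed approximation of Okta's user status transitions, for the offline demo only.
TRANSITIONS = {"suspend": ({"ACTIVE"}, "SUSPENDED"), "unsuspend": ({"SUSPENDED"}, "ACTIVE"),
               "unlock": ({"LOCKED_OUT"}, "ACTIVE"), "activate": ({"STAGED", "DEPROVISIONED"}, "PROVISIONED"),
               "reactivate": ({"PROVISIONED"}, "PROVISIONED"),
               "deactivate": ({"ACTIVE", "SUSPENDED", "LOCKED_OUT", "STAGED", "PROVISIONED"}, "DEPROVISIONED")}

def make_fake_transport(users):
    """In-memory stand-in for a tenant; `users` maps Okta user id -> mutable record."""
    def transport(method, url, headers):
        if not headers.get("Authorization", "").startswith(("SSWS ", "Bearer ")):
            return 401, {"errorSummary": "Invalid token provided"}
        parts = urlparse(url).path.split("/")  # ['', 'api', 'v1', 'users', id, ...]
        user, rest = users.get(unquote(parts[4])), "/".join(parts[5:])
        if user is None:
            return 404, {"errorSummary": "Resource not found (User)"}
        if rest == "":
            return 200, {"id": parts[4], "status": user["status"], "profile": user["profile"]}
        if rest == "groups":
            return 200, [{"id": g, "profile": {"name": g}} for g in user["groups"]]
        op = rest.split("/")[1]
        if op == "reset_factors":
            user["factors"].clear()  # the user re-enrols at next sign-in
            return 200, {}
        allowed, after = TRANSITIONS[op]
        if user["status"] not in allowed:
            return 400, {"errorSummary": f"Cannot {op} a user with status {user['status']}"}
        user["status"] = after
        return 200, {}
    return transport

def demo():
    """Suspend during an investigation, clear factors, then restore access."""
    tenant = {"00u1example": {"status": "ACTIVE", "groups": ["Everyone", "Finance"], "factors": ["okta_verify", "sms"],
                             "profile": {"login": "ana@example.com", "legalName": "Ana Q. Example"}}}
    okta = OktaUsers("https://example.okta.com/", "constructed-token", "api_token", make_fake_transport(tenant))
    okta.run("suspend", "00u1example")
    okta.run("reset_factors", "00u1example")
    try:
        okta.run("suspend", "00u1example")  # rejected: the user is SUSPENDED, not ACTIVE
    except RuntimeError:
        pass
    okta.run("unsuspend", "00u1example")
    groups = [g["profile"]["name"] for g in okta.run("list_groups", "00u1example")]
    return okta.run("retrieve", "00u1example")["status"], tenant["00u1example"]["factors"], groups
```

Calling demo() walks the investigation sequence against the fake tenant and returns the user's final status, the (now empty) factor list and their groups. Against a real org you would construct OktaUsers with the default transport and either an API token ("api_token") or an OAuth access token ("oauth"); the Persona Workflow performs these same calls on your behalf, so the example is for understanding what each action does and why a second Suspend on an already suspended user fails.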

FAQs

When should I use OAuth vs. an API key?

An API key is a secret string that an application presents to call an API. In Okta, an API token inherits the permissions of the admin who created it and expires after 30 days without use, so it is like a master key you generate in Okta and hand to Persona: whoever holds it can make requests to Okta with that admin's permissions. API keys are quick to set up for service-to-service access, but they are not scoped to specific operations and must be handled carefully; if you use one, create it from a dedicated admin account with the fewest permissions the integration needs.

OAuth is an open standard authorization protocol that allows a user to grant a third-party application limited access to their resources on another service. OAuth is more like giving out temporary, scoped passes instead of the master key. In this instance, Persona will ask for specific permissions, and you will approve these in order to create the connection with Okta.

Despite being more complex to set up, OAuth is generally recommended for production use: every call is limited to the scopes you granted, and you can revoke Persona's access from the Okta app integration without rotating a shared secret. Choose which authentication method to use based on your security requirements and governance model.

What happens when I reset all factors?

All MFA enrollments for the user are cleared. The user will be prompted to re-enroll factors on next sign-in in accordance with your Okta policies.
