Okta
Discover users, groups, OAuth/OIDC apps, service accounts and admin roles. Govern non-human identities (bots, integrations, tokens) and their effective permissions across your SaaS estate.
What the connector discovers
- Users & Groups
User profiles, lifecycle state, group membership (direct/transitive), group rules, external users.
- Applications & Service Accounts
OIDC/OAuth apps, app assignments, service accounts, trusted origins, authorization servers and custom scopes.
- Roles, Grants & Admin Privileges
Org admin, app admin, custom roles, app-level grants and delegated administration.
- Policies & Factors
Password, sign-on, MFA/enrollment policies; factor configuration; IdP routing rules.
- Effective Permissions
Scope-normalized view: which agent/app can do what on which resources at the moment of action.
Okta sits at the center of identity and access. ClarioSec transforms this into **runtime governance**: drift-aware scoring, pre-execution controls, and narratives you can defend.
Drift-aware risk scoring
Baselines per app/agent; peer groups by function/team; detection of scope expansion, privilege creep and risky sequences (who → what → where → sensitivity).
Pre-execution enforcement
Allow / Alert / Block / Approve with governed overrides. Auto minimization of scopes and rotation of API tokens/secrets when thresholds are hit.
Audit-grade narratives
For each action, a narrative ties **rule → reason → proof → control map** (SOC 2, GDPR, ISO/IEC 27001 & 42001, AI Act).
Connect Okta
ClarioSec can connect via **Okta API Token** (simplest) or an **OAuth 2.0 service app** with read-only scopes.
- Option A — API Token (recommended to start)
Okta Admin Console → Security → API → Tokens → Create token. Copy the token value (shown once) and your Okta domain (e.g., https://YOURDOMAIN.okta.com).
- Option B — OAuth Service App (least privilege)
Create a service app and grant read-only scopes such as: okta.users.read, okta.groups.read, okta.apps.read, okta.roles.read, okta.policies.read, okta.logs.read.
- Add credentials in ClarioSec
In ClarioSec, open the Okta connector and paste Okta Domain + API Token (or Client ID/Secret & scopes for OAuth).
- Rate limits
ClarioSec honors Okta org rate limits and auto-batches discovery to avoid throttling.
High-value objects pulled from Okta Core & System Log:
- Users, Groups, Group Rules, Group Assignments
- Apps (OIDC/OAuth/SAML), App Assignments, Authorization Servers, Scopes
- Admin Roles & Custom Roles, App Grants, Inline/Event Hooks
- Policies: Sign-on, Password, MFA; Factors configuration
- System Log events mapped to agent actions & permission-at-time-of-action
Endpoint family: /api/v1/users, /groups, /apps, /roles, /policies, /grants, /logs, /eventHooks, /authorizationServers.
- Over-privileged service accounts
Service principals or technical users with admin roles beyond their scope.
- Stale API tokens
Tokens unused for long periods or belonging to deactivated owners.
- App grants drift
OIDC/OAuth apps silently gaining broader scopes over time.
- Weak sign-on/MFA policy edges
Exemptions and routing rules creating inconsistent protection.
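The grant checks described above (Option A connection plus the app grants drift finding), as an added example that is not ClarioSec's or Okta's own code: it fetches an app's grants with an API token sent under Okta's SSWS header scheme, then flags active scopes outside the read-only list from Option B and scopes that appeared since a baseline snapshot. The grant record shape (clientId, scopeId, status) is assumed from Okta's app grants API, and the two snapshots are constructed sample data.

```python
import json
import urllib.request

# Read-only scopes the page lists for a least-privilege OAuth service app.
READ_ONLY_SCOPES = {
    "okta.users.read", "okta.groups.read", "okta.apps.read",
    "okta.roles.read", "okta.policies.read", "okta.logs.read",
}

def fetch_grants(okta_domain, app_id, api_token):
    """Live fetch of one app's grants (Option A: the API token is sent with
    the SSWS scheme). Not called by the offline demo below."""
    url = f"https://{okta_domain}/api/v1/apps/{app_id}/grants"
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def active_scopes(grants):
    """Map clientId -> set of scopeIds whose grant status is ACTIVE.
    Record shape (clientId, scopeId, status) is assumed from the grants API."""
    out = {}
    for g in grants:
        if g.get("status") == "ACTIVE":
            out.setdefault(g["clientId"], set()).add(g["scopeId"])
    return out

def excess_scopes(grants):
    """Per client, active scopes outside the read-only allow-list."""
    return {c: sorted(s - READ_ONLY_SCOPES)
            for c, s in active_scopes(grants).items() if s - READ_ONLY_SCOPES}

def scope_drift(baseline, current):
    """Per client, scopes active now that were not active at baseline."""
    before, now = active_scopes(baseline), active_scopes(current)
    return {c: sorted(now[c] - before.get(c, set()))
            for c in now if now[c] - before.get(c, set())}

# Constructed sample snapshots: a baseline, then a later pull in which one
# client has quietly picked up a manage scope and another grant was revoked.
BASELINE = [
    {"clientId": "0oaEXAMPLE1", "scopeId": "okta.users.read", "status": "ACTIVE"},
    {"clientId": "0oaEXAMPLE1", "scopeId": "okta.groups.read", "status": "ACTIVE"},
]
CURRENT = BASELINE + [
    {"clientId": "0oaEXAMPLE1", "scopeId": "okta.users.manage", "status": "ACTIVE"},
    {"clientId": "0oaEXAMPLE2", "scopeId": "okta.apps.read", "status": "REVOKED"},
]
```

Run `scope_drift(BASELINE, CURRENT)` on the constructed snapshots to see the newly added manage scope reported for the first client; revoked grants are ignored because only ACTIVE records count.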
- Just-in-time approvals for sensitive app grants
- Automatic scope minimization and token rotation
- Owner attestations for apps and service accounts
- Audit-grade narratives mapped to SOC 2 / GDPR / ISO / AI Act
Ready to govern Okta agents at runtime?
Move from directory posture to **provable behavior** — identity → permission → action → narrative.