Okta connector for Amazon AppFlow
Okta is an identity and access management solution. If you're an Okta user, your account contains data about your Okta objects, such as your users, groups, devices and applications. You can use Amazon AppFlow to transfer data from Okta to certain AWS services or other supported applications.
Amazon AppFlow support for Okta
Amazon AppFlow supports Okta as follows.
- Supported as a data source?
Yes. You can use Amazon AppFlow to transfer data from Okta.
- Supported as a data destination?
No. You can't use Amazon AppFlow to transfer data to Okta.
Before you begin
To use Amazon AppFlow to transfer data from Okta to supported destinations, you must meet these requirements:
- You have an account with Okta that contains the data that you want to transfer. For more information about the Okta data objects that Amazon AppFlow supports, see Supported objects.
- In your account, you've created either of the following resources for Amazon AppFlow. These resources provide credentials that Amazon AppFlow uses to access your data securely when it makes authenticated calls to your account.
  - An OIDC app integration to support OAuth 2.0 authentication. For the steps to create an app integration, see Create OIDC app integrations in the Okta Help Center.
  - An API token. For the steps to create one, see Create an API token in the Okta Help Center. An API token inherits the permissions of the Okta user who created it, so create it as a user (ideally a dedicated service account) that holds only read access to the objects you intend to transfer.
- If you created an OIDC app integration, you've configured it with the following settings:
  - The application type is Web Application.
  - The activated grant types include Authorization Code and Refresh Token.
  - The sign-in redirect URIs include one or more URLs for Amazon AppFlow. Redirect URLs have the following format:

    https://region.console.aws.amazon.com/appflow/oauth

    In this URL, region is the code for the AWS Region where you use Amazon AppFlow to transfer data from Okta. For example, the code for the US East (N. Virginia) Region is us-east-1. For that Region, the URL is the following:

    https://us-east-1.console.aws.amazon.com/appflow/oauth

    For the AWS Regions that Amazon AppFlow supports, and their codes, see Amazon AppFlow endpoints and quotas in the AWS General Reference. Register only the Region (or Regions) where you actually run Amazon AppFlow; every extra redirect URI on the app is another place an authorization code can be sent.
  - The following scopes are permitted:
    - okta.apps.read
    - okta.devices.read
    - okta.groups.read
    - okta.users.read
    - okta.userTypes.read

    Grant only these read scopes. Amazon AppFlow never writes to Okta (Okta isn't supported as a destination), so a management scope such as okta.users.manage gives the connector more access than it can use.
- If you created an OIDC app integration, note the client ID and client secret. If you created an API token, note the token value. You provide these values to Amazon AppFlow when you connect to your Okta account. Treat the client secret or token value as a credential; don't paste it anywhere other than the Amazon AppFlow connection form.
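The settings above are easy to get slightly wrong (an extra grant type, a leftover localhost redirect URI, a management scope granted "just in case"), and each mistake widens what a leaked client secret or a stray authorization code can do. The following script, added here as an example and not part of the AWS or Okta documentation, checks an app integration document against exactly the requirements listed above: Web application type, Authorization Code and Refresh Token grants only, AppFlow redirect URIs only, and exactly the five read scopes. The sample app documents are constructed for this example; their shape follows the Okta Apps API (settings.oauthClient), but they were not fetched from a real org, and the granted scopes are passed in as a separate set because Okta exposes grants through a different endpoint than the app itself. The region-code pattern is an assumption that covers the documented AWS Region codes.

```python
"""Check an Okta OIDC app integration against the Amazon AppFlow requirements.

Example code, not AWS or Okta code. The app documents below are constructed;
their shape mirrors the Okta Apps API (settings.oauthClient) but nothing here
talks to a real org. Granted scopes are passed in separately (assumption: the
caller has already read them from the app's grants endpoint).
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

REQUIRED_GRANT_TYPES = {"authorization_code", "refresh_token"}
REQUIRED_SCOPES = {
    "okta.apps.read",
    "okta.devices.read",
    "okta.groups.read",
    "okta.users.read",
    "okta.userTypes.read",
}
# Assumed shape of AWS Region codes: us-east-1, eu-west-2, ap-southeast-1, us-gov-west-1.
_REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
_CONSOLE_SUFFIX = ".console.aws.amazon.com"


def appflow_redirect_uri(region: str) -> str:
    """Build the sign-in redirect URI for the Region where Amazon AppFlow runs."""
    if not _REGION_RE.match(region):
        raise ValueError(f"not an AWS Region code: {region!r}")
    return f"https://{region}{_CONSOLE_SUFFIX}/appflow/oauth"


def is_appflow_redirect_uri(uri: str) -> bool:
    """True only for https://<region>.console.aws.amazon.com/appflow/oauth.

    Rejects http, userinfo, explicit ports, query strings, fragments and any
    host that merely contains the console domain (e.g. a look-alike suffix).
    Any other URI registered on the app is a place an authorization code
    could be delivered to.
    """
    parts = urlparse(uri)
    host = parts.hostname or ""
    if parts.scheme != "https" or parts.username is not None or parts.port is not None:
        return False
    if not host.endswith(_CONSOLE_SUFFIX):
        return False
    region = host[: -len(_CONSOLE_SUFFIX)]
    return (
        bool(_REGION_RE.match(region))
        and parts.path == "/appflow/oauth"
        and not parts.query
        and not parts.fragment
    )


def check_app_integration(app: dict, granted_scopes: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the app matches the requirements."""
    findings: list[str] = []
    client = app.get("settings", {}).get("oauthClient", {})
    if client.get("application_type") != "web":
        findings.append(f"application_type is {client.get('application_type')!r}, expected 'web'")
    grants = set(client.get("grant_types", []))
    for grant in sorted(REQUIRED_GRANT_TYPES - grants):
        findings.append(f"missing grant type: {grant}")
    for grant in sorted(grants - REQUIRED_GRANT_TYPES):
        findings.append(f"unneeded grant type enabled: {grant}")
    uris = client.get("redirect_uris", [])
    if not any(is_appflow_redirect_uri(u) for u in uris):
        findings.append("no Amazon AppFlow redirect URI registered")
    for uri in uris:
        if not is_appflow_redirect_uri(uri):
            findings.append(f"non-AppFlow redirect URI registered: {uri}")
    for scope in sorted(REQUIRED_SCOPES - granted_scopes):
        findings.append(f"missing scope: {scope}")
    for scope in sorted(granted_scopes - REQUIRED_SCOPES):
        findings.append(f"excess scope granted (AppFlow only reads): {scope}")
    return findings


# Constructed sample: a correctly configured integration for us-east-1.
GOOD_APP = {
    "label": "Amazon AppFlow",
    "settings": {
        "oauthClient": {
            "application_type": "web",
            "grant_types": ["authorization_code", "refresh_token"],
            "redirect_uris": [appflow_redirect_uri("us-east-1")],
        }
    },
}
GOOD_SCOPES = set(REQUIRED_SCOPES)

# Constructed sample with the mistakes an admin is most likely to make.
BAD_APP = {
    "label": "Amazon AppFlow (misconfigured)",
    "settings": {
        "oauthClient": {
            "application_type": "browser",
            "grant_types": ["authorization_code", "implicit"],
            "redirect_uris": [
                "https://us-east-1.console.aws.amazon.com/appflow/oauth",
                "http://localhost:8080/callback",
            ],
        }
    },
}
BAD_SCOPES = {"okta.users.read", "okta.groups.read", "okta.users.manage"}

if __name__ == "__main__":
    for label, app, scopes in (("good", GOOD_APP, GOOD_SCOPES), ("bad", BAD_APP, BAD_SCOPES)):
        print(label, check_app_integration(app, scopes) or ["OK"])
```

Run it against the JSON of your real app integration (and the scope IDs from its grants) instead of the constructed samples; the misconfigured sample produces eight findings, one for each deviation from the list above.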
Connecting Amazon AppFlow to your Okta account
To connect Amazon AppFlow to your Okta account, provide the client credentials from your app integration, or provide an API token. If you haven't yet configured your Okta account for Amazon AppFlow integration, see Before you begin.
To connect to Okta
- Sign in to the AWS Management Console and open the Amazon AppFlow console at https://console.aws.amazon.com/appflow/.
- In the navigation pane on the left, choose Connections.
- On the Manage connections page, for Connectors, choose Okta.
- Choose Create connection.
- In the Connect to Okta window, for Select authentication type, choose how to authenticate Amazon AppFlow with your Okta account when it requests to access your data:
  - Choose OAuth2 to authenticate Amazon AppFlow with the client credentials from an OIDC app integration. Then, specify the following:
    - Authorization tokens URL and Authorization code URL – For each of these fields, do the following:
      - Choose the format of your Okta Org URL. For more information, see Org URLs in the Okta Developer documentation.
      - Enter your Okta subdomain. For the steps to look up your subdomain, see Find your Okta domain in the Okta Developer documentation.
    - Client ID – The client ID from your app integration.
    - Client secret – The client secret from your app integration.
  - Choose Okta_API_Token to authenticate Amazon AppFlow with an API token. Then, enter the token value for Okta API Token.
- For Your Okta Domain URL, enter your domain URL, such as my-domain.okta.com. For the steps to find your domain, see Find your Okta domain in the Okta Developer documentation.
- Optionally, under Data encryption, choose Customize encryption settings (advanced) if you want to encrypt your data with a customer managed key in the AWS Key Management Service (AWS KMS).
  By default, Amazon AppFlow encrypts your data with a KMS key that AWS creates, uses, and manages for you. Choose this option if you want to encrypt your data with your own KMS key instead.
  Amazon AppFlow always encrypts your data during transit and at rest. For more information, see Data protection in Amazon AppFlow.
  If you want to use a KMS key from the current AWS account, select this key under Choose an AWS KMS key. If you want to use a KMS key from a different AWS account, enter the Amazon Resource Name (ARN) for that key.
- For Connection name, enter a name for your connection.
- Choose Continue.
- In the window that appears, sign in to your Okta account, and grant access to Amazon AppFlow.
On the Manage connections page, your new connection appears in the Connections table. When you create a flow that uses Okta as the data source, you can select this connection.
Transferring data from Okta with a flow
To transfer data from Okta, create an Amazon AppFlow flow, and choose Okta as the data source. For the steps to create a flow, see Creating flows in Amazon AppFlow.
When you configure the flow, choose the data object that you want to transfer. For the objects that Amazon AppFlow supports for Okta, see Supported objects.
Also, choose the destination where you want to transfer the data object that you selected. For more information about how to configure your destination, see Supported destinations.
Supported destinations
When you create a flow that uses Okta as the data source, you can set the destination to any of the following connectors:
Supported objects
When you create a flow that uses Okta as the data source, you can transfer any of the following data objects to supported destinations:
| Object | Field | Data type | Supported filters |
|---|---|---|---|
| Application | Accessibility | Struct | |
| | Created | DateTime | |
| | Credentials | Struct | |
| | Credentials Signing Key ID | String | EQUAL_TO |
| | Embedded | Struct | |
| | Features | List | |
| | Group ID | String | EQUAL_TO |
| | ID | String | |
| | Label | String | |
| | Last Updated | DateTime | |
| | Links | Struct | |
| | Name | String | EQUAL_TO |
| | Profile | Struct | |
| | Request Object Signing Alg | String | |
| | Settings | Struct | |
| | Status | String | EQUAL_TO |
| | User ID | String | EQUAL_TO |
| | Visibility | Struct | |
| | signOnMode | String | |
| Device | Created | DateTime | |
| | Display Name | String | EQUAL_TO |
| | ID | String | EQUAL_TO |
| | IMEI | String | EQUAL_TO |
| | Last Updated | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | Links | Struct | |
| | Manufacturer | String | EQUAL_TO |
| | Mobile Equipment Identifier (MEID) | String | EQUAL_TO |
| | Model | String | EQUAL_TO |
| | OS Version | String | EQUAL_TO |
| | Platform | String | EQUAL_TO |
| | Profile | Struct | |
| | Registered | Boolean | EQUAL_TO |
| | Resource Alternate ID | String | |
| | Resource Display Name | Struct | |
| | Resource ID | String | |
| | Resource Type | String | |
| | Secure Hardware Present | Boolean | EQUAL_TO |
| | Serial Number | String | EQUAL_TO |
| | Status | String | EQUAL_TO |
| | Windows Security identifier (SID) | String | EQUAL_TO |
| | macOS UDID | String | EQUAL_TO |
| | tpmPublicKeyHash | String | EQUAL_TO |
| Group | Created | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | Embedded | Struct | |
| | GUID (objectGUID) of the Windows Group | String | EQUAL_TO |
| | Group Description | String | EQUAL_TO |
| | Group Name | String | EQUAL_TO |
| | ID | String | EQUAL_TO |
| | Last Membership Updated | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | Last Updated | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | Links | Struct | |
| | Object Class | List | |
| | Profile | Struct | |
| | SAM Account Name | String | EQUAL_TO |
| | Source ID | String | EQUAL_TO |
| | Type | String | EQUAL_TO |
| | Windows Domain Qualified Name | String | EQUAL_TO |
| | Windows Group Distinguished Name | String | EQUAL_TO |
| User | Activated | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | City | String | EQUAL_TO |
| | Cost Center | String | EQUAL_TO |
| | Country Code | String | EQUAL_TO |
| | Created | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | Credentials | Struct | |
| | Department | String | EQUAL_TO |
| | Display Name | String | EQUAL_TO |
| | Division | String | EQUAL_TO |
| | | String | EQUAL_TO |
| | Embedded Resources | Struct | |
| | Employee Number | String | EQUAL_TO |
| | First Name | String | EQUAL_TO |
| | Honorific Prefix | String | EQUAL_TO |
| | Honorific Suffix | String | EQUAL_TO |
| | ID | String | EQUAL_TO |
| | Last Login | DateTime | |
| | Last Name | String | EQUAL_TO |
| | Last Updated | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | Links | Struct | |
| | Locale | String | EQUAL_TO |
| | Manager Display Name | String | EQUAL_TO |
| | Manager ID | String | EQUAL_TO |
| | Middle Name | String | EQUAL_TO |
| | Mobile Phone | String | EQUAL_TO |
| | Nickname | String | EQUAL_TO |
| | Occupation | String | EQUAL_TO |
| | Organization | String | EQUAL_TO |
| | Password Changed | DateTime | |
| | Postal Address | String | EQUAL_TO |
| | Preferred Language | String | EQUAL_TO |
| | Primary Phone | String | EQUAL_TO |
| | Profile | Struct | |
| | Profile URL | String | EQUAL_TO |
| | Second Email | String | EQUAL_TO |
| | State | String | EQUAL_TO |
| | Status | String | EQUAL_TO |
| | Status Changed | DateTime | EQUAL_TO, NOT_EQUAL_TO, GREATER_THAN, GREATER_THAN_OR_EQUAL_TO, LESS_THAN, LESS_THAN_OR_EQUAL_TO |
| | Street Address | String | EQUAL_TO |
| | Timezone | String | EQUAL_TO |
| | Title | String | EQUAL_TO |
| | Transitioning to status | String | |
| | Type | Struct | |
| | Type ID | String | EQUAL_TO |
| | User Type | String | EQUAL_TO |
| | Username | String | EQUAL_TO |
| | Zip Code | String | EQUAL_TO |
| User Type | Created | DateTime | |
| | Created By | String | |
| | Default | Boolean | |
| | Description | String | |
| | Display Name | String | |
| | ID | String | |
| | Last Updated | DateTime | |
| | Last Updated By | String | |
| | Links | Struct | |
| | Name | String |