Onboarding an Okta application in Britive

Follow these steps to configure the Okta application in Britive.

1. Login to Britive with administrator privileges.
2. Click on Admin -> Application and Access Profile Management.
3. Click on CREATE APPLICATION from the Tenant Applications page.
4. Click Add (+) sign inline to the Okta application on Add Application page.
5. Enter the following values in the Application tab:
   1. Enter the Application Name.
   2. Enter the Application Description, if required.
   3. Select email from Account Mapping.
6. Click NEXT. The Settings tab is displayed,
7. Click SAVE.
8. Click CREATE ENTITY button.
9. Enter the following details on the Create Environment/Environment Group page:
   1. Select Environment in the Entity Type.
   2. Enter Entity Name.
   3. Enter Entity Description.
   4. Click SAVE.
10. Click on the Settings tab and enter the following details:
    1. Click EDIT to edit the properties.
    2. Enter the Okta tenant identifier in the Login URL.
    3. Enter the API Token generated in the section Creating an API Token on Okta.
    4. Optionally, enter a Filter for users and a Filter for groups to avoid collecting all users and groups within Okta. The filters supported by Okta REST API are used. For more information see Okta documentation for Users and Groups REST API for valid filters. 
       Note:

       Okta supports search criteria with keywords search, filter, and q. Enter the correct criteria, for example, filter=status eq "ACTIVE".

    5. Profile Settings: Configure the maximum session duration for profiles. You can select the duration between 15 minutes to 7 calendar days. This allows to setup expiration duration for each profile while creating/updating the profile up to this configured value. If existing profiles are created with more than 12 hours and the above setting is changed, then it cannot be lowered until all profiles are updated with a lower expiration duration.

11. Click SAVE AND TEST.

Supporting Okta Custom Roles

Okta supports custom administrator roles. For more information, see Custom administrator roles. 

Scanning an Okta application in Britive now scans for Okta custom admin roles as well and lists them on the Data page. You can filter the Permissions based on Type: Role, Group, or Custom Role.

Assigning granular access to Okta Resource Sets

Generally, all Britive profiles get access to the roles that are predefined in the onboarded application's target environment. Okta provides the capability to specify or limit access to specific applications or groups for administrators such as Application administrator, Group administrator, Group membership administrator, or Helpdesk administrator. Now you can extend the same capability to Britive profiles as well. You can specify the applications or groups based on the roles added. 

To grant granular access in Britive profiles: 

1. Login to Britive with administrator privileges.
2. Click on Admin -> Application and Access Profile Management.
3. Search the Okta application and click Manage from the Tenant Applications page.
4. Click on Profiles from the menu.
5. Select the profile, click Manage and click the Permissions tab. The manage button is available only for the roles which can have granular access.
6. Click ADD PERMISSIONS button and add the required permissions.
7. Click on Manage to fine-tune the permissions.
8. The Permission Constraints page is displayed. This page varies as per the selected permission. Some of the permissions do not have any constraints defined in Okta.
   • Helpdesk Administrator/Group administrator:  You can add multiple groups supported by the selected permission. Groups do not support constraints.
   • Application Administrator: You can add Applications and Catalog Applications.
   • Custom Role: You can add Resource sets defined in Okta.
9. After a Britive profile is checked out, the application administrator or group administrator can only manage the added application/catalog applications or the groups.

Exclude admin from admin-related communication

Okta provides the capability to exclude admins from receiving admin-related communication while assigning administrators in Okta. Britive provides this capability by setting such property for the application profile. This profile setting is applicable only if the Manage third-party admins setting is enabled in Okta. You can enable this in Okta by selecting the Manage third-party admins checkbox on the Settings->Account page. For more information on this setting on Okta see,  Exclude admin from admin-related communication.

Britive sets this value for an Okta administrator while assigning standard role membership during the profile check-out. 

To set this advanced setting:

1. Login to Britive with administrator privileges.
2. Click on Admin -> Application and Access Profile Management.
3. Search the Okta application and click Manage from the Tenant Applications page.
4. Click on Profiles from the menu.
5. Select the profile and click Manage.
6. Select an option for Exclude admin from admin related communication:
   1. Default: Skips updating the value during profile check-out. It uses the default Okta value which is false or keeps the value intact in case it’s already set.
   2. True: Sets the value to true irrespective of the earlier value set in Okta and admin is excluded from receiving admin-related communication.
   3. False: Sets the value to false irrespective of the earlier value. 
      Note:

      Britive overrides the earlier setting from Okta in case the option is set to True or False, and the check-in operation does not revert it to the earlier state.
      For more information about Britive profiles, see Britive Profile Management.