# Okta

{% hint style="info" %}
Cortex connects to many third-party vendors whose system interfaces frequently change. As a result, integration behavior or configuration steps may shift without notice. If you encounter unexpected issues, check with your system administrator or refer to the vendor's documentation for the most current information. Additionally, integration sync times vary and are subject to scheduling overrides and timing variance.
{% endhint %}

## Overview

[Okta](https://www.okta.com/) is an identity and access management (IAM) platform. Integrate Cortex with Okta to drive insights into authentication and ownership.

After configuring the integration, you can set Okta teams and team members as owners of entities.

For information on configuring Okta SSO or Okta SCIM for logging in to Cortex, see the [Okta SSO documentation](https://docs.cortex.io/configure/settings/managing-users/configuring-sso) and [Okta SCIM documentation](https://github.com/cortexapps/hippocampus/blob/master/configure/settings/managing-users/configuring-sso/okta/okta-scim.md).

## How to configure Okta with Cortex

### Prerequisites

Before getting started:

* An Okta administrator, with at least the [View groups](https://help.okta.com/en-us/Content/Topics/Security/custom-admin-role/about-role-permissions.htm) permissions, must [create an Okta API token](https://developer.okta.com/docs/guides/create-an-api-token/create-the-token/).
  * Grant the following scopes for the API token:
    * `okta.groups.read`
    * `okta.profileMappings.read`
    * `okta.users.read`
* Obtain your Okta domain.
  * This can be found in the prefix of your Okta URL. For example, `https://domain.okta.com`.

### Configure the integration in Cortex

1. In Cortex, navigate to the [Okta settings page](https://app.getcortexapp.com/admin/integrations/okta):
   * Click **Integrations** from the main nav. Search for and select **Okta**.
2. Click **Add configuration**.
3. Configure the Okta integration form:
   * **Domain**: Enter your Okta domain.
   * **API token**: Enter your Okta API token.
   * **Group types**: Specify which group types to include.
4. Click **Save**.

To modify the integration configuration, see [Modifying an existing integration configuration](https://docs.cortex.io/ingesting-data-into-cortex/integrations/..#modifying-an-existing-integration-configuration).

## How to connect Cortex entities to Okta

### Import teams from Okta

See the [Create teams documentation](https://docs.cortex.io/entities-overview/entities/adding-entities/teams#creating-a-team) for instructions on importing entities.

Team data syncs from Okta daily at 3 p.m. UTC.

### Editing the entity descriptor

```yaml
x-cortex-owners:
  - type: group
    name: Engineering # group name in Okta
    provider: OKTA
    description: This is a description for this owner # optional
```

The group name is case-sensitive and should be exactly the same as in Okta.
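A pre-merge check for the rule above, as an added example (not Cortex's own code): it compares `x-cortex-owners` entries with Okta group names and reports case, whitespace and group-type mismatches. The sample groups and owners are constructed, and it assumes the **Group types** setting corresponds to the `type` field of Okta group objects, with names taken from `profile.name`.

```python
# Added example: lint x-cortex-owners entries against Okta group names.
# OKTA_GROUPS is constructed sample data shaped like Okta group objects.
OKTA_GROUPS = [
    {"type": "OKTA_GROUP", "profile": {"name": "Engineering"}},
    {"type": "OKTA_GROUP", "profile": {"name": "Platform Security"}},
    {"type": "APP_GROUP", "profile": {"name": "AD-Finance"}},
]

# Constructed owners, as a YAML loader would return them from a descriptor.
OWNERS = [
    {"type": "group", "name": "Engineering", "provider": "OKTA"},
    {"type": "group", "name": "engineering", "provider": "OKTA"},
    {"type": "group", "name": "Platform Security ", "provider": "OKTA"},
    {"type": "group", "name": "AD-Finance", "provider": "OKTA"},
    {"type": "group", "name": "Data", "provider": "OKTA"},
]


def lint_okta_owners(owners, okta_groups, included_types=("OKTA_GROUP",)):
    """Return (owner_name, problem) pairs for owners that will not resolve."""
    # included_types is an assumption standing in for the "Group types" setting.
    synced = {g["profile"]["name"] for g in okta_groups if g["type"] in included_types}
    all_names = {g["profile"]["name"]: g["type"] for g in okta_groups}
    # Map a normalized form to the exact names, to detect near misses.
    folded = {}
    for name in all_names:
        folded.setdefault(name.strip().casefold(), []).append(name)

    findings = []
    for owner in owners:
        if owner.get("type") != "group" or owner.get("provider") != "OKTA":
            continue  # not an Okta group owner; out of scope for this check
        name = owner.get("name", "")
        if name in synced:
            continue  # exact, case-sensitive match
        if name in all_names:
            findings.append((name, f"group type {all_names[name]} is not included"))
        elif name.strip().casefold() in folded:
            exact = folded[name.strip().casefold()][0]
            findings.append((name, f"case or whitespace differs from '{exact}'"))
        else:
            findings.append((name, "no such group in Okta"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_okta_owners(OWNERS, OKTA_GROUPS):
        print(f"{name!r}: {problem}")
```
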

## Using the Okta integration

### Scorecards and CQL

With the Okta integration, you can create Scorecard rules and write CQL queries based on Okta teams.

See more examples in the [CQL Explorer](https://app.getcortexapp.com/admin/cql-explorer) in Cortex.

<details>

<summary>All ownership details</summary>

A special built-in type that supports a null check or a count check, used to enforce ownership of entities.

**Definition:** `ownership: Ownership | Null`

**Example**

An initial level in a security Scorecard might include a rule to ensure an entity has at least one team as an owner:

```
ownership.teams().length > 0
```

</details>

<details>

<summary>All owner details</summary>

List of owners, including team members and individual users, for each entity.

**Definition:** `ownership.allOwners()`

**Example**

The Scorecard might include a rule to ensure that entity owners all have an email set:

```
ownership.allOwners().all((member) => member.email != null)
```

</details>

<details>

<summary>Team details</summary>

List of teams for each entity.

**Definition:** `ownership.teams(): List<Team>`

**Example**

The Scorecard might include a rule to ensure that an entity's owners all have a description and are not archived:

```
ownership.teams().all(team => team.description != null and team.isArchived == false)
```

</details>

### View integration logs <a href="#still-need-help" id="still-need-help"></a>

## Background sync

Cortex conducts an ownership sync for Okta teams every day at 3 p.m. UTC.

## Troubleshooting and FAQ

**I've added an API token but the login is still using Google.**

To set up Okta for SSO, use the [Okta SSO guide](https://docs.cortex.io/configure/settings/managing-users/configuring-sso/okta).

## Still need help? <a href="#still-need-help" id="still-need-help"></a>

The following options are available to get assistance from the Cortex Customer Engineering team:

* **Email**: <help@cortex.io>, or open a support ticket in the in-app Resource Center.
* **Slack**: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a `:ticket:` reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your Customer Success Manager.


