Configure Okta Instance for SaaS Security Posture Management
This guide will walk you through the steps required to configure the API connection for Okta with SaaS Security Posture Management. The process involves creating an API token in Okta and authorizing Netskope to access your Okta account. After the API connection is configured, you can set up Security Posture Policies to scan for policy violations.
Prerequisites
- You must have a Read Only Admin role or higher in Okta to perform these actions.
Step 1: Create an API Token in Okta
- Log in to the Okta Admin Console using the service account with the Read Only Admin role by navigating to https://{your-okta-domain}-admin.okta.com.
- Create the API token using one of the following two options:
  Option 1: Simple API Token
  - Go to Security > API.
  - Switch to the Tokens tab and click Create Token.
  - Enter a name for the token.
  - For the option API calls made with this token must originate from, choose Any IP.
  - Click Create Token.
  Option 2: Set Up IP Restriction
  - Go to Security > Network, then click Add Zone > IP Zone.
  - Name the zone NetskopeIPZone.
  - Fill in the Gateway IPs field. You can enter 2 or more comma-separated IP addresses or CIDR ranges of the data centre.
    You can find the required Netskope IP addresses for your Home POP by referring to the following articles. In this case, you need to choose 2 IP addresses, for SPM API and UA API calls.
    - For SPM API calls: Netskope SSPM gateway IP addresses for Okta Allowlisting
    - For UA API call during grant access: Netskope NewEdge Data Plane and Management Plane IP Ranges
  - Save the IP Zone.
  - Go to Security > API.
  - Switch to the Tokens tab and click Create Token.
  - Enter a name for the token.
  - For the option API calls made with this token must originate from, choose In any of the following zones and choose the NetskopeIPZone zone.
  - Click Create Token.
- Copy and securely save the API token generated from the UI. You will need this token to configure the connection with SSPM.
Step 2: Configure Netskope to Access Your Okta Application
- Log in to the Netskope tenant UI, https://<tenant hostname>.goskope.com.
- Navigate to Settings > Configure App Access > Next Gen > Security Posture.
- In the Applications section, select Okta and click Setup Instance.
- The Setup Instance window opens.
  - Domain: Enter the Okta domain name without the web protocol. Example: {your-domain}.okta.com
  - API Token: Enter the API token you created earlier.
  - Okta Administrator email: Security posture management emails are sent to this email address.
  - Security Scan Interval: Frequency of security posture scans.
- Click Grant Access to complete the API connection setup.
Once the connection is configured, you can proceed to create Security Posture Policies in Netskope to monitor and manage your Okta environment for policy violations.
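
A pre-flight check for the two values this procedure has you type by hand: the Gateway IPs field of NetskopeIPZone (Option 2) and the Domain field in Step 2. This is an added example, not Netskope or Okta code; the function names, the /16 review threshold, the IPv4-only handling, the rejection of "-admin" hosts and the sample addresses (documentation ranges, not Netskope's) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ADDRESSES = 2 ** 16  # assumed review threshold: anything wider than a /16


def check_gateway_ips(field):
    """Return a list of problems with a Gateway IPs value; empty means it passed."""
    entries = [e.strip() for e in field.split(",") if e.strip()]
    problems, networks = [], set()
    for entry in entries:
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 203.0.113.5/24
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: not a valid IPv4 address or CIDR ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry}: matches every address, same effect as Any IP")
        elif net.num_addresses > MAX_ADDRESSES:
            problems.append(f"{entry}: wider than a /16, compare with the published list")
        networks.add(net)
    if len(networks) < 2:
        problems.append("fewer than 2 distinct entries (SPM API and UA API both need one)")
    return problems


def okta_domain(value):
    """Reduce a pasted URL or host to the bare domain the Setup Instance window expects."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        raise ValueError(f"no host name in {value!r}")
    # Assumption: a first label ending in -admin is the Admin Console URL from Step 1.
    if host.split(".")[0].endswith("-admin"):
        raise ValueError(f"{host} is the Admin Console host, not the org domain")
    return host


if __name__ == "__main__":
    # Constructed sample values from documentation address ranges, not Netskope's.
    print(check_gateway_ips("198.51.100.7, 203.0.113.0/28"))
    print(check_gateway_ips("0.0.0.0/0, 203.0.113.5/24"))
    print(okta_domain("https://example.okta.com/"))
```

Run it on the values you are about to paste; take the real gateway addresses from the two Netskope articles referenced in Option 2.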