Okta
Overview
The Okta connector enables your AI Colleagues to integrate with your organization's Okta Identity Cloud platform, facilitating automated identity and access management, user lifecycle operations, and group-based access control workflows.
Okta is a leading identity and access management service that provides secure authentication, user management, and single sign-on capabilities for enterprise applications. The Okta connector allows Leena AI to automate user provisioning, password management, group assignments, and audit operations seamlessly.
API Details
Leena AI integrates with Okta via REST APIs.
Documentation link: https://developer.okta.com/docs/reference/
Setup
The Okta connector uses API Key authentication.
Prerequisites
Before setting up the Okta connector, ensure you have:
- Administrator access to your Okta Admin Console
- Super Administrator or appropriate admin role with API credentials creation permissions
- Access to Security API section in Okta Admin Console
- Access to your Leena AI workspace with connector management permissions
Get credentials
Here is how to create an API key in Okta Admin Console:
- Log in to Okta Admin Console (ensure you are signed in as an admin with super administrator privileges).
- Navigate to Security then API:
  - Click on Security in the sidebar
  - Select API
- Create API Credentials:
  - Click on the Tokens tab
  - Click Create
- Configure Details:
  - Name: Enter a descriptive name for your credentials (e.g., Leena AI Integration)
  - API calls must originate from: Select an option to specify where connections are allowed from:
    - Any IP: Allow connections from any IP address or network zone
    - In any network zone defined in Okta: Allow connections from any defined network zone
    - In any of the following zones: Allow connections from specific network zones
    - Not in any network zone defined in Okta: Allow connections from outside defined zones
- Save and Note Credentials:
  - Click Create
  - Copy the value immediately and store it securely
  - Important: The value is displayed only once during creation. After creation, it is stored as a hash and cannot be retrieved again.
Note: API credentials inherit the privilege level of the admin account used to create them, so it is recommended to create a dedicated service account for API credential creation. Credentials are valid for 30 days from creation or last use; credentials not used for 30 days expire.
Add connection
Here is how to add a connection on Leena AI:
- Log in to your Leena AI workspace
- Navigate to Settings then Integrations
- Search for Okta and select it from the list to add a new connector
- Start configuring the connector:
  - Base URL: Your Okta organization URL (e.g., https://example.okta.com)
  - Auth Type: Select API Key from the dropdown
  - API Key: The API credentials created in Okta Admin Console (format: SSWS followed by your key value)
- Complete Configuration and Save:
  - Click Connect in Leena AI for Okta connector setup
  - The connector will validate the credentials
  - Upon successful validation, the connector will be saved
Actions
The following actions are supported for the Okta connector:
Users: Create User
Creates a new user account in Okta. The Agent can leverage the skill (workflow), which has been designed to create a new user in Okta, once the user raises a query to do so. Here are some common use cases:
- Employee Onboarding: Create accounts for new hires
- User Provisioning: Automate user creation from HR systems
- Bulk User Creation: Create multiple users through workflows
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| First Name | Given name of the user (givenName) |
| Middle Name | The middle name of the user |
| Last Name | The family name of the user (familyName) |
| Display Name | Name of the user suitable for display to end users |
| Email | The primary email address of the user |
| Second Email | The secondary email address of the user typically used for account recovery |
| Login | The unique identifier for the user (username). Every user within your Okta org must have a unique identifier for a login |
| Password Type? | Select password type: Value, Hash, or Hook |
| Password | Specifies the password for a user. The password policy validates this password (when Password Type is Value) |
| Password Hash Algorithm | The algorithm used to generate the hash (when Password Type is Hash) |
| Password Hash Digest Algorithm | Algorithm used to generate the key. Only required for PBKDF2 algorithm |
| Password Hash Iteration Count | The number of iterations used when hashing passwords using PBKDF2. Must be greater than or equal to 4096 |
| Password Hash Key Size | Size of the derived key in bytes. Only required for PBKDF2 algorithm |
| Password Hash salt | Only required for salted hashes |
| Password Hash Salt Order | Specifies whether salt was pre- or postfixed to the password before hashing |
| Password Hash Value | The hash value (when Password Type is Hash) |
| Password Hash Work Factor | Governs the strength of the hash. Only required for BCRYPT algorithm |
| Password Hook Type | Specify a password import inline hook. Currently must be set to default |
| Activate | Executes an activation lifecycle operation when creating the user (default: true) |
| Provider | Indicates whether to create a user with a specified authentication provider |
| Next Login | With activate=true, if nextLogin=changePassword, password is set to EXPIRED |
| Credentials Provider Name | The name of the authentication provider |
| Credentials Provider Type | The type of authentication provider |
| Add Recovery Question? | Toggle to add recovery question |
| Recovery Question | The recovery question for the user |
| Recovery Question Answer | The answer to the recovery question |
| City | The city or locality of the user's address |
| Cost Center | Name of the cost center assigned to a user |
| Country Code | The country name component of the user's address |
| Department | Name of the user's department |
| Division | Name of the user's division |
| Employee Number | The organization-assigned unique identifier for the user |
| Honorific Prefix | Honorific prefix(es) of the user, or title |
| Honorific Suffix | Honorific suffix(es) of the user |
| Locale | The user's default location for localizing items (default: en_US) |
| Manager | The displayName of the user's manager |
| Manager ID | The id of the user's manager |
| Mobile Phone | The mobile phone number of the user |
| Nick Name | The casual way to address the user |
| Organization | Name of the user's organization |
| Postal Address | Mailing address component of the user's address |
| Preferred Language | The user's preferred written or spoken language |
| Primary Phone | The primary phone number of the user |
| Profile URL | The URL of the user's online profile |
| State | The state or region component of the user's address |
| Street Address | The full street address component of the user's address |
| Time Zone | The user's time zone |
| Title | The user's title, such as Vice President |
| User Type | The organization-to-user relationship, such as employee or contractor |
| ZipCode | The ZIP code or postal code component of the user's address |
| Group IDs | Comma separated group IDs to assign user to |
| Realm ID | The ID of the realm in which the user is residing |
| User Type ID | The ID of the user type for non-default User Type |
Here is a sample JSON input:
{
  "profile": {
    "firstName": "John",
    "lastName": "Doe",
    "email": "[email protected]",
    "login": "[email protected]",
    "mobilePhone": "+1-555-123-4567",
    "department": "Engineering",
    "title": "Software Engineer"
  },
  "credentials": {
    "password": {
      "value": "SecurePassword123!"
    }
  },
  "params": {
    "activate": true
  },
  "groupIds": "00g1234567890abcdef,00g0987654321fedcba"
}
Response
Upon successful creation, the action returns the created user details including:
- User ID
- User profile information
- User status
- Creation timestamp
- Assigned groups
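The Password Hash parameters in the table above depend on each other (PBKDF2 needs a digest algorithm, key size and at least 4096 iterations; BCRYPT needs a work factor). The following added example, which is not Leena AI or Okta code, derives a PBKDF2 hash locally and checks those rules before a Create User input is built. The field names and the `credentials.password.hash` nesting follow Okta's Users API and are assumed to pass through this connector unchanged; the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import os

# Field names follow the hash object of Okta's Users API; that this connector
# forwards them unchanged is an assumption. The rules restate the table above.
ALGORITHMS = {"BCRYPT", "SHA-512", "SHA-256", "SHA-1", "MD5", "PBKDF2"}
PBKDF2_DIGESTS = {"SHA256_HMAC": "sha256", "SHA512_HMAC": "sha512"}
PBKDF2_ONLY = ("digestAlgorithm", "iterationCount", "keySize")
MIN_PBKDF2_ITERATIONS = 4096


def pbkdf2_hash_object(password, iterations, key_size=32,
                       digest="SHA256_HMAC", salt=None):
    """Derive a PBKDF2 hash locally and describe it for Password Type = Hash."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac(PBKDF2_DIGESTS[digest],
                                  password.encode("utf-8"),
                                  salt, iterations, dklen=key_size)
    return {
        "algorithm": "PBKDF2",
        "digestAlgorithm": digest,
        "iterationCount": iterations,
        "keySize": key_size,
        "salt": base64.b64encode(salt).decode("ascii"),
        "value": base64.b64encode(derived).decode("ascii"),
    }


def _decoded_len(b64_text):
    """Length in bytes of a Base64 string, or -1 if it is not valid Base64."""
    try:
        return len(base64.b64decode(b64_text, validate=True))
    except (binascii.Error, ValueError, TypeError):
        return -1


def validate_hash_object(h):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    algo = h.get("algorithm")
    if algo not in ALGORITHMS:
        problems.append(f"unsupported algorithm: {algo!r}")
    if not h.get("value"):
        problems.append("value is required when Password Type is Hash")

    if algo == "PBKDF2":
        if h.get("digestAlgorithm") not in PBKDF2_DIGESTS:
            problems.append("digestAlgorithm is required for PBKDF2")
        count = h.get("iterationCount")
        if not isinstance(count, int) or count < MIN_PBKDF2_ITERATIONS:
            problems.append("iterationCount must be >= 4096")
        key_size = h.get("keySize")
        if not isinstance(key_size, int) or key_size <= 0:
            problems.append("keySize is required for PBKDF2")
        elif h.get("value") and _decoded_len(h["value"]) != key_size:
            problems.append("decoded value length does not match keySize")
        if not h.get("salt"):
            problems.append("salt is required for PBKDF2")
    else:
        problems += [f"{f} only applies to PBKDF2" for f in PBKDF2_ONLY if f in h]

    if algo == "BCRYPT":
        if not isinstance(h.get("workFactor"), int):
            problems.append("workFactor is required for BCRYPT")
    elif "workFactor" in h:
        problems.append("workFactor only applies to BCRYPT")

    # Salt order only has meaning for the salted digest algorithms.
    if algo in {"SHA-512", "SHA-256", "SHA-1", "MD5"} and h.get("salt"):
        if h.get("saltOrder") not in ("PREFIX", "POSTFIX"):
            problems.append("saltOrder must be PREFIX or POSTFIX when salt is set")
    return problems


def create_user_input(profile, hash_object):
    """Build a Create User input that imports a hash instead of a plaintext value."""
    problems = validate_hash_object(hash_object)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "profile": profile,
        "credentials": {"password": {"hash": hash_object}},
        "params": {"activate": True},
    }
```

Importing a hash this way keeps the plaintext password out of the workflow input and out of any logs that record it.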
Users: List Users
Retrieves a list of users from Okta. This action can be leveraged by Leena AI Orchestrator/Agent to list all users in the organization or filter users based on specific criteria. Here are some common use cases:
- User Directory: Get all users in the organization
- User Search: Find users by name or email
- Status Check: Find users with specific status
- Audit Reports: Generate user listing for compliance
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Query String | Finds users who match the specified query. This does not support pagination |
| After | The cursor to use for pagination. It is an opaque string that specifies the current location in the list |
| Limit | Specifies the number of results returned (default: 200). Defaults to 10 if q is provided |
| Filter | Filters users with a supported expression for a subset of properties |
| Search | Searches for users with a supported filtering expression for most properties. Recommended for best performance |
| Sort By | Specifies field to sort by (for search queries only). Can be any single property |
| Sort Order | Specifies sort order: asc or desc (for search queries only) |
Here is a sample JSON input:
{
  "params": {
    "limit": 50,
    "search": "profile.department eq \"Engineering\"",
    "sortBy": "profile.lastName",
    "sortOrder": "asc"
  }
}
Response
The action returns a list of users, each containing:
- User ID
- Profile information (name, email, phone, etc.)
- User status
- Creation and modification timestamps
- Pagination cursor (after) for next page
Users: Get User details
Retrieves detailed information about a specific user in Okta. The Agent can leverage the skill (workflow), which has been designed to get a user's complete profile information. Here are some common use cases:
- User Lookup: Get complete user profile by ID
- Profile Verification: Verify user details
- Troubleshooting: Debug user-related issues
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to retrieve details for (selected from dropdown) |
Optional
| Name | Description |
|---|---|
| Expand | An optional parameter to include metadata in the _embedded attribute |
Here is a sample JSON input:
{
  "id": "00u1234567890abcdef",
  "expand": true
}
Response
The action returns detailed user information including:
- User ID
- Complete profile information
- User status
- Credentials information
- Creation and modification timestamps
- Embedded metadata (if expand is true)
Users: Update User
Updates an existing user profile in Okta. The Agent can leverage the skill (workflow), which has been designed to modify user attributes, once the user raises a query to do so. Here are some common use cases:
- Profile Updates: Update user contact information
- Role Changes: Update title and department
- Data Corrections: Fix incorrect user information
- Password Updates: Update user credentials
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to update (selected from dropdown) |
Optional
| Name | Description |
|---|---|
| First Name | Given name of the user (givenName) |
| Middle Name | The middle name of the user |
| Last Name | The family name of the user (familyName) |
| Display Name | Name of the user suitable for display to end users |
| Email | The primary email address of the user |
| Second Email | The secondary email address of the user typically used for account recovery |
| Login | The unique identifier for the user (username) |
| Password Type? | Select password type: Value, Hash, or Hook |
| Password | Specifies the password for a user (when Password Type is Value) |
| Password Hash Algorithm | The algorithm used to generate the hash (when Password Type is Hash) |
| Password Hash Digest Algorithm | Algorithm used to generate the key. Only required for PBKDF2 algorithm |
| Password Hash Iteration Count | The number of iterations used when hashing passwords using PBKDF2 |
| Password Hash Key Size | Size of the derived key in bytes. Only required for PBKDF2 algorithm |
| Password Hash salt | Only required for salted hashes |
| Password Hash Salt Order | Specifies whether salt was pre- or postfixed to the password before hashing |
| Password Hash Value | The hash value (when Password Type is Hash) |
| Password Hash Work Factor | Governs the strength of the hash. Only required for BCRYPT algorithm |
| Password Hook Type | Specify a password import inline hook. Currently must be set to default |
| Strict | If true, validates against minimum age and history password policy (default: true) |
| Add Recovery Question? | Toggle to add recovery question |
| Recovery Question | The recovery question for the user |
| Recovery Question Answer | The answer to the recovery question |
| City | The city or locality of the user's address |
| Cost Center | Name of the cost center assigned to a user |
| Country Code | The country name component of the user's address |
| Department | Name of the user's department |
| Division | Name of the user's division |
| Employee Number | The organization-assigned unique identifier for the user |
| Honorific Prefix | Honorific prefix(es) of the user, or title |
| Honorific Suffix | Honorific suffix(es) of the user |
| Locale | The user's default location for localizing items |
| Manager | The displayName of the user's manager |
| Manager ID | The id of the user's manager |
| Mobile Phone | The mobile phone number of the user |
| Nick Name | The casual way to address the user |
| Organization | Name of the user's organization |
| Postal Address | Mailing address component of the user's address |
| Preferred Language | The user's preferred written or spoken language |
| Primary Phone | The primary phone number of the user |
| Profile URL | The URL of the user's online profile |
| State | The state or region component of the user's address |
| Street Address | The full street address component of the user's address |
| Time Zone | The user's time zone |
| Title | The user's title, such as Vice President |
| User Type | The organization-to-user relationship, such as employee or contractor |
| ZipCode | The ZIP code or postal code component of the user's address |
| Realm ID | The ID of the realm in which the user is residing |
Here is a sample JSON input:
{
  "id": "00u1234567890abcdef",
  "profile": {
    "department": "Sales",
    "title": "Senior Account Executive",
    "mobilePhone": "+1-555-987-6543"
  },
  "params": {
    "strict": true
  }
}
Response
Upon successful update, the action returns the updated user details including:
- User ID
- Updated profile information
- User status
- Modification timestamp
Users: Activate User
Activates a user account in Okta. The Agent can leverage the skill (workflow), which has been designed to activate a user account, once the user raises a query to do so. Here are some common use cases:
- Employee Onboarding: Activate new hire accounts
- Account Restoration: Reactivate previously staged accounts
- Provisioning Workflows: Complete user provisioning process
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to activate (selected from dropdown) |
Optional
| Name | Description |
|---|---|
| Send Email | Sends an activation email to the user (default: true) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef",
  "params": {
    "sendEmail": true
  }
}
Response
Upon successful activation, the action returns:
- User activation status
- Activation link (if sendEmail is false)
- Updated user status
Users: Deactivate User
Deactivates a user account in Okta. The Agent can leverage the skill (workflow), which has been designed to deactivate a user account, once the user raises a query to do so. Here are some common use cases:
- Employee Offboarding: Deactivate departing employee accounts
- Security Response: Quickly revoke user access
- Account Cleanup: Deactivate unused accounts
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to deactivate (selected from dropdown) |
Optional
| Name | Description |
|---|---|
| Send Email | Sends a deactivation email to the user |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef",
  "params": {
    "sendEmail": true
  }
}
Response
Upon successful deactivation, the action returns:
- Confirmation of deactivation
- Updated user status
- Deactivation timestamp
Users: Suspend User
Suspends a user account in Okta. The Agent can leverage the skill (workflow), which has been designed to suspend a user account temporarily, once the user raises a query to do so. Here are some common use cases:
- Leave of Absence: Temporarily suspend accounts during employee leave
- Security Investigation: Suspend accounts during security reviews
- Policy Enforcement: Suspend users for policy violations
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to suspend (selected from dropdown) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef"
}
Response
Upon successful suspension, the action returns:
- Confirmation of suspension
- Updated user status
- Suspension timestamp
Users: Unsuspend User
Unsuspends a previously suspended user account in Okta. The Agent can leverage the skill (workflow), which has been designed to restore a suspended user account, once the user raises a query to do so. Here are some common use cases:
- Return from Leave: Restore accounts after employee leave
- Investigation Cleared: Restore accounts after security review
- Account Restoration: Unsuspend accounts after policy compliance
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to unsuspend (selected from dropdown) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef"
}
Response
Upon successful unsuspension, the action returns:
- Confirmation of unsuspension
- Updated user status (ACTIVE)
- Restoration timestamp
Users: Expire Password
Expires a user's password immediately in Okta. The Agent can leverage the skill (workflow), which has been designed to expire a user's password, forcing them to change it on next login. Here are some common use cases:
- Security Policy: Force password rotation
- Compliance Requirements: Enforce periodic password changes
- Account Handover: Require new password after account transfer
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user whose password to expire (selected from dropdown) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef"
}
Response
Upon successful password expiration, the action returns:
- Confirmation of password expiration
- Temporary password (if applicable)
- User must change password on next login
Users: Reset Password
Initiates an admin-driven password reset for a user in Okta. The Agent can leverage the skill (workflow), which has been designed to reset a user's password, once the user raises a query to do so. Here are some common use cases:
- Helpdesk Support: Reset passwords for locked-out users
- Security Incident: Force password reset after breach
- Account Recovery: Help users regain access
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user whose password to reset (selected from dropdown) |
| Send Email | Whether to send a password reset email to the user |
Optional
| Name | Description |
|---|---|
| Revoke Sessions | Revokes all user sessions, except for the current session |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef",
  "params": {
    "sendEmail": true,
    "revokeSessions": true
  }
}
Response
Upon successful password reset, the action returns:
- Reset password URL (if sendEmail is false)
- Confirmation of email sent (if sendEmail is true)
- Session revocation status
Users: Reset Forgotten Password
Triggers a forgot password flow for a user in Okta. The Agent can leverage the skill (workflow), which has been designed to initiate the forgot password process for a user. Here are some common use cases:
- Self-Service Support: Help users who forgot their password
- Automated Recovery: Trigger password recovery flows
- User Assistance: Initiate password reset on behalf of user
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to trigger forgot password for (selected from dropdown) |
Optional
| Name | Description |
|---|---|
| Send Email | Sends a forgot password email to the user (default: true) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef",
  "params": {
    "sendEmail": true
  }
}
Response
Upon successful initiation, the action returns:
- Password recovery URL (if sendEmail is false)
- Confirmation of recovery email sent (if sendEmail is true)
- Recovery expiration time
Users: List User's Groups
Retrieves all groups that a specific user belongs to in Okta. The Agent can leverage the skill (workflow), which has been designed to list a user's group memberships. Here are some common use cases:
- Access Review: Review user group memberships
- Audit Reports: Document user access for compliance
- Troubleshooting: Debug access issues by checking group membership
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user whose groups to list (selected from dropdown) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef"
}
Response
The action returns a list of groups the user belongs to, each containing:
- Group ID
- Group name
- Group type
- Group description
Users: List user applications
Retrieves all applications assigned to a specific user in Okta. The Agent can leverage the skill (workflow), which has been designed to list applications a user has access to. Here are some common use cases:
- Access Review: Review user application access
- Audit Reports: Document application assignments
- Onboarding Verification: Verify correct application assignments
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user whose applications to list (selected from dropdown) |
Optional
| Name | Description |
|---|---|
| After | Specifies the pagination cursor for the next page of results |
| Limit | Specifies the number of results in a page (default: 200) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef",
  "params": {
    "limit": 50
  }
}
Response
The action returns a list of applications assigned to the user, each containing:
- Application ID
- Application name
- Application status
- Application settings
- Pagination cursor (after) for next page
Groups: List Groups
Retrieves a list of groups from Okta. This action can be leveraged by Leena AI Orchestrator/Agent to list all groups in the organization or filter groups based on specific criteria. Here are some common use cases:
- Group Directory: Get all groups in the organization
- Group Search: Find groups by name
- Access Management: Review available groups for assignment
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Query String | Finds a group that matches the name property |
| Filter | Filter expression for groups |
| After | Specifies the pagination cursor for the next page of groups |
| Limit | Specifies the number of group results in a page (default: 200) |
| Expand | Additional metadata to include in response. Possible values: stats, app |
| Search | Searches for groups with a supported filtering expression |
| Sort By | Specifies field to sort by (for search queries only) |
| Sort Order | Specifies sort order: asc or desc (for search queries only) |
Here is a sample JSON input:
{
  "params": {
    "q": "Engineering",
    "limit": 50,
    "expand": "stats"
  }
}
Response
The action returns a list of groups, each containing:
- Group ID
- Group name
- Group type
- Group description
- Member count (if expand=stats)
- Pagination cursor (after) for next page
Groups: List Users of Group
Retrieves all users that belong to a specific group in Okta. The Agent can leverage the skill (workflow), which has been designed to list members of a group. Here are some common use cases:
- Group Membership Review: Review who belongs to a group
- Audit Reports: Document group membership for compliance
- Access Analysis: Analyze group access patterns
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| Group | The group whose users to list (selected from dropdown) |
Optional
| Name | Description |
|---|---|
| After | The cursor to use for pagination obtained from the Link response header |
| Limit | Specifies the number of user results in a page (default: 200) |
Here is a sample JSON input:
{
  "groupId": "00g1234567890abcdef",
  "params": {
    "limit": 100
  }
}
Response
The action returns a list of users in the group, each containing:
- User ID
- User profile information
- User status
- Pagination cursor (after) for next page
Groups: Assign User to Group
Assigns a user to a group in Okta. The Agent can leverage the skill (workflow), which has been designed to add a user to a group, once the user raises a query to do so. Here are some common use cases:
- Access Provisioning: Grant access by adding to groups
- Role Assignment: Assign roles via group membership
- Project Teams: Add users to project-specific groups
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to assign to the group (selected from dropdown) |
| Group | The group to assign the user to (selected from dropdown) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef",
  "groupId": "00g1234567890abcdef"
}
Response
Upon successful assignment, the action returns:
- Confirmation of successful assignment
- HTTP status code 204 (No Content) on success
Groups: Remove User from Group
Removes a user from a group in Okta. The Agent can leverage the skill (workflow), which has been designed to remove a user from a group, once the user raises a query to do so. Here are some common use cases:
- Access Revocation: Remove access by removing from groups
- Role Changes: Update roles via group membership changes
- Project Completion: Remove users from completed project groups
Input Parameters
Here are the input parameters required to set up this action:
Mandatory
| Name | Description |
|---|---|
| User | The user to remove from the group (selected from dropdown) |
| Group | The group to remove the user from (selected from dropdown) |
Here is a sample JSON input:
{
  "userId": "00u1234567890abcdef",
  "groupId": "00g1234567890abcdef"
}
Response
Upon successful removal, the action returns:
- Confirmation of successful removal
- HTTP status code 204 (No Content) on success
Others: Get System Log Events
Retrieves system log events from Okta. The Agent can leverage the skill (workflow), which has been designed to fetch audit logs and system events. Here are some common use cases:
- Security Monitoring: Monitor login attempts and security events
- Audit Compliance: Retrieve logs for compliance reporting
- Incident Investigation: Investigate security incidents
- Activity Tracking: Track user and admin activities
Input Parameters
Here are the input parameters required to set up this action:
Optional
| Name | Description |
|---|---|
| Since | Filters the lower time bound of the log events published property |
| Until | Filters the upper time bound of the log events published property |
| After | Retrieves the next page of results |
| Filter | Filter expression that filters the results. All operators except brackets are supported |
| Query String | Filters log events results by one or more case insensitive keywords |
| Limit | Sets the number of results returned in the response (default: 100) |
| Sort Order | The order of the returned events sorted by the published property. Options: ASCENDING, DESCENDING |
Here is a sample JSON input:
{
  "params": {
    "since": "2025-01-01T00:00:00Z",
    "until": "2025-01-31T23:59:59Z",
    "filter": "eventType eq \"user.session.start\"",
    "limit": 100,
    "sortOrder": "DESCENDING"
  }
}
Response
The action returns a list of system log events, each containing:
- Event UUID
- Event type
- Published timestamp
- Actor information
- Target details
- Outcome (success/failure)
- Client information
- Pagination cursor (after) for next page
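For the Security Monitoring use case, the events returned by the sample filter above can be reduced to a short triage list. The following added example, which is not Leena AI or Okta code, flags client IPs whose failed `user.session.start` events hit several distinct accounts inside one time window and reports which of those accounts later signed in successfully from the same IP. The events are constructed and carry only the fields the check reads; the thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def published(event):
    """Parse the ISO 8601 'published' timestamp (a trailing Z means UTC)."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def result(event):
    return (event.get("outcome") or {}).get("result")


def account(event):
    return (event.get("actor") or {}).get("alternateId")


def find_multi_account_failures(events, min_accounts=3, window_minutes=10):
    """Flag client IPs whose failed sign-ins hit many accounts in one window.

    Returns one finding per IP, sorted by IP. 'succeeded_after' lists accounts
    that signed in from that IP once the failures began: triage these first.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in events:
        ip = (ev.get("client") or {}).get("ipAddress")
        if ev.get("eventType") == "user.session.start" and ip and account(ev):
            by_ip[ip].append(ev)

    findings = []
    for ip in sorted(by_ip):
        evs = sorted(by_ip[ip], key=published)
        failures = [e for e in evs if result(e) == "FAILURE"]
        best, window_start, lo = set(), None, 0
        for hi, failure in enumerate(failures):
            # Shrink from the left until the span fits inside the window.
            while published(failure) - published(failures[lo]) > window:
                lo += 1
            accounts = {account(f) for f in failures[lo:hi + 1]}
            if len(accounts) > len(best):
                best, window_start = accounts, published(failures[lo])
        if len(best) < min_accounts:
            continue
        later_success = {account(e) for e in evs
                         if result(e) == "SUCCESS" and published(e) >= window_start}
        findings.append({
            "ip": ip,
            "window_start": window_start.isoformat(),
            "failed_accounts": sorted(best),
            "succeeded_after": sorted(later_success),
        })
    return findings


def sample_event(n, minute, user, ip, outcome):
    """Build one constructed event with only the fields this check reads."""
    return {
        "uuid": f"constructed-{n:04d}",
        "eventType": "user.session.start",
        "published": f"2025-01-15T09:{minute:02d}:00.000Z",
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": outcome},
    }


# Constructed data: one source fails against three accounts and then signs in
# as one of them; another source is a single user mistyping a password once.
SAMPLE_EVENTS = [
    sample_event(1, 0, "alice@example.com", "203.0.113.10", "FAILURE"),
    sample_event(2, 1, "bob@example.com", "203.0.113.10", "FAILURE"),
    sample_event(3, 2, "carol@example.com", "203.0.113.10", "FAILURE"),
    sample_event(4, 3, "carol@example.com", "203.0.113.10", "SUCCESS"),
    sample_event(5, 5, "dave@example.com", "198.51.100.7", "FAILURE"),
    sample_event(6, 6, "dave@example.com", "198.51.100.7", "SUCCESS"),
]

if __name__ == "__main__":
    for finding in find_multi_account_failures(SAMPLE_EVENTS):
        print(finding)
```

Accounts listed under `succeeded_after` are natural candidates for the Suspend User or Reset Password actions with Revoke Sessions enabled.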
