Okta

Set up Okta for automated tests with TrustCloud!

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your Okta account and Okta Users, Groups, Policies, and roles so that TrustOps can validate and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to Okta metadata

1. Go to the JSON Web Key Generator to generate a ‘JSON Web Key Set (JWKS)’ public/private key pair for TrustOps. Make sure the RSA tab is selected (this is the default) and set the following values:
   1. Key size: 2048.
   2. Key use:signature.
   3. Algorithm:RSA256.
   4. Key ID: This is the identifier of the generated key and can be set to any selection or random value.

   NOTE: This step does not provide TrustCloud with the ability to read any authentication information, usage information, or write or change any data.

   

2. Click on the “Generate” button.
3. The JSON Web Key Generator tool extracts the public key from the key pair automatically. Copy the contents of the Public and Private Key Pair and Public and Private Key Pair set by clicking the “Copy to Clipboard” button under the respective sections. Paste each into a text file to use later.
4. From the Public and Private key pair sets (from the middle section), remove any extraneous keys from the keys array. Only the public key component is needed. The following keys must be kept if they are present:
   1. kty
   2. e
   3. use
   4. kid (if present)
   5. alg
   6. n

   All other keys can be discarded.
   The resulting JWKS file should look something like this:
   

   {
     "keys": [{		
       "kty": "RSA",
       "e": "AQAB",
       "use": "sig",
       "kid": "my_key_id",
       "alg": "RS256",
       "n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"	
      }]
   }
   

5. Go to your Okta admin console. From the console, go to ‘Security’, click on ‘API,’ and then go to the ‘Tokens’ tab.
6. Click on the “Create Token” button. Give your token a name and click on “Create Token” again.
7. Copy the resulting token for later use.
8. Create an OAuth service app and register the public key with the app. Okta service apps are created by sending a POST request to the dynamic client registration endpoint at https://${yourOktaDomain}/oauth2/v1/clients, with a request body containing the information specified below.
   1. Prepare your request by gathering the information you’ll need. The request requires the following parameters:
      1. client_name: TrustCloud
      2. grant_types: client_credentials
      3. token_endpoint_auth_method: private_key_jwt
      4. application_type: service
      5. jwks: The contents of the JWKS file that you created in step 3.
   2. TTo authenticate your request, use an Authorization header set to SSWS {api_token}, where {api_token} is the token copied in step 7.
   3. The request can be sent using any HTTP client, such as Postman or cURL. Below is an example cURL request.

   	curl -X POST \\
     -H 'Accept: application/json' \\
     -H "Authorization: SSWS ${api_token}" \\
     -H 'Content-Type: application/json' \\
     -d '{
       "client_name": "Service Client Name",
       "response_types": ["token"],
       "grant_types": ["client_credentials"],
       "token_endpoint_auth_method": "private_key_jwt",
       "application_type": "service",
       "jwks": {
   	      "keys": [{
   	        "kty": "RSA",
   	        "e": "AQAB",
   	        "use": "sig",
   	        "kid": "O4O",
   	        "alg": "RS256",
   	        "n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"
   	      }]
       }
     }' "<https://$>{yourOktaDomain}/oauth2/v1/clients"
   

9. Make note of the client_id that is returned in the response.
10. In the Okta admin console, go to ‘Applications’ and click on ‘Applications’.
11. Use the client ID you noted in step 9 to find the application you created above in step 8.
12. Click its name, and then go to the ‘Okta API Scopes’ tab.
13. Click Grant next to the following scopes:
    1. Okta.factors.read
    2. Okta.groups.read
    3. Okta.roles.read
    4. Okta.users.read
    5. Okta.policies.read
    6. Okta.apps.read
    7. Okta.logs.read
14. These scopes allow TrustCloud to audit your Okta user, group, role, and policy settings in order to determine adherence to specified controls. It only allows TrustCloud to read metadata – information about your users and their settings. It does not provide TrustCloud with the ability to read any authentication information, usage information, or write or change any data.
15. You need to input your Okta domain URL, the client_id obtained in step 9, and the public and private key pairs obtained from the leftmost section in step 3 into TrustOps. No password or other credentials are required. Only the above-granted scope will be granted access to the delegated account.

You can now delete the token obtained in step 7. Go to ‘Security’, click on ‘API’ menu, and then go to ‘Tokens’ tab, and click on ’Revoke’.