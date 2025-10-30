Version: 18.x

Okta has its own permissions system that doesn't directly map into Teleport. This includes permissions granted by Okta groups along with the assignment of users to individual applications within Okta. To model this within Teleport, an administrator would typically need to carefully craft a labeling system to attach to various Okta apps and groups and a set of roles to go along with them.

With the synchronization of Okta apps and groups as Teleport Access List feature in the Okta integration, this work is performed for you. This guide explains how to set up Okta app and the sync.

In Teleport, the Okta Access List synchronizer looks for any Okta group with members or any Okta application with individual assignments that matches filters that you can optionally supply during Okta integration enrollment. The synchronizer creates the following resources for each matched Okta group or application:

A role for members that grants access to the group/application.

A role for owners that grants the ability to review access to the group/application.

An Access List representing membership to the group/application.

Members for the Access List.

All synchronized Okta users are assigned a builtin okta-requester role which allows to request access to the synchronized resources. This role assignment can be disabled with --no-assign-default-roles flag when creating the integration with tctl or can be disabled with tctl edit plugins/okta by setting okta.sync_settings.disable_assign_default_roles: true . Note that unless the connector was created manually, this role is also assigned by default in the auth connector role mapping and needs to be updated there for the change to take effect.

It should be noted that the Access List sync waits until the Okta groups and Okta applications has finished syncing as Teleport resources, so it may not start synchronizing immediately on startup.

Only Okta user groups with assignments will be imported as Teleport Access Lists. If an Okta User Group has no assignments, it will not be imported until it has assignments. If the last user is removed from the Access List, the Access List will be removed from Teleport on the next sync.

A running Teleport Enterprise cluster. If you do not have one, read Getting Started.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: TELEPORT_DOMAIN= teleport.example.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



Teleport Identity Governance enabled on your account.

An Okta authentication connector. important Before following the guided app and group sync integration flow, you must have completed the following: Guided Okta single sign-on flow. Guided Okta user sync flow.

(Optional) The Okta SCIM integration. You can follow the guided integration flow.

To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username: teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

An Okta organization with admin access.

Enabling the Okta integration with bidirectional sync enabled will make Teleport take ownership over app and group assignments in Okta and can make changes within Okta based on your Teleport RBAC configuration. To limit the scope of the integration, ensure that:

(Optional) You have organized your Okta applications and groups into Okta resource sets, which allow you to limit the scope your Okta access token.

The first step of setting up Okta Access List synchronization is defining default Access List owners. You can select any number of default owners or manually enter the owners if they do not yet exist in the system. These owners can be later changed and will not be overwritten by the Okta Access List synchronization process.

Make sure you are on the Sync User Groups and App Assignments page. If you are not, visit the integration status page by navigating to Access -> Integrations and clicking anywhere on the Okta integration row. Then visit the Sync User Groups and App Assignments page. Under Add Default List Owner(s), enter the names of Teleport users to the dropdown menu.

After configuring default owners, you can customize which Okta user groups and applications should be imported. By default, all user groups and applications will be imported. This section shows you how to configure the Okta integration to import certain user groups and applications as Access Lists.

If you would like to import all user groups and applications, click Submit Configuration at the bottom of the menu.

To configure user group and application imports:

In the Teleport Web UI, make sure you are on the Sync User Groups and App Assignments page. In Step 2, deselect the Sync All User Groups switch. In the box labeled Filter by Group Name(s), enter names of Okta user groups to import. When specifying a user group, you can use globs ( * characters) or regular expressions. Globs represent arbitrary values. Regular expressions must begin with ^ and end with $ , and use the Google RE2 regular expression syntax. When filters are added, the list of user groups will update with the results of your filter applied. If no filters are provided, Teleport treats the value as the wildcard * , even if the Sync All User Groups switch is unchecked. In Step 3, repeat these steps for applications. As with user groups, you can optionally deselect Sync All Applications and enter application names, including any globs and regular expressions.

Only Okta user groups and applications with assignments will be imported as an Access List. If an Okta user group or application has no assignments, it will not be imported until it has assignments. If the last user is removed from the Access List, the Access List will be removed from Teleport on the next sync.

note You can also filter Okta apps and user groups using Okta resource sets, but this doesn't support globbing and regular expressions.

Teleport supports nested Access Lists, where an Access List can include other Access Lists as members, creating a hierarchical structure. However, Okta does not support nested groups. This section describes the logic the Teleport Okta integration uses to support Access Lists.

When synchronizing nested Access Lists from Teleport to Okta, the synchronizer flattens nested Access Lists.

Members in Access Lists, from all levels of nesting, are aggregated into a single, flat list of members when synchronized to Okta. This ensures that all users who should have access according to the Teleport hierarchy are included in the corresponding Okta group or application.

For example, consider the following Teleport Access List structure:

Access List A : Members: User1 Nested Members: Access List B

: Access List B : Members: User2, User3

:

This structure will have the following representation in Okta:

Group/Application for Access List A: Members: User1, User2, User3



By flattening the Teleport hierarchy, all users receive the permissions associated with the root-level Access List in Okta.

When synchronizing from Okta to Teleport, the synchronizer handles the flattened structure from Okta by attempting to map it back to the Teleport hierarchy. It compares the flattened list of members from Okta against the existing Access List hierarchy in Teleport.

If there are new users added in Okta that are not present in the Teleport Access List hierarchy, these users are added as members at the root-level Access List in Teleport. This approach maintains the hierarchical structure within Teleport while ensuring that access changes made in Okta are reflected appropriately.

For example, considering the following Okta group/application for Access List A in the previous section:

Okta Group/Application for Access List A : Members: User1, User2, User3, User4 (User4 is a new member added in Okta)

:

The synchronizer applies the following update:

Access List A : Members: User1, User4 Nested Members: Access List B

: Access List B : Members: User2, User3

:

Access Lists synchronized from Okta will automatically be deleted when there are no members assigned to them in Okta or when they are deleted in Okta.

warning It is possible for an administrator to delete Access Lists, but this should only be done once the Okta integration has been removed and/or Access List synchronization is disabled. This could remove all users from the Okta group or application that's being targeted!

When first synchronizing an Access List, the owners of the Access List will be set to the default owners configured during the initial Okta integration enrollment, and the initial review date will be set 6 months from the configured date. These fields are modifiable, as are the owner and membership requirements. However, you will not be able to change grants, as these belong to the Okta Access List synchronizer.

The owners of an Okta synchronized Access List will be preserved between runs.