Architecture of the Okta Service

This document will go into details on how the Okta Service is organized and how it functions.

Teleport provides an Okta Service that is responsible for dealing with all interactions with Okta. There are three main components of the Okta Service:

Synchronization

User access

Access Requests

The Okta Service uses an Okta API token and endpoint in order to interact with Okta's API. The API is used to import applications and user groups and manage assignments.

The synchronization process runs periodically in the Okta Service, occurring every 10 minutes. This service will import Okta applications, user groups and (if Teleport Identity is enabled) Okta users into Teleport, cleaning up any resources that no longer exist in Okta.

During synchronization, labels can be customized for imported applications and user groups through the use of Okta Import Rules. These objects can be created by administrators of the Teleport cluster and they will be automatically picked up during the next synchronization run.

kind: okta_import_rule version: v1 metadata: name: test-rule description: "Okta import rule for admins" spec: priority: 10 mappings: - match: - app_ids: [ "app1" , "app2" ] add_labels: app_label: app_label_value - match: - group_ids: [ "group1" , "group2" ] add_labels: label1: value1 - match: - app_name_regexes: [ "^okta.*$" , "app*" ] add_labels: app_label: app_label_value - match: - group_name_regexes: [ "^okta.*$" , "app*" ] add_labels: label1: value1

Upon logging into Teleport, users will be granted access to the Okta applications and user groups that they have access to within Teleport. If a user has RBAC access to an application or user group, it will be reflected within Okta.

Users can use Teleport's Just-in-time Access Requests in order to request temporary access to Okta applications and user groups. Upon expiration of the access request, the access granted will be revoked within Okta.

