Certifying Access for Disconnected Application in Okta

The beauty with Okta is that there are over 500 applications in the Okta Integration Network that enables Admins to automate the user lifecycle. For these apps, Okta Identity Governance enables immediate remediation based on access reviews.

There are still many applications that don’t and won’t support this, which creates a challenge when it comes to reviewing and revoking its users access. A good example of this is when a manager needs to certify their employees access to a Financial Service system that doesn’t have any API integrations. This article will show you how to govern access to these “Disconnected” applications.

To accomplish this at a high level:

  1. In Okta, add a CSV directory 
  2. (Optional) Configure a custom attribute for reviewers to attest the user’s entitlement during the campaign
  3. Create a CSV with a list of users to import to Okta via the On-Premise Provisioning (OPP) agent
    • Bonus: Create a process to regenerate the CSV on a frequent basis
  1. On a server, download and install the OPP agent, connect it to Okta
  2. In Okta, import users from the CSV and match them to existing Okta users
  3. Configure Okta Workflows for access revocation 
  4. Create an access certification campaign around the disconnected application

Step-by-step instructions:

Step 1:

  • Navigate to Directory > Directory Integrations and select Add Directory
  • Add the CSV Directory and provide the name for the application 

Step 2:

  • Navigate to Directory > Profile Editor and search for the newly added CSV directory application and select it
  • Add a new attribute within the application profile to provide user-specific information about their entitlement to the application to provide additional context for the access certification reviewer
  • Here are the supported attributes for entitlement details
    • Role (role) – string – define a single user role (recommended)
    • Roles (roles) – string array – define multiple user roles. CSV doesn’t support array but this can be done by parsing data with the Okta Expression Language 
    • Licenses (licenses) – string array – define user assigned license(s)

Step 3:

  • Generate a CSV that matches the Okta expected CSV template/format 
  • Here’s a sample CSV template
    • Bonus: Ideally, you’ll want to have the disconnected app be able to automatically generate this CSV on a set scheduled. However, if the application isn’t able to generate this CSV, this will have to be a manual process.

Step 4:

  • Bonus:
    • Navigate to the To Okta setting and specify an import schedule along with enabling the Auto-confirm exact/partial matches
    • I do NOT recommend enabling Confirm new users into Okta so that we don’t create new users as this would most likely be a downstream application

Step 5: 

  • Navigate to the Import tab and run an import
  • Once the user has been imported and matched to an existing user, you can check the People tab and review the user’s entitlement. You’ll see the value that was specified in the CSV

Step 6:

Step 7:

  • Create an access certification campaign for the disconnected application using Okta Identity Governance
  • Ensure that the Revoked action is set to Don’t take any action so that the remediation can be done out-of-band and have it be reflected in the CSV in the next import schedule.
  • As a reviewer/certifier of the access, you can now certify the user’s access and have an out-of-band remediation process

Leave a Reply