Support Β· Installation Β· License Β· Related Integrations
The Okta Orchestrator Extension allows you to manage Okta Apps and IdPs as certificate stores in Keyfactor. This extension supports both inbound SAML (IdPs) and outbound SAML (Apps) integrations with Okta.
The Okta Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to use one, or both of these Certificate Store Types. Descriptions of each are provided below.
This integration is compatible with Keyfactor Universal Orchestrator version 24.5 and later.
The Okta Universal Orchestrator extension is open source and there is no SLA. Keyfactor will address issues and feature requests as resources become available. Keyfactor customers may request escalation by opening up a support ticket through their Keyfactor representative.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute bug fixes or additional enhancements, use the Pull requests tab.
Before installing the Okta Universal Orchestrator extension, we recommend that you install kfutil. Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.
- Apps: Okta's term for internal SAML integrations.
- IdPs: Okta's term for external SAML identity providers.
- When manually adding an Okta cert store, use the App ID or IdP ID as the Store Path.
You need an Okta API token to use this extension. Create one in your Okta admin console under Security => API => Tokens.
Example App ID:
- https://trial-1.okta.com/admin/app/trial-1_testapp/instance/0000000Z697
- The App ID is the value after
instance/
Example:0000000Z697
Example IdP ID:
- Go to Access => Identity Providers in your Okta admin portal
(e.g.,https://trial-1.okta.com/admin/access/identity-providers) - The IdP ID is listed for each IdP in that view.
Running a Discovery job automatically finds all Okta Apps/IdPs that have certificates (depending on the store type you set up) and creates a Cert Store for each App/IdP.
Before reenrolling a certificate, review the Reenrollment section for both cert store types. It contains critical operational guidance that must be followed.
To use the Okta Universal Orchestrator extension, you must create the Certificate Store Types required for your use-case. This only needs to happen once per Keyfactor Command instance.
The Okta Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to use one, or both of these Certificate Store Types.
Click to expand details
The OktaAPP cert store type represents an Okta App (used for outbound SAML).
| Operation | Is Supported |
|---|---|
| Add | π² Unchecked |
| Remove | π² Unchecked |
| Discovery | β Checked |
| Reenrollment | β Checked |
| Create | π² Unchecked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand OktaApp kfutil details
This will reach out to GitHub and pull the latest store-type definition
# OktaApp
kfutil store-types create OktaAppIf required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the OktaApp store type manually in the Keyfactor Command Portal
Click to expand manual OktaApp details
Create a store type called OktaApp with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | OktaApp | Display name for the store type (may be customized) |
| Short Name | OktaApp | Short display name for the store type |
| Capability | Store type name orchestrator will register with. Check the box to allow entry of value | |
| Supports Add | π² Unchecked | Indicates that the Store Type supports Management Add |
| Supports Remove | π² Unchecked | Indicates that the Store Type supports Management Remove |
| Supports Discovery | β Checked | Check the box. Indicates that the Store Type supports Discovery |
| Supports Reenrollment | β Checked | Indicates that the Store Type supports Reenrollment |
| Supports Create | π² Unchecked | Indicates that the Store Type supports store creation |
| Needs Server | β Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | π² Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | π² Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | π² Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | π² Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|---|---|---|---|---|
| DefaultValidityYears | DefaultValidityYears | Number of years the certificate will be valid for by default. Required by Okta. | String | 1 | β Checked |
The Custom Fields tab should look like this:
| Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry |
|---|---|---|---|---|---|---|---|---|
| SANList | SANList | This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN. | String | π² Unchecked | π² Unchecked | π² Unchecked | β Checked | |
| ActivateCredential | ActivateCredential | This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG. | Bool | false | π² Unchecked | π² Unchecked | π² Unchecked | β Checked |
The Entry Parameters tab should look like this:
Click to expand details
The OktaIdP cert store type represents an Okta IdP (used for inbound SAML).
| Operation | Is Supported |
|---|---|
| Add | π² Unchecked |
| Remove | π² Unchecked |
| Discovery | β Checked |
| Reenrollment | β Checked |
| Create | π² Unchecked |
kfutil is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
For more information on kfutil check out the docs
Click to expand OktaIdP kfutil details
This will reach out to GitHub and pull the latest store-type definition
# OktaIdP
kfutil store-types create OktaIdPIf required, it is possible to create store types from the integration-manifest.json included in this repo. You would first download the integration-manifest.json and then run the following command in your offline environment.
kfutil store-types create --from-file integration-manifest.jsonBelow are instructions on how to create the OktaIdP store type manually in the Keyfactor Command Portal
Click to expand manual OktaIdP details
Create a store type called OktaIdP with the attributes in the tables below:
| Attribute | Value | Description |
|---|---|---|
| Name | OktaIdP | Display name for the store type (may be customized) |
| Short Name | OktaIdP | Short display name for the store type |
| Capability | Store type name orchestrator will register with. Check the box to allow entry of value | |
| Supports Add | π² Unchecked | Indicates that the Store Type supports Management Add |
| Supports Remove | π² Unchecked | Indicates that the Store Type supports Management Remove |
| Supports Discovery | β Checked | Check the box. Indicates that the Store Type supports Discovery |
| Supports Reenrollment | β Checked | Indicates that the Store Type supports Reenrollment |
| Supports Create | π² Unchecked | Indicates that the Store Type supports store creation |
| Needs Server | β Checked | Determines if a target server name is required when creating store |
| Blueprint Allowed | π² Unchecked | Determines if store type may be included in an Orchestrator blueprint |
| Uses PowerShell | π² Unchecked | Determines if underlying implementation is PowerShell |
| Requires Store Password | π² Unchecked | Enables users to optionally specify a store password when defining a Certificate Store. |
| Supports Entry Password | π² Unchecked | Determines if an individual entry within a store can have a password. |
The Basic tab should look like this:
| Attribute | Value | Description |
|---|---|---|
| Supports Custom Alias | Forbidden | Determines if an individual entry within a store can have a custom Alias. |
| Private Key Handling | Forbidden | This determines if Keyfactor can send the private key associated with a certificate to the store. Required because IIS certificates without private keys would be invalid. |
| PFX Password Style | Default | 'Default' - PFX password is randomly generated, 'Custom' - PFX password may be specified when the enrollment job is created (Requires the Allow Custom Password application setting to be enabled.) |
The Advanced tab should look like this:
For Keyfactor Command versions 24.4 and later, a Certificate Format dropdown is available with PFX and PEM options. Ensure that PFX is selected, as this determines the format of new and renewed certificates sent to the Orchestrator during a Management job. Currently, all Keyfactor-supported Orchestrator extensions support only PFX.
Custom fields operate at the certificate store level and are used to control how the orchestrator connects to the remote target server containing the certificate store to be managed. The following custom fields should be added to the store type:
| Name | Display Name | Description | Type | Default Value/Options | Required |
|---|---|---|---|---|---|
| DefaultValidityYears | DefaultValidityYears | Number of years the certificate will be valid for by default. Required by Okta. | String | 1 | β Checked |
The Custom Fields tab should look like this:
| Name | Display Name | Description | Type | Default Value | Entry has a private key | Adding an entry | Removing an entry | Reenrolling an entry |
|---|---|---|---|---|---|---|---|---|
| SANList | SANList | This is a comma-separated list of Subject Alternative Names (SANs) to be included in the certificate. Required by Okta. Must contain at least one SAN. | String | π² Unchecked | π² Unchecked | π² Unchecked | β Checked | |
| ActivateCredential | ActivateCredential | This is a boolean indicating whether to activate the certificate in Okta after reenrollment/ODKG. | Bool | true | π² Unchecked | π² Unchecked | π² Unchecked | β Checked |
The Entry Parameters tab should look like this:
-
Download the latest Okta Universal Orchestrator extension from GitHub.
Navigate to the Okta Universal Orchestrator extension GitHub version page. Refer to the compatibility matrix below to determine whether the
net6.0ornet8.0asset should be downloaded. Then, click the corresponding asset to download the zip archive.Universal Orchestrator Version Latest .NET version installed on the Universal Orchestrator server rollForwardcondition inOrchestrator.runtimeconfig.jsonokta-orchestrator.NET version to downloadOlder than 11.0.0net6.0Between 11.0.0and11.5.1(inclusive)net6.0net6.0Between 11.0.0and11.5.1(inclusive)net8.0Disablenet6.0Between 11.0.0and11.5.1(inclusive)net8.0LatestMajornet8.011.6and newernet8.0net8.0Unzip the archive containing extension assemblies to a known location.
Note If you don't see an asset with a corresponding .NET version, you should always assume that it was compiled for
net6.0. -
Locate the Universal Orchestrator extensions directory.
- Default on Windows -
C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions - Default on Linux -
/opt/keyfactor/orchestrator/extensions
- Default on Windows -
-
Create a new directory for the Okta Universal Orchestrator extension inside the extensions directory.
Create a new directory called
okta-orchestrator.The directory name does not need to match any names used elsewhere; it just has to be unique within the extensions directory.
-
Copy the contents of the downloaded and unzipped assemblies from step 2 to the
okta-orchestratordirectory. -
Restart the Universal Orchestrator service.
Refer to Starting/Restarting the Universal Orchestrator service.
-
(optional) PAM Integration
The Okta Universal Orchestrator extension is compatible with all supported Keyfactor PAM extensions to resolve PAM-eligible secrets. PAM extensions running on Universal Orchestrators enable secure retrieval of secrets from a connected PAM provider.
To configure a PAM provider, reference the Keyfactor Integration Catalog to select an extension and follow the associated instructions to install it on the Universal Orchestrator (remote).
The above installation steps can be supplemented by the official Command documentation.
The Okta Universal Orchestrator extension implements 2 Certificate Store Types, each of which implements different functionality. Refer to the individual instructions below for each Certificate Store Type that you deemed necessary for your use case from the installation section.
OktaApp (OktaApp)
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "OktaApp" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This should contain your Okta URL (e.g. https://trial-1111.okta.com). Store Path This should contain the Okta App ID (please see overview for description). Orchestrator Select an approved orchestrator capable of managing OktaAppcertificates. Specifically, one with the `` capability.DefaultValidityYears Number of years the certificate will be valid for by default. Required by Okta.
Click to expand details
-
Generate a CSV template for the OktaApp certificate store
kfutil stores import generate-template --store-type-name OktaApp --outpath OktaApp.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "OktaApp" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This should contain your Okta URL (e.g. https://trial-1111.okta.com). Store Path This should contain the Okta App ID (please see overview for description). Orchestrator Select an approved orchestrator capable of managing OktaAppcertificates. Specifically, one with the `` capability.Properties.DefaultValidityYears Number of years the certificate will be valid for by default. Required by Okta. -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name OktaApp --file OktaApp.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| ServerUsername | Username to use when connecting to server |
| ServerPassword | Password to use when connecting to server |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
The Inventory job inventories all certificates associated with the given Okta App.
The alias records the App ID and the Okta Key Credential ID (as specified by KeyCred) associated with each certificate.
Important: Even if you set the Activate entry parameter to true, additional manual steps are required to fully enable the reenrolled certificate for use by your Okta App. Users will not be able to access the App until these steps are completed. See Okta's guide:
https://developer.okta.com/docs/guides/sign-your-own-saml-csr/main/#upload-the-new-certificate-to-the-isv
Subject format (required):
CN=test, OU=test, O=test, L=test, ST=test, C=test
Only the CN, OU, O, L, ST, C attributes are allowed in the subject.
If you set Activate = true, the certificate generated through reenrollment/ODKG is automatically activated for use by the Okta App after issuance.
SANList requirement: Provide DNS Subject Alternative Names as a comma-separated list. It must include at least the same DNS name as the CN.
Example: if CN=test.com, then SANList must include test.com (e.g., test.com, test2.com).
OktaIdP (OktaIdP)
Click to expand details
-
Navigate to the Certificate Stores page in Keyfactor Command.
Log into Keyfactor Command, toggle the Locations dropdown, and click Certificate Stores.
-
Add a Certificate Store.
Click the Add button to add a new Certificate Store. Use the table below to populate the Attributes in the Add form.
Attribute Description Category Select "OktaIdP" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This should contain your Okta URL (e.g. https://trial-1111.okta.com). Store Path This should contain the Okta IdP ID (please see overview for description). Orchestrator Select an approved orchestrator capable of managing OktaIdPcertificates. Specifically, one with the `` capability.DefaultValidityYears Number of years the certificate will be valid for by default. Required by Okta.
Click to expand details
-
Generate a CSV template for the OktaIdP certificate store
kfutil stores import generate-template --store-type-name OktaIdP --outpath OktaIdP.csv
-
Populate the generated CSV file
Open the CSV file, and reference the table below to populate parameters for each Attribute.
Attribute Description Category Select "OktaIdP" or the customized certificate store name from the previous step. Container Optional container to associate certificate store with. Client Machine This should contain your Okta URL (e.g. https://trial-1111.okta.com). Store Path This should contain the Okta IdP ID (please see overview for description). Orchestrator Select an approved orchestrator capable of managing OktaIdPcertificates. Specifically, one with the `` capability.Properties.DefaultValidityYears Number of years the certificate will be valid for by default. Required by Okta. -
Import the CSV file to create the certificate stores
kfutil stores import csv --store-type-name OktaIdP --file OktaIdP.csv
Attributes eligible for retrieval by a PAM Provider on the Universal Orchestrator
If a PAM provider was installed on the Universal Orchestrator in the Installation section, the following parameters can be configured for retrieval on the Universal Orchestrator.
| Attribute | Description |
|---|---|
| ServerUsername | Username to use when connecting to server |
| ServerPassword | Password to use when connecting to server |
Please refer to the Universal Orchestrator (remote) usage section (PAM providers on the Keyfactor Integration Catalog) for your selected PAM provider for instructions on how to load attributes orchestrator-side.
Any secret can be rendered by a PAM provider installed on the Keyfactor Command server. The above parameters are specific to attributes that can be fetched by an installed PAM provider running on the Universal Orchestrator server itself.
The content in this section can be supplemented by the official Command documentation.
The Inventory job inventories all certificates associated with the given Okta IdP.
The alias records the IdP ID and the Okta Key Credential ID (as specified by KeyCred) associated with each certificate.
Important: Even if you set the Activate entry parameter to true, additional manual steps are required to fully enable the reenrolled certificate for use by your Okta IdP. Users will not be able to access the IdP until these steps are completed. See Okta's guide:
https://developer.okta.com/docs/guides/sign-your-own-saml-csr/main/#upload-the-new-certificate-to-the-isv
Subject format (required):
CN=test, OU=test, O=test, L=test, ST=test, C=test
Only the CN, OU, O, L, ST, C attributes are allowed in the subject.
If you set Activate = true, the certificate generated through reenrollment/ODKG is automatically activated for use by the Okta IdP after issuance.
SANList requirement: Provide DNS Subject Alternative Names as a comma-separated list. It must include at least the same DNS name as the CN.
Example: if CN=test.com, then SANList must include test.com (e.g., test.com, test2.com).
OktaApp
- Set your client machine to your Okta instance URL (for example,
https://trial-admin.okta.com). - Set your server password to your Okta API token value.
- Set your server username to any non-empty placeholder string (some Keyfactor versions require a username to schedule a discovery job; the value is not used).
- Set directories to search to any non-empty placeholder string (for example,
test). This value is not used but cannot be empty due to internal Keyfactor rules.
The job discovers all Okta Apps that have certificates. Each App is recorded as a Cert Store.
OktaIdP
- Set your client machine to your Okta instance URL (for example,
https://trial-admin.okta.com). - Set your server password to your Okta API token value.
- Set your server username to any non-empty placeholder string (some Keyfactor versions require a username to schedule a discovery job; the value is not used).
- Set directories to search to any non-empty placeholder string (for example,
test). This value is not used but cannot be empty due to internal Keyfactor rules.
The job discovers all Okta IdPs that have certificates. Each IdP is recorded as a Cert Store.
Apache License 2.0, see LICENSE.