Enable user access management of Okta Integration Network (OIN) apps
For Okta Enterprise users, Productiv enables admins to remove user app access based on a user's application usage history.
Once the Okta user access management connector is properly set up, you can create Productiv deprovisioning workflows that remove app access via Okta based on the app usage insights in Productiv.
For details on steps to take post-setup, see Use the Okta user access management connector.
Connector setup procedure
The setup process starts at the Productiv console, then moves to the Okta Admin console, and then returns to the Productiv console. The process takes less than 10 minutes to complete.
In the Productiv console:
- Navigate to the Settings page from the left-side menu.
- Open the “Access management” tab. Under SSO connectors, Productiv displays the Okta user access management tile.
- Click the Configure button on the tile. Productiv displays the “Connect Okta for automatic license provisioning” page.
The next steps of this setup procedure are done in your Okta instance.
Note: The following steps duplicate (and slightly update) the material that is available by clicking the Productiv console's Setup Guide - User access management - Okta link.
In the Okta Admin Dashboard:
The following steps create an API token that grants the Productiv Admin API access to your Okta instance. They can only be performed by a user account that has both Group Admin and App Admin permissions.
- Log in to your Okta enterprise website, which should have a name similar to https://yourdomain.okta.com
- At the right side of the header bar, click Admin. Okta displays the Admin Dashboard.
- In the header tabs, navigate to Security > API.
- To generate an API token, click Create Token.
- Name the token Productiv, then click Create Token.
Note: For security reasons, the value of this token is displayed only once. It’s very important to copy the token value to both the clipboard AND also to one other secure location where it won’t be lost.
- Once the token is successfully created, Okta provides a way to copy the token value. Click the Copy to clipboard icon.
The final steps of the process are completed back at the Productiv console.
At the Productiv console:
- Return to the “Connect Okta for automatic license provisioning” page. Scroll down to Setup.
- In the Setup section, under From Okta, paste the value for the token you just created at the Okta Admin Dashboard, and enter the URL for your Okta Enterprise instance.
- If desired, enter notes in the For use in Productiv window.
- Click Authorize.
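An Okta API token inherits the permissions of the admin account that creates it, so the account used for the Okta steps above decides what the token handed to Productiv can do. The following is an added example (not Productiv or Okta code) that checks a role listing for that account against the two roles this page names. The JSON shape follows Okta's role-assignment objects, the sample data is constructed, and reporting any other role as "extra" is a least-privilege assumption rather than a Productiv requirement.

```python
import json

# Okta role "type" values for the two roles this page requires.
# USER_ADMIN is Okta's API name for the Group Administrator role.
REQUIRED = {"USER_ADMIN", "APP_ADMIN"}


def audit_token_owner(roles_json):
    """Compare the token owner's active roles with the roles the page names.

    roles_json: JSON array of role assignments, each with "type" and "status".
    Returns missing roles, extra roles, and an overall ok flag.
    """
    roles = json.loads(roles_json)
    # Only ACTIVE assignments count toward what the token can actually do.
    active = {r["type"] for r in roles if r.get("status") == "ACTIVE"}
    missing = sorted(REQUIRED - active)
    extra = sorted(active - REQUIRED)  # assumption: anything else is excess
    return {"missing": missing, "extra": extra, "ok": not missing and not extra}


# Constructed sample: a dedicated service account with exactly the two roles.
SERVICE_ACCOUNT = json.dumps([
    {"type": "USER_ADMIN", "label": "Group Administrator", "status": "ACTIVE"},
    {"type": "APP_ADMIN", "label": "Application Administrator", "status": "ACTIVE"},
])

# Constructed sample: a personal account holding a broader role instead.
PERSONAL_ADMIN = json.dumps([
    {"type": "SUPER_ADMIN", "label": "Super Administrator", "status": "ACTIVE"},
])

# Constructed sample: App Admin was assigned but is no longer active.
STALE_ASSIGNMENT = json.dumps([
    {"type": "USER_ADMIN", "label": "Group Administrator", "status": "ACTIVE"},
    {"type": "APP_ADMIN", "label": "Application Administrator", "status": "INACTIVE"},
])

if __name__ == "__main__":
    samples = {
        "service account": SERVICE_ACCOUNT,
        "personal admin": PERSONAL_ADMIN,
        "stale assignment": STALE_ASSIGNMENT,
    }
    for name, sample in samples.items():
        print(name, audit_token_owner(sample))
```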
Validating the connector
The best way to validate the user access management connector is to begin setting up a workflow rule on an app known to be connected through Okta SSO, and verify that Remove SSO Access via Okta is included among the possible Action methods.
For a step-by-step example of how to do that, see Use the Okta user access management connector.
Troubleshooting
If an application instance does not display “Remove SSO Access via Okta” as an option on the provisioning rule creation page, this could be because:
- The instance is an SSO-discovered instance, but not an Okta-discovered instance.
- The instance is an Okta-discovered instance, but that particular Okta instance does not have a user access management connector connected.
- The instance is connected directly to Productiv, but does not have any activity through an Okta instance with a user access management connector connected.
If none of the above conditions seem to apply, either contact Productiv Support directly, or Submit a Request.