# Connecting to Okta
<a name="connecting-to-okta"></a>

 The Okta API is the programmatic interface to Okta, used for managing large or complex Okta accounts and campaigns. If you're a Okta user, you can connect AWS Glue to your Okta account. Then, you can use Okta as a data source in your ETL jobs. Run these jobs to transfer data between Okta and AWS services or other supported applications. 

**Topics**
+ [AWS Glue support for Okta](okta-support.md)
+ [Policies containing the API operations for creating and using connections](okta-configuring-iam-permissions.md)
+ [Configuring Okta](okta-configuring.md)
+ [Configuring Okta connections](okta-configuring-connections.md)
+ [Reading from Okta entities](okta-reading-from-entities.md)
+ [Okta connection option reference](okta-connection-options.md)
+ [Okta New Account and Developer App creation steps](okta-create-account.md)
+ [Limitations](okta-connector-limitations.md)

# AWS Glue support for Okta
<a name="okta-support"></a>

AWS Glue supports Okta as follows:

**Supported as a source?**  
Yes. You can use AWS Glue ETL jobs to query data from Okta.

**Supported as a target?**  
No.

**Supported Okta API versions**  
 v1. 

# Policies containing the API operations for creating and using connections
<a name="okta-configuring-iam-permissions"></a>

 The following sample policy describes the required AWS permissions for creating and using connections. If you are creating a new role, create a policy that contains the following: 

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:ListConnectionTypes",
        "glue:DescribeConnectionType",
        "glue:RefreshOAuth2Tokens",
        "glue:ListEntities",
        "glue:DescribeEntity"
      ],
      "Resource": "*"
    }
  ]
}
```

------

You can also use the following managed IAM policies to allow access:
+  [ AWSGlueServiceRole ](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole) – Grants access to resources that various AWS Glue processes require to run on your behalf. These resources include AWS Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, AWS Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints. 
+  [ AWSGlueConsoleFullAccess ](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) – Grants full access to AWS Glue resources when an identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console. 

# Configuring Okta
<a name="okta-configuring"></a>

Before you can use AWS Glue to transfer data to or from Okta, you must meet these requirements:

## Minimum requirements
<a name="okta-configuring-min-requirements"></a>
+  You have a Okta account. For more information on creating an account, see [Okta New Account and Developer App creation steps](okta-create-account.md). 
+  Your Okta account is enabled for API access. 
+  You have created a OAuth2 API integration in your Okta account. This integration provides the client credentials that AWS Glue uses to access your data securely when it makes authenticated calls to your account. For more information, refer Steps to Create a Client app and OAuth2.0 credentials: Okta New Account and Developer App Creation Steps 
+  You have a Okta account with a OktaApiToken. Refer to [ Okta documentation ](https://developer.okta.com/docs/guides/create-an-api-token/main/#create-the-token). 

 If you meet these requirements, you’re ready to connect AWS Glue to your Okta account. For typical connections, you don't need do anything else in Okta. 

# Configuring Okta connections
<a name="okta-configuring-connections"></a>

 Okta supports two types of authentication mechanisms: 
+  OAuth auth: Okta supports the `AUTHORIZATION_CODE` grant type. 
  +  This grant type is considered “three-legged” OAuth as it relies on redirecting users to the third party authorization server to authenticate the user. It is used when creating connections via the AWS Glue Console. The AWS Glue Console will redirect the user to Okta where the user must login and allow AWS Glue the requested permissions to access their Okta instance. 
  +  Users may opt to create their own connected app in Okta and provide their own client ID and client secret when creating connections through the AWS Glue Console. In this scenario, they will still be redirected to Okta to login and authorize AWS Glue to access their resources. 
  +  This grant type results in a refresh token and access token. The access token is short lived, and may be refreshed automatically without user interaction using the refresh token. 
  +  For more information, see [ public Okta documentation on creating a connected app for Authorization Code OAuth flow ](https://developers.google.com/workspace/guides/create-credentials). 
+  Custom auth: 
  +  For public Okta documentation on generating the required API keys for custom authorization, see [ Okta documentation ](https://developer.okta.com/docs/guides/create-an-api-token/main/#create-the-token). 

To configure an Okta connection:

1.  In AWS Secrets Manager, create a secret with the following details. It is required to create a secret for each connection in AWS Glue. 

   1.  For OAuth auth: 
      +  For customer managed connected app – Secret should contain the connected app Consumer Secret with `USER_MANAGED_CLIENT_APPLICATION_CLIENT_SECRET` as key. 

   1.  For Custom auth: 
      +  For customer managed connected app - Secret should contain the connected app Consumer Secret with `OktaApiToken` as key. 

1. In AWS Glue Studio, create a connection under **Data Connections** by following the steps below: 

   1.  Under Connections, choose **Create connection**. 

   1. When selecting a **Data Source**, select Okta.

   1. Provide your Okta subdomain.

   1. Select the Okta Domain URL of your Okta account.

   1.  Select the IAM role which AWS Glue can assume and has permissions for following actions: 

------
#### [ JSON ]

****  

      ```
      {
        "Version":"2012-10-17",		 	 	 
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "secretsmanager:DescribeSecret",
              "secretsmanager:GetSecretValue",
              "secretsmanager:PutSecretValue",
              "ec2:CreateNetworkInterface",
              "ec2:DescribeNetworkInterfaces",
              "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
          }
        ]
      }
      ```

------

   1.  Select Authentication Type to connect to data source. 

   1.  For OAuth2 authentication type, provide the **User Managed Client Application ClientId** of the Okta app. 

   1.  Select the `secretName` which you want to use for this connection in AWS Glue to put the tokens. 

   1.  Select the network options if you want to use your network. 

1.  Grant the IAM role associated with your AWS Glue job permission to read `secretName`. 

1.  In your AWS Glue job configuration, provide `connectionName` as an **Additional network connection**. 

# Reading from Okta entities
<a name="okta-reading-from-entities"></a>

 **Prerequisites** 
+  A Okta Object you would like to read from. Refer the supported entities table below to check the available entities. 

 **Supported entities** 


| Entity | Can be Filtered | Supports Limit | Supports Order By | Supports Select \$1 | Supports Partitioning | 
| --- | --- | --- | --- | --- | --- | 
| Applications | Yes | Yes | No | Yes | No | 
| Devices | Yes | Yes | No | Yes | Yes | 
| Groups | Yes | Yes | Yes | Yes | Yes | 
| Users | Yes | Yes | Yes | Yes | Yes | 
| User Types | No | No | No | Yes | No | 

 **Example** 

```
okta_read = glueContext.create_dynamic_frame.from_options(
    connection_type="Okta",
    connection_options={
        "connectionName": "connectionName",
        "ENTITY_NAME": "applications",
        "API_VERSION": "v1"
    }
```

 **Okta entity and field details** 

 Entities list: 
+  Application: [ https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/ ](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/) 
+  Device: [ https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Device/ ](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Device/) 
+  Group: [ https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/ ](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) 
+  User: [ https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/ ](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) 
+  User Type: [ https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/ ](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) 

 **Partitioning queries** 

 Additional spark options `PARTITION_FIELD`, `LOWER_BOUND`, `UPPER_BOUND`, `NUM_PARTITIONS` can be provided if you want to utilize concurrency in Spark. With these parameters, the original query would be split into `NUM_PARTITIONS` number of sub-queries that can be executed by spark tasks concurrently. 
+  `PARTITION_FIELD`: the name of the field to be used to partition query. 
+  `LOWER_BOUND`: an inclusive lower bound value of the chosen partition field. 

   For date, we accept the Spark date format used in Spark SQL queries. Example of valid values: `"2024-02-06"`. 
+  `UPPER_BOUND`: an exclusive upper bound value of the chosen partition field. 
+  `NUM_PARTITIONS`: number of partitions. 

 **Example** 

```
okta_read = glueContext.create_dynamic_frame.from_options(
    connection_type="okta",
    connection_options={
        "connectionName": "connectionName",
        "ENTITY_NAME": "lastUpdated",
        "API_VERSION": "v1",
        "PARTITION_FIELD": "lastMembershipUpdated"
        "LOWER_BOUND": "2022-08-10T10:28:46.000Z"
        "UPPER_BOUND": "2024-08-10T10:28:46.000Z"
        "NUM_PARTITIONS": "10"
    }
```

# Okta connection option reference
<a name="okta-connection-options"></a>

The following are connection options for Okta:
+  `ENTITY_NAME`(String) - (Required) Used for Read/Write. The name of your Object in Okta. 
+  `API_VERSION`(String) - (Required) Used for Read/Write. Okta Rest API version you want to use. Example: v1. 
+  `SELECTED_FIELDS`(List<String>) - Default: empty(SELECT \$1). Used for Read. Columns you want to select for the object. 
+  `FILTER_PREDICATE`(String) - Default: empty. Used for Read. It should be in the Spark SQL format. 
+  `QUERY`(String) - Default: empty. Used for Read. Full Spark SQL query. 
+  `PARTITION_FIELD`(String) - Used for Read. Field to be used to partition query. 
+  `LOWER_BOUND`(String)- Used for Read. An inclusive lower bound value of the chosen partition field. 
+  `UPPER_BOUND`(String) - Used for Read. An exclusive upper bound value of the chosen partition field. 
+  `NUM_PARTITIONS`(Integer) - Default: 1. Used for Read. Number of partitions for read. 

# Okta New Account and Developer App creation steps
<a name="okta-create-account"></a>

 Create a developer account on Okta for getting access to the Okta API. A free Okta developer account gives access to most key developer features required for accessing Okt API. 

**To create a developer account on Okta**

1.  Navigate to [https://developer.okta.com/signup/](https://console.cloud.google.com). 

1.  Enter account information email, first name, last name and country/region. Choose ** I’m not a robot** and then, **Signup**. 

1.  A verification mail is sent to your registered mail id. You will receive a link in your email for activating your Okta developer account. Choose **Activate**. 

1.  You will be redirected to password reset page. Enter the new password twice and choose ** Reset password**. 

1.  You will be redirected to your Okta developer account dashboard. 

**To create a client app and OAuth 2.0 credentials**

1.  In the developer dashboard, choose create app integration.   
![\[The screenshot shows the Create OAuth client ID page and the Authorised redirect URIs section. Here, add the URIs and choose ADD URI if needed. Once done, choose CREATE.\]](http://docs.aws.amazon.com/glue/latest/dg/images/create-client-app-step-1.png)

1.  The **Create a new app Integration** window will appear and present various sign-in methods. Select **OIDC –OpenID Connect**. 

1.  Scroll down to the Application type section. Select as a **Web Application** and choose **Next**. 

1.  On the "New Web App Integration" screen, fill following information: 
   + App integration name - Enter the name of the app. 
   + Grant type - Choose **Authorization Code** and **Refresh Token** from the list.
   + Sign-in redirect URIs - Choose **Add URI ** and add `https://{regioncode}.console.aws.amazon.com/appflow/oauth`. For example, if you are using `us-west-2 (Oregon)` you can add `https://us-east-1.console.aws.amazon.com/appflow/oauth`.
   + Controlled Access - Assign the app to your user groups as you require and choose **Save**.

1. Your Client Id and Client Secret is generated.

# Limitations
<a name="okta-connector-limitations"></a>

The following are limitations for the Okta connector:
+  For ‘Applications’ entity only one filter can be applied. If more than 1 filter is applied then 400 Bad Request is return with error summary –‘Invalid Search criteria’. 
+  Order by can be supported with search queries only. For example, ` http://dev-15940405.okta.com/api/v1/groups?search=type e.q. "OKTA_GROUP"&sortBy=lastUpdated&sortOrder=asc `