Sync with Okta

This page describes how to set up Foxpass to sync your directory with Okta.

1. Create a new Okta user

It's under "Admin", then "Directory > People > Add Person".

Click Add Person

Add your user details and click Save.

Add Person

2. Make that user a read-only admin

Go to "Admin", then "Security", then "Administrators". Give your user Read-Only admin rights.

3. Get that user's API key

Log into Okta as the Foxpass user you created in step 1. Then generate an API key by going to Security > API > Create Token. Refer to Okta's instructions for details.

4. Enter your Okta credentials into Foxpass

Go to the Foxpass 'Sync' page. Click on the "Okta" tab. Choose 'Yes' from one or both of the dropdown menus, then enter your Okta site's URL and the API key you just generated and click "Save."

Enter Okta credentials

Okta sync configured

Click the 'Sync now' button. You will see the success message 'Sync initiated successfully'. Click OK; you can then check the sync status in the box shown in the picture below:

Last sync successful

Now, you can see synced users on the Users page.

Sample Users page with synced users from Okta

Optional: Enable Group Sync Allowed list

If you have group sync enabled, you can restrict which groups get imported during sync. This is useful for organizations that only want a subset of their groups to be used in Foxpass. Once group sync is enabled, you'll see a field to add the group prefixes allowed to be synced. During the group sync process, any group whose name does not begin with one of those prefixes is not synced with Foxpass.

Optional: Enable Allowed Users list via Group Membership

If you have group sync enabled, you can add an allowed users list from specific groups. This is useful for organizations that only want a subset of their directory to have access to Foxpass. Once group sync is enabled, you'll see a field to mark any groups allowed to be synced. During the group sync process, any users that are not a member of one of those groups are automatically marked as "inactive."

Optional: Enable Non-Allowed Users list via Group Membership

If you have group sync enabled, you can have a list of non-allowed users that belong to specific groups. This is useful for organizations that have a large number of machine or role accounts that don't need access to Foxpass. Once group sync is enabled, you'll see a field to mark any groups to be ignored from syncing. During the group sync process, any users that are a member of one of those groups are automatically marked as "inactive."

Optional: Restrict Users by Domain

If your organization's Okta directory includes a lot of users from another part of your organization or freelancers that you don't want in Foxpass, you can enable the Domain Restrictions feature for Okta sync. This will prevent any new non-domain users from syncing into Foxpass from Okta.

For instance, if your company's domain is @example.com and you were just bought by @bigcorp.com and your Okta directories were merged, enabling this setting will mean that only your @example.com users will sync with Foxpass. This will also apply to any outside users with a different email domain.
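The four optional filters above (group-prefix allowed list, allowed users via group membership, non-allowed users via group membership, and domain restriction) interact, and it is easy to misjudge which users end up active. The following Python model is an added example, not Foxpass's own code: it applies the rules as described on this page to a constructed sample Okta directory (hypothetical names and emails) so the outcome of each rule is visible. The rule ordering (domain restriction checked first and only for new users, the non-allowed list taking precedence over the allowed list) is an assumption made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SyncConfig:
    """Optional filters from the Foxpass Okta sync page (modelled here, not Foxpass's code)."""
    group_prefixes: tuple = ()                 # Group Sync Allowed list: only groups with one of these prefixes sync
    allowed_groups: frozenset = frozenset()    # Allowed Users via Group Membership
    blocked_groups: frozenset = frozenset()    # Non-Allowed Users via Group Membership
    allowed_domains: frozenset = frozenset()   # Restrict Users by Domain (applies to new users only)


# Constructed sample Okta directory: group name -> member emails (hypothetical data).
OKTA_GROUPS = {
    "eng-platform": {"alice@example.com", "bob@example.com", "svc-backup@example.com"},
    "eng-data": {"erin@example.com"},
    "svc-accounts": {"svc-backup@example.com"},
    "hr-bigcorp": {"carol@bigcorp.com", "dave@bigcorp.com"},
}
OKTA_USERS = sorted({m for members in OKTA_GROUPS.values() for m in members})

# Constructed configuration exercising all four optional filters at once.
SAMPLE_CONFIG = SyncConfig(
    group_prefixes=("eng-", "svc-"),
    allowed_groups=frozenset({"eng-platform", "eng-data"}),
    blocked_groups=frozenset({"svc-accounts"}),
    allowed_domains=frozenset({"example.com"}),
)


def groups_to_sync(groups, cfg):
    """Group Sync Allowed list: keep only groups whose name starts with an allowed prefix.
    With no prefixes configured, every group syncs."""
    if not cfg.group_prefixes:
        return set(groups)
    return {g for g in groups if g.startswith(cfg.group_prefixes)}


def memberships(groups):
    """Invert group -> members into email -> set of group names."""
    by_user = {}
    for name, members in groups.items():
        for email in members:
            by_user.setdefault(email, set()).add(name)
    return by_user


def sync_status(email, user_groups, cfg, existing):
    """Decide what happens to one user: 'skipped', 'inactive' or 'active'.
    Assumed order: domain restriction (new users only), then the non-allowed
    list (which wins over the allowed list), then the allowed list."""
    domain = email.rsplit("@", 1)[-1].lower()
    if cfg.allowed_domains and email not in existing and domain not in cfg.allowed_domains:
        return "skipped"      # new non-domain user never enters Foxpass
    if user_groups & cfg.blocked_groups:
        return "inactive"     # member of a non-allowed group
    if cfg.allowed_groups and not (user_groups & cfg.allowed_groups):
        return "inactive"     # not a member of any allowed group
    return "active"


def run_sync(groups, users, cfg, existing=frozenset()):
    """Return (groups that would be synced, {email: status}) for the whole directory.
    `existing` is the set of users already present in Foxpass before this sync."""
    by_user = memberships(groups)
    statuses = {u: sync_status(u, by_user.get(u, set()), cfg, existing) for u in users}
    return groups_to_sync(groups, cfg), statuses


if __name__ == "__main__":
    synced, statuses = run_sync(OKTA_GROUPS, OKTA_USERS, SAMPLE_CONFIG,
                                existing=frozenset({"dave@bigcorp.com"}))
    print("groups synced:", sorted(synced))
    for email, status in sorted(statuses.items()):
        print(f"{email:28} {status}")
```

Running it shows the interactions worth knowing about: svc-backup is in an allowed group but lands inactive because the non-allowed list takes precedence; carol is never created because she is a new @bigcorp.com user; dave, already in Foxpass, is unaffected by the domain rule but still becomes inactive for not belonging to an allowed group; and hr-bigcorp is left out of the synced groups because it matches no configured prefix.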