> ## Documentation Index
> Fetch the complete documentation index at: https://docs.leen.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Okta IDP Instructions

> Information about the Okta Identity Provider integration available in Leen. This integration uses the Core Okta API to interact with your Okta organization.

## Required Permissions

The API token inherits the permissions of the Okta user who creates it. The token creator must have a role that grants the following OAuth scopes:

| Scope                | Description                                                                  | APIs Used                                                          |
| -------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------------------------ |
| `okta.users.read`    | Read user profiles, credentials, group memberships, and enrolled MFA factors | List Users, List User Groups, List User MFA Factors                |
| `okta.groups.read`   | Read group information and group-application assignments                     | List Groups, List Group Applications                               |
| `okta.apps.read`     | Read application configurations and user-application assignments             | List Applications, List Application Users                          |
| `okta.logs.read`     | Read system log events                                                       | Get System Log Events                                              |
| `okta.roles.read`    | Read administrative role assignments for users                               | List User Roles                                                    |
| `okta.policies.read` | Read security policies, policy rules, and policy mappings                    | List Policies, Get Policy, List Policy Rules, List Policy Mappings |

We recommend creating the API token with a user that has the **Read-Only Admin** role, which grants all of the above permissions.

## Onboarding Okta Identity Provider

Follow the steps below to onboard your environment to our Okta Identity Provider integration. This integration uses the [Core Okta API](https://developer.okta.com/docs/reference/core-okta-api/) to interact with your Okta organization.

To connect to Okta, we require:

1. Okta Domain
2. API Token

<Steps>
  <Step title="Determine Your Okta Domain">
    Your Okta domain (also known as your org URL) is the URL you use to access your Okta organization. It typically looks like: `https://{your-tenant}.okta.com`. Make note of this URL as you'll need it later.
    If you are on the Okta Admin Console, the URL will appear as `https://{your-tenant}-admin.okta.com`. The URL without `-admin` is your Okta domain.
  </Step>

  <Step title="Navigate Okta Admin Console">
    Log in to the Okta Admin Console and navigate to the API Tokens page (sidebar: Security -> API -> Tokens).
  </Step>

  <Step title="Create API Token">
    Click the `Create Token` button. You will see the following screen.

    Add a name for the token (e.g. `leen-okta-idp`), set the allowable origin to `Any IP`, and click the `Create Token` button.

    <img src="https://mintcdn.com/leen/vQ2Rhs44KY1LGMJC/images/okta/create_api_token.png?fit=max&auto=format&n=vQ2Rhs44KY1LGMJC&q=85&s=5096bfc887ea309542fde87b445a10ff" alt="Create API Token" width="3474" height="2058" data-path="images/okta/create_api_token.png" />

    On the next screen, you will see the secret API token.
    <Warning>Record your API token secret somewhere safe. After the credential window is closed, the secret is no longer visible.</Warning>
  </Step>

  <Step title="Enter Credentials">
    In the Okta Identity Provider connector in Leen, enter the following information:

    * **Okta Domain**: Enter your full Okta domain URL (e.g., `https://{your-tenant}.okta.com`)
    * **API Token**: Paste the API token you created in the previous step
  </Step>
</Steps>

For more information on Okta API tokens and how to use them, refer to the [Okta API documentation](https://developer.okta.com/docs/reference/core-okta-api/#authentication).
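To confirm that a token actually carries every permission in the table before it is entered in Leen, here is an added Python pre-flight check. It is example code written for this page, not Leen's or Okta's own code. It normalizes the domain exactly as the first step describes (dropping `-admin`), then makes one read-only Core Okta API call per scope, authenticating with the `SSWS` authorization header the Core Okta API uses for API tokens. The endpoint paths are the Core Okta API paths behind the listed APIs; the function names, the `OKTA_API_TOKEN` environment variable and the report format are this example's own assumptions. A 403 on a probe means the role of the user who created the token does not grant that scope; a 401 means the token itself is not accepted.

```python
"""Pre-flight check for an Okta API token before it is entered in Leen.

Added example for this page (not Leen's or Okta's own code). Usage:
    OKTA_API_TOKEN=<token> python check_token.py https://acme-admin.okta.com
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# One cheap read per scope in the permissions table. These are the Core Okta API
# paths behind the listed "APIs Used". List Policies requires a policy type and
# OKTA_SIGN_ON exists in every org. okta.roles.read is probed separately below,
# because List User Roles needs a user id.
SCOPE_PROBES: Dict[str, str] = {
    "okta.users.read": "/api/v1/users?limit=1",
    "okta.groups.read": "/api/v1/groups?limit=1",
    "okta.apps.read": "/api/v1/apps?limit=1",
    "okta.logs.read": "/api/v1/logs?limit=1",
    "okta.policies.read": "/api/v1/policies?type=OKTA_SIGN_ON",
}

# A fetcher takes (url, headers) and returns (HTTP status, response body).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, str]]


def normalize_okta_domain(raw: str) -> str:
    """Return `https://{tenant}.okta.com` from whatever form the user pasted.

    Accepts the admin-console form (`{tenant}-admin.okta.com`), a bare host
    name, or a URL with a trailing path, and drops the `-admin` label as the
    onboarding step describes. Anything that is not https is rejected.
    """
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urllib.parse.urlsplit(raw)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https Okta domain: {raw!r}")
    labels = parts.hostname.lower().split(".")
    if labels[0].endswith("-admin"):
        labels[0] = labels[0][: -len("-admin")]
    return "https://" + ".".join(labels)


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Default fetcher: GET with the given headers, returning (status, body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 arrive here; report them instead of raising.
        return err.code, err.read().decode("utf-8", "replace")


def _classify(status: int) -> str:
    """Map an HTTP status from a probe to a human-readable verdict."""
    if status == 200:
        return "ok"
    if status == 401:
        return "invalid or expired token"
    if status == 403:
        return "missing permission"
    return f"unexpected HTTP {status}"


def probe_token(domain: str, token: str, fetch: Fetcher = urllib_fetch) -> Dict[str, str]:
    """Make one read-only call per scope and return {scope: verdict}."""
    base = normalize_okta_domain(domain)
    # Core Okta API tokens are sent as `Authorization: SSWS <token>`.
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    report: Dict[str, str] = {}
    first_user_id: Optional[str] = None
    for scope, path in SCOPE_PROBES.items():
        status, body = fetch(base + path, headers)
        report[scope] = _classify(status)
        if scope == "okta.users.read" and status == 200:
            try:
                users = json.loads(body)
                first_user_id = users[0]["id"] if users else None
            except (ValueError, KeyError, TypeError, IndexError):
                first_user_id = None
    # List User Roles needs a user id, so it can only be probed after a user was read.
    if first_user_id is None:
        report["okta.roles.read"] = "skipped (no user id available)"
    else:
        status, _ = fetch(f"{base}/api/v1/users/{first_user_id}/roles", headers)
        report["okta.roles.read"] = _classify(status)
    return report


if __name__ == "__main__":
    okta_token = os.environ.get("OKTA_API_TOKEN")
    if len(sys.argv) != 2 or not okta_token:
        sys.exit("usage: OKTA_API_TOKEN=<token> check_token.py <okta-domain>")
    for scope_name, verdict in probe_token(sys.argv[1], okta_token).items():
        print(f"{scope_name:22} {verdict}")
```

Any scope reported as `missing permission` means the creating user's role does not cover that row of the table; recreating the token from a user with the **Read-Only Admin** role resolves all of them at once. The token is read from an environment variable rather than a command-line argument so it does not end up in shell history or process listings.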
