Okta

Set up Okta for automated tests with TrustCloud

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack, and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your Okta account and Okta Users, Groups, Policies, and Roles, so that TrustOps can validate and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to Okta metadata

  1. Navigate to the JSON Web Key Generator to generate a JSON Web Key Set (JWKS) public/private key pair for TrustOps. Make sure the RSA tab is selected (this is the default) and set the following values:
    • Key size: 2048.
    • Key use: signature.
    • Algorithm: RS256.
    • Key ID: the identifier of the generated key; it can be set to any value of your choosing or a random value.

    This step does not provide TrustCloud the ability to read any authentication information, usage information, or to write or change any data.

  2. Click Generate.
  3. The JSON Web Key Generator tool extracts the public key from the key pair automatically. Copy the contents of the left and center sections (Public and Private Keypair, and Public and Private Keypair set) by clicking the Copy to Clipboard button under the respective sections. Paste each into a text file to use later.
  4. From the Public and Private Keypair set (the middle section), remove any extraneous members from the keys array. Only the public key components are needed. The following members must be kept if they are present:
    • kty
    • e
    • use
    • kid (if present)
    • alg
    • n

    All other keys can be discarded.

    The resulting JWKS file should look something like this:

    {
      "keys": [{
        "kty": "RSA",
        "e": "AQAB",
        "use": "sig",
        "kid": "my_key_id",
        "alg": "RS256",
        "n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"
      }]
    }
    
  5. Navigate to your Okta admin console. From the console, navigate to Security → API and then select the Tokens tab.
  6. Click Create Token. Give your token a name and click Create Token again.
  7. Copy the resulting token for later use.
  8. Create an OAuth service app and register the public key with the app. Okta service apps are created by sending a POST request to the dynamic client registration endpoint at https://${yourOktaDomain}/oauth2/v1/clients, with a request body containing the information specified below.
    • Prepare your request body by gathering the information you’ll need. The request requires the following parameters:
      • client_name: TrustCloud
      • grant_types: client_credentials
      • token_endpoint_auth_method: private_key_jwt
      • application_type: service
      • jwks: The contents of the trimmed JWKS file that you created in step 4.
    • To authenticate your request, use an Authorization header set to SSWS {api_token}, where {api_token} is the token copied in step 7.
    • The request can be sent using any HTTP client, such as Postman or cURL. Below is an example cURL request.
      curl -X POST \
        -H 'Accept: application/json' \
        -H "Authorization: SSWS ${api_token}" \
        -H 'Content-Type: application/json' \
        -d '{
          "client_name": "Service Client Name",
          "response_types": ["token"],
          "grant_types": ["client_credentials"],
          "token_endpoint_auth_method": "private_key_jwt",
          "application_type": "service",
          "jwks": {
            "keys": [{
              "kty": "RSA",
              "e": "AQAB",
              "use": "sig",
              "kid": "O4O",
              "alg": "RS256",
              "n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"
            }]
          }
        }' "https://${yourOktaDomain}/oauth2/v1/clients"
    
  9. Make note of the client_id that is returned in the response.
  10. In the Okta admin console, navigate to Applications → Applications.
  11. Use the client ID you noted in step 9 to find the application you created in step 8.
  12. Click its name, and then click the Okta API Scopes tab.
  13. Click Grant next to the following scopes:
    • okta.factors.read
    • okta.groups.read
    • okta.roles.read
    • okta.users.read
    • okta.policies.read
    • okta.apps.read
  14. These scopes allow TrustCloud to audit your Okta user, group, role, and policy settings in order to determine adherence to specified controls. It only allows TrustCloud to read metadata — information about your users and their settings. It does not provide TrustCloud the ability to read any authentication information, usage information, or to write or change any data.
  15. In TrustOps, enter your Okta domain URL, the client_id obtained in step 9, and the public and private keypair obtained from the leftmost section in step 3. No password or other credentials are required; TrustCloud's access is limited to the scopes granted above.

You may now delete the token obtained in step 7 by navigating to the Security → API menu and then the Tokens tab, and clicking Revoke.
