Document toolboxDocument toolbox

Okta Resources collector

Owned by Juan Tomás Alonso Nieto (Deactivated)
May 08, 2023
10 min read
[ 1.1 Configuration requirements ] [ 1.2 Overview ] [ 2 Devo Collector features ] [ 2.1 Data source description ] [ 2.2 Vendor Setup ] [ 2.3 Run the collector ] [ 2.4 Activeboards ] [ 2.5 Rate limits ] [ 2.6 Change log for v1.x.x ]

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration

Details

Configuration

Details

Getting Okta credentials

You will need to create an api_token and get the okta_url to run this collector.

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

The Okta Resources API is used for gaining insights into the content management of activities from your organization or company. Okta Resources APIs generate system logs and other events in real time.

Devo Collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

Not allowed

Running Environments

Collector Server

On Premise

Data source description

You can use the Okta collector to send this information to your Devo domain. Once the gathered information arrives at Devo it will be categorized in different tables in your domain, as you can check in the following table.

Okta services

Listed in the table below are some service names, details, and how the Devo platform treats the data.

Services

Description

Devo data tables

Services

Description

Devo data tables

Apps

Application API provides operations to manage applications and/or assignments to users or groups for your organization.

auth.okta.apps

Client Application

The Dynamic Client Registration API provides operations to register and manage client applications to be used with Okta's OAuth 2.0 and OpenID Connect endpoints.

auth.okta.clients

Groups

Groups API provides operations to manage Okta groups and their user members for your organization.

auth.okta.groups

IDPS

Identity Providers API provides operations to manage federations with external Identity Providers (IDP). For example, your app can support logging in with credentials from Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (OIDC) protocol.

auth.okta.idps

System Logs

System Log records system events related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. Often the terms "event" and "log event" are used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system and "log" or "log event" is the recorded fact.

auth.okta.system

Users

User API provides operations to manage users in your organization.

auth.okta.users

Zones

Zones API provides operations to manage zones in your organization. Zones may be used to guide policy decisions.

auth.okta.zones

The System Log API will eventually replace the Events API. It contains much more structured data.

For more references about Okta Resources API, visit the Okta API Reference.

Vendor Setup

Getting Okta credentials

  1. Visit Developer Okta to create an api_token and get the okta_url.

  2. Log in with your company credentials (or sign up for a free developer account).

  3. Click Dashboard and save the okta_url that is displayed in the top right corner (it will be used later in the config file).


  4. On the top menu, go to API → Tokens.


  5. Click on Create Token and enter a name for your token in the window that appears, which will be used for tracking API calls. Click Create Token.


  6. Copy your token and click OK, got it. Note that the token will be only displayed here, so don't forget to copy it. Save it as api_token (it will be used later in the config file).


Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Activeboards

There are a number of predefined dashboards that can be downloaded in your Devo domain.

  1. Create a new Devo Activeboard in your domain.

  2. In the Edit mode click on the ellipsis button and select Edit raw configuration.

  3. Open the downloaded file, select all the text, and copy it to the clipboard.

  4. Paste the content of the file in the raw editor. Make sure you replace completely the existing configuration.

  5. Click on Save the changes. The dashboard shows up.

Rate limits

The number of API requests for an organization is limited for all APIs in order to protect the service for all users. The number of Okta-generated emails that can be sent also has rate limits.

Okta has two types of API rate limits:

  • Org-wide rate limits that vary by API endpoint. These limits are applied on a per-minute or per-second basis, and some are also applied on a per-user basis. For example, if your org sends a request to list applications more than one hundred times in a minute, the org-wide rate limit is exceeded. These limits protect against denial-of-service attacks and help ensure that adequate resources are available for all customers.

  • Concurrent rate limits on the number of simultaneous transactions. For example, if you sent 77 very long-lasting requests to any API endpoint simultaneously, you might exceed the concurrent rate limit.

Okta has one type of email rate limit:

  • Okta-Generated Email Message Rate Limits that vary by email type. Okta enforces rate limits on the number of Okta-generated email messages that are sent to customers and customer users. For example, if the number of emails sent to a given user exceeds the per-minute limit for a given email type, subsequent emails of that type are dropped for that user until that minute elapses.

Rate limits may be changed to protect customers. We provide advance warning of changes when possible.

Check the following web pages for more information on Okta rate limits:

Change log for v1.x.x

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.4.3

Jul 29, 2022

IMPROVEMENT

Improvements:

  • Upgraded underlay IFC SDK v1.3.0 to v1.4.0.

    • Updated the underlying DevoSDK package to v3.6.4 and dependencies, this upgrade increases the resilience of the collector when the connection with Devo or the Syslog server is lost. The collector is able to reconnect in some scenarios without running the self-kill feature.

    • Support for stopping the collector when a GRACEFULL_SHUTDOWN system signal is received.

    • Re-enabled the logging to devo.collector.out for Input threads.

    • Improved self-kill functionality behavior.

    • Added more details in log traces.

    • Added log traces for knowing system memory usage.

Upgrade

v1.5.0

Nov 3, 2022

IMPROVEMENT

Improvements:

  • Upgraded underlay IFC SDK from v1.4.0 to v1.4.3.

    • Added:

      • New "templates" functionality.

      • New controlled stopping condition when any input thread fatally fails.

      • Added log traces for knowing the execution environment status (debug mode).

    • Changed:

      • Improved log trace details when runtime exceptions happen.

      • Refactored source code structure.

      • Fixes in the current puller template version.

      • The Docker container exits with the proper error code.

Recommended Version