Okta

Okta is a cloud-based identity and access management platform that provides single sign-on, multi-factor authentication, and lifecycle management for enterprise applications. Organizations use Okta as a canonical source of employee identity, organizational hierarchy, and application access.

This page covers Okta as a people data source. If you use Okta for SSO, see Okta SSO configuration. When you set up Okta as a people data source, you can also optionally enable Okta-managed apps and activity-based features by granting additional API scopes.

The Okta connector crawls user profiles, Okta-managed applications, and system activity logs into Glean. This powers people cards, org charts, directory search, and app discovery, giving employees a single place to find colleagues, understand reporting structures, and access the tools they need.

Who can use this integration

  • IT admins: Manage people data ingestion and ensure org chart accuracy across Glean.
  • People operations: Verify that employee profiles, departments, and reporting lines are reflected correctly in Glean's directory and org chart.
  • Employees: Search for colleagues by name, title, department, or location, and discover Okta-managed apps.
  • System admins: Configure and maintain the Okta connector to keep identity data synchronized with Glean.

Supported objects

The connector crawls identity, application, and activity data from Okta.

  • Users
    • Full user profile data including name, email, title, department, manager, location, and phone number.
    • Employee type classification (full-time, contractor, service account).
    • Custom field support for manager, department, title, hire date, and other profile attributes.
  • Apps
    • Okta-managed applications including app name, status, logo, sign-on mode, and visibility settings.
    • User-to-app assignments for app-based access control in Glean.
    • Nested app link support for apps that provide multiple destinations.
  • Activity logs
    • System log events for user authentication (user.authentication.sso), session start (user.session.start), and sign-on policy evaluation (policy.evaluate_sign_on).

Supported API endpoints

The connector uses the Okta API to fetch identity and activity data. The following table summarizes how Glean uses these endpoints.

| Purpose | Endpoint | Method | Notes |
| --- | --- | --- | --- |
| List users | /api/v1/users | GET | Retrieves all user profiles with pagination. Batch size is configurable. |
| List apps | /api/v1/apps | GET | Retrieves Okta-managed applications. Requires the okta.apps.read scope. |
| List app members | /api/v1/apps/{appId}/users | GET | Retrieves users assigned to a specific app for group membership mapping. |
| System logs | /api/v1/logs | GET | Retrieves system log events filtered by event type and time window. Requires the okta.logs.read scope. |
| OAuth token | /oauth2/v1/token | POST | Exchanges a signed JWT for a temporary access token using the Client Credentials flow. |

Content scope and behavior

The Okta connector focuses on identity and application data rather than document content. This section describes what is indexed and how access is handled.

Indexed content

The connector indexes people data and application metadata to power Glean features:

  • User profiles: Name, email, title, department, manager, location, phone number, and employee type are indexed to populate people cards, directory, and org chart.
  • Application metadata: App name, logo, sign-on mode, and status are indexed so employees can discover and access Okta-managed apps through Glean search.
  • Activity data: Authentication and session events are indexed to surface app usage analytics for IT admins and improve search personalization for employees.

Security and access control

The connector uses restricted API scopes and secure authentication:

  • Read-only access: The connector only reads data from Okta. No data is written or modified.
  • Scoped permissions: The Glean Connector app is assigned a Read-only Administrator role and granted only the specific API scopes needed (okta.users.read, and optionally okta.apps.read and okta.logs.read).
  • Client Credentials flow: Authentication uses the OAuth 2.0 Client Credentials flow with signed JWTs and JWKS key pairs. Tokens are temporary (10-minute lifetime) and scoped to specific API operations.
  • Temporary setup token: The super admin API token used during initial setup is only needed to create the connector apps and should be deleted immediately after.

Coverage boundaries

  • Identity only: This connector crawls people data and apps. It does not crawl content from other Okta modules or external systems.
  • Apps, not groups: Okta apps are mapped to groups in Glean for access control. Standard Okta groups are not directly crawled.
  • Active users: By default, only users with an active status are crawled. Configurable status filters can include additional statuses such as PASSWORD_EXPIRED, RECOVERY, and LOCKED_OUT.
  • Custom fields: Profile fields such as manager, department, and title can be mapped to custom Okta profile attributes. You can configure these mappings in the Glean admin console.

Crawling strategy

The connector uses scheduled full crawls to keep Glean in sync with Okta. Users and apps are crawled on separate schedules.

  • Runs full crawls of user profiles every 3 hours to keep people data current.
  • Runs full crawls of apps and their user assignments daily (requires the okta.apps.read scope).
  • Polls system logs using time-windowed queries to capture authentication and session activity.
  • Uses Okta's Link header pagination to handle large datasets efficiently.
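As an added example (not Glean's connector code), the following Python sketch shows how a client walks the /api/v1/users endpoint using the status filter and Okta's Link header pagination described above. The HTTP layer is replaced by a constructed in-memory fetch function so it runs offline; the org URL, cursor values and sample users are made up.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# The four statuses the crawl table on this page lists as defaults.
DEFAULT_STATUSES = ("ACTIVE", "PASSWORD_EXPIRED", "RECOVERY", "LOCKED_OUT")


def build_users_url(org_url, statuses=DEFAULT_STATUSES, limit=200):
    """Build the first /api/v1/users page URL with an Okta status filter."""
    # Okta filter syntax: status eq "ACTIVE" or status eq "RECOVERY" ...
    flt = " or ".join(f'status eq "{s}"' for s in statuses)
    return f"{org_url}/api/v1/users?" + urlencode({"filter": flt, "limit": limit})


_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def next_link(link_header):
    """Return the rel="next" URL from an Okta Link header, or None on the last page."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


def crawl_users(org_url, fetch, statuses=DEFAULT_STATUSES, max_pages=1000):
    """Follow rel="next" until Okta stops sending one. fetch(url) -> (status, headers, json)."""
    url = build_users_url(org_url, statuses)
    users, pages = [], 0
    while url and pages < max_pages:  # page cap guards against a cursor that never advances
        status, headers, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"Okta returned HTTP {status} for {url}")
        users.extend(body)
        url = next_link(headers.get("Link"))
        pages += 1
    return users


# Constructed offline stand-in for the Okta API: two pages of made-up users.
def fake_fetch(url):
    after = parse_qs(urlparse(url).query).get("after", [None])[0]
    if after is None:  # first page: Okta returns both a self link and a next cursor
        hdr = {"Link": '<https://example.okta.com/api/v1/users?after=abc123&limit=200>; rel="next", '
                       '<https://example.okta.com/api/v1/users?limit=200>; rel="self"'}
        return 200, hdr, [{"id": "u1", "status": "ACTIVE"}, {"id": "u2", "status": "RECOVERY"}]
    return 200, {"Link": '<https://example.okta.com/api/v1/users?limit=200>; rel="self"'}, \
        [{"id": "u3", "status": "ACTIVE"}]


if __name__ == "__main__":
    print([u["id"] for u in crawl_users("https://example.okta.com", fake_fetch)])
```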

The following table summarizes the crawl behavior:

| Crawl type | Full crawl | Incremental crawl | People data | Activity | Update rate | Webhook | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Users | Crawls all user profiles from the /api/v1/users endpoint with configurable batch sizes. | No incremental crawl. Full crawl refreshes all user data. | Yes. User profiles power people cards, directory, and org chart. | No | Every 3 hours (configurable) | No | Default active statuses: ACTIVE, PASSWORD_EXPIRED, RECOVERY, LOCKED_OUT. |
| Apps | Crawls all Okta-managed apps and their user assignments. | No incremental crawl. Full crawl refreshes all app data. | No | No | Daily (configurable) | No | Requires the okta.apps.read scope. Apps are mapped to groups for Glean access control. |
| Activity logs | Polls system logs within a configured time window. | No | No | Yes. Captures SSO, session start, and sign-on policy events. | Configurable | No | Requires the okta.logs.read scope. Used for app usage analytics and search personalization. |

Results display

In Glean, Okta data appears across several features:

  • People cards: Employee name, title, department, manager, location, email, and phone number.
  • Org chart: Reporting hierarchy based on manager relationships from Okta profiles.
  • Directory search: Search for colleagues by name, title, department, team, or location.
  • App search: Okta-managed apps appear as search results with app name, logo, and a deep link back to the app (requires the okta.apps.read scope).

Troubleshooting