Skip to content

Okta directory connector (Floh → Okta)

Built-in connector type okta pushes user lifecycle events from Floh into an Okta org using the Okta Management API. It is the supported path for create / update / deactivate when Okta is the downstream directory.

Do not use the generic scim connector for Okta. Standard Okta orgs do not expose https://<org>.okta.com/scim/v2. That URL returns 404. Okta acts as a SCIM client when provisioning to apps (including Floh inbound SCIM), not as a SCIM server on the org hostname.

Direction Connector / endpoint Documentation
Okta → Floh Inbound /scim/v2 + scim_client token Okta setup for Floh
Floh → Okta Built-in okta connector This document

Implementation: packages/server/src/modules/connectors/handlers/okta.ts.

Connection configuration

Field Type Required Secret Description
orgUrl string Yes No https://<org>.okta.com (or *.oktapreview.com). Not the -admin console URL.
apiToken string Yes Yes API token from Security → API → Tokens. Sent as Authorization: SSWS <token>.

Example

{
  "orgUrl": "https://integrator-5887742.okta.com",
  "apiToken": "00aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890ABCDEF"
}

Test: run the test command (GET /api/v1/users?limit=1).

Commands

Aligned with the outbound scim connector command names so workflows and entitlements can reuse the same step shapes.

Command Okta API Notes
test GET /users?limit=1 Connectivity check
createUser POST /users userNameprofile.login; givenName / familyNamefirstName / lastName
getUser GET /users/{idOrLogin} Requires id or userName
updateUser POST /users/{id} Partial profile update
deactivateUser POST /users/{id}/lifecycle/deactivate Deprovision (not hard delete)
checkUserActive GET /users/{id} isActive when status === ACTIVE

Group commands (OKTA_GROUP only)

Command Okta API Notes
listGroups GET /groups Defaults to OKTA_GROUP only; paginate with afterPageTokennextPageToken
listGroupMembers GET /groups/{groupId}/users Paginate with afterPageToken / nextPageToken
addGroupMember PUT /groups/{groupId}/users/{userId} Idempotent; reconcilesWith: checkGroupMembership
removeGroupMember DELETE /groups/{groupId}/users/{userId} 404 → already removed
checkGroupMembership GET /groups/{groupId}/users?filter=… Entitlement reconciliation

Parameter names match the outbound scim connector (groupId, memberId). Membership APIs only work for OKTA_GROUP groups, not AD-imported APP_GROUP groups.

createUser parameters

Param Notes
userName Required. Work email / Okta login.
email Defaults to userName.
givenName, familyName Default to User / Account if omitted.
active Default true?activate=true on create.
sendEmail Default false. Set true to send Okta activation email.
linkExistingOnConflict Default true → on duplicate login, return existing user id.

Prerequisites

  1. Okta API token with permissions to manage users and groups (okta.users.manage, okta.groups.manage, or a super-admin dev token).
  2. Floh server HTTPS egress to *.okta.com.
  3. Use the org URL from the developer dashboard (https://<org>.okta.com), not https://<org>-admin.okta.com.