Okta directory connector (Floh → Okta)¶
Built-in connector type okta pushes user lifecycle events from Floh into an Okta org using the Okta Management API. It is the supported path for create / update / deactivate when Okta is the downstream directory.
Do not use the generic
scimconnector for Okta. Standard Okta orgs do not exposehttps://<org>.okta.com/scim/v2. That URL returns 404. Okta acts as a SCIM client when provisioning to apps (including Floh inbound SCIM), not as a SCIM server on the org hostname.
| Direction | Connector / endpoint | Documentation |
|---|---|---|
| Okta → Floh | Inbound /scim/v2 + scim_client token |
Okta setup for Floh |
| Floh → Okta | Built-in okta connector |
This document |
Implementation: packages/server/src/modules/connectors/handlers/okta.ts.
Connection configuration¶
| Field | Type | Required | Secret | Description |
|---|---|---|---|---|
orgUrl |
string | Yes | No | https://<org>.okta.com (or *.oktapreview.com). Not the -admin console URL. |
apiToken |
string | Yes | Yes | API token from Security → API → Tokens. Sent as Authorization: SSWS <token>. |
Example¶
{
"orgUrl": "https://integrator-5887742.okta.com",
"apiToken": "00aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890ABCDEF"
}
Test: run the test command (GET /api/v1/users?limit=1).
Commands¶
Aligned with the outbound scim connector command names so workflows and entitlements can reuse the same step shapes.
| Command | Okta API | Notes |
|---|---|---|
test |
GET /users?limit=1 |
Connectivity check |
createUser |
POST /users |
userName → profile.login; givenName / familyName → firstName / lastName |
getUser |
GET /users/{idOrLogin} |
Requires id or userName |
updateUser |
POST /users/{id} |
Partial profile update |
deactivateUser |
POST /users/{id}/lifecycle/deactivate |
Deprovision (not hard delete) |
checkUserActive |
GET /users/{id} |
isActive when status === ACTIVE |
Group commands (OKTA_GROUP only)¶
| Command | Okta API | Notes |
|---|---|---|
listGroups |
GET /groups |
Defaults to OKTA_GROUP only; paginate with afterPageToken → nextPageToken |
listGroupMembers |
GET /groups/{groupId}/users |
Paginate with afterPageToken / nextPageToken |
addGroupMember |
PUT /groups/{groupId}/users/{userId} |
Idempotent; reconcilesWith: checkGroupMembership |
removeGroupMember |
DELETE /groups/{groupId}/users/{userId} |
404 → already removed |
checkGroupMembership |
GET /groups/{groupId}/users?filter=… |
Entitlement reconciliation |
Parameter names match the outbound scim connector (groupId, memberId). Membership APIs only work for OKTA_GROUP groups, not AD-imported APP_GROUP groups.
createUser parameters¶
| Param | Notes |
|---|---|
userName |
Required. Work email / Okta login. |
email |
Defaults to userName. |
givenName, familyName |
Default to User / Account if omitted. |
active |
Default true → ?activate=true on create. |
sendEmail |
Default false. Set true to send Okta activation email. |
linkExistingOnConflict |
Default true → on duplicate login, return existing user id. |
Prerequisites¶
- Okta API token with permissions to manage users and groups (
okta.users.manage,okta.groups.manage, or a super-admin dev token). - Floh server HTTPS egress to
*.okta.com. - Use the org URL from the developer dashboard (
https://<org>.okta.com), nothttps://<org>-admin.okta.com.
Related docs¶
- Okta outbound user lifecycle — workflows and smoke tests
- Outbound SCIM connector — other IdPs (Entra, OneLogin, etc.)
- Okta setup for Floh — OIDC + inbound SCIM