Okta, SailPoint, and Active Directory - Terraform Demo
This configuration connects Okta to Active Directory (AD), maps AD attributes onto Okta profile attributes, and configures SailPoint IdentityNow to recognize and sync the users that AD provisions into Okta.

Managing these resources with Terraform means the integration is applied the same way in every environment, each change is reviewable in version control, and a bad change can be rolled back by reverting the commit and re-applying.
Providers
Terraform uses providers to talk to the APIs involved, here Okta and SailPoint. The `okta` provider manages Okta resources directly. SailPoint does not currently have a Terraform provider, so the `http` provider's `http` data source is used to make raw HTTPS calls to the SailPoint IdentityNow API instead. Two consequences of that substitution are worth knowing: a data source is read on every plan and refresh, so the SailPoint call is made each time Terraform runs, and the data source's arguments, the `request_headers` carrying the bearer token included, are recorded in the Terraform state, so the state file must be protected like any other secret store (encrypted remote backend, tightly scoped read access).
Okta Configuration
- `okta_org_name` (string)
  - Description: The name of your Okta organization. This identifies the specific Okta instance to manage.
  - Default: `"your-okta-org"`
- `okta_base_url` (string)
  - Description: The base URL for the Okta instance (usually `okta.com`).
  - Default: `"okta.com"`
- `okta_api_token` (string, sensitive)
  - Description: API token for authenticating requests to Okta. Keep this token secure, as it grants access to Okta API operations.
  - Default: None (must be provided as a secure input)
SailPoint Configuration
- `sailpoint_api_url` (string)
  - Description: The base URL for accessing the SailPoint IdentityNow API.
  - Default: `"https://your-sailpoint-instance.identitynow.com"`
- `sailpoint_api_token` (string, sensitive)
  - Description: API token for authenticating requests to SailPoint. This token allows Terraform to interact with SailPoint resources.
  - Default: None (must be provided as a secure input)
Active Directory (AD) Group Configuration
- `ad_group_name` (string)
  - Description: The name of the Active Directory group to be synchronized with Okta. This name is used for identifying and managing AD users in Okta.
  - Default: `"AD Users"`
- `ad_group_description` (string)
  - Description: Description for the AD group in Okta. A user-friendly explanation of the group's purpose.
  - Default: `"Group for AD-synced users"`
- `ad_user_profile_mappings` (map(string))
  - Description: A map whose keys are Okta profile attributes and whose values are the Active Directory attributes they are populated from. Note the direction: the key is the Okta side, the value is the AD side, so `firstName`, `lastName` and `email` in Okta are filled from the AD `givenName`, `sn` and `mail` attributes.
  - Default:

    ```hcl
    {
      "firstName" = "givenName"
      "lastName"  = "sn"
      "email"     = "mail"
    }
    ```
Outputs
- `identity_sources`
  - Description: Lists the identity sources available in SailPoint. This output gives visibility into the identity sources and helps verify that Okta (and its users) is recognized in SailPoint.
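To show how the Providers, variable and Outputs sections above fit together, here is a single self-contained configuration written for this page. It is an added example, not the demo's own files. It declares the documented inputs with `sensitive` flags and `validation` blocks, configures the `okta` provider, creates the AD group in Okta, and reads SailPoint over the `http` data source with a `postcondition` so a failed call aborts the plan instead of feeding an error page to `jsondecode()`. The SailPoint path `/v3/sources`, the response being a JSON array of objects with a `name` field, and the resource name `okta_group.ad_users` are assumptions of this example; the page does not document which resource consumes `ad_user_profile_mappings`, so that variable is only declared here.

```hcl
# Added example (not part of the demo): complete configuration tying the documented inputs together.
terraform {
  required_version = ">= 1.3"
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "~> 4.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "~> 3.4"
    }
  }
}

variable "okta_org_name" {
  type    = string
  default = "your-okta-org"
}

variable "okta_base_url" {
  type    = string
  default = "okta.com"
  validation {
    # The provider only accepts the public Okta domains; catch typos at plan time.
    condition     = contains(["okta.com", "oktapreview.com", "okta-emea.com"], var.okta_base_url)
    error_message = "The okta_base_url must be okta.com, oktapreview.com or okta-emea.com."
  }
}

variable "okta_api_token" {
  type      = string
  sensitive = true # no default: supply via TF_VAR_okta_api_token, never a committed tfvars file
}

variable "sailpoint_api_url" {
  type    = string
  default = "https://your-sailpoint-instance.identitynow.com"
  validation {
    # The bearer token travels in a header, so refuse a plaintext endpoint.
    condition     = startswith(var.sailpoint_api_url, "https://")
    error_message = "The sailpoint_api_url must use https."
  }
}

variable "sailpoint_api_token" {
  type      = string
  sensitive = true
}

variable "ad_group_name" {
  type    = string
  default = "AD Users"
}

variable "ad_group_description" {
  type    = string
  default = "Group for AD-synced users"
}

variable "ad_user_profile_mappings" {
  type = map(string) # Okta profile attribute (key) -> AD attribute it is sourced from (value)
  default = {
    firstName = "givenName"
    lastName  = "sn"
    email     = "mail"
  }
}

provider "okta" {
  org_name  = var.okta_org_name
  base_url  = var.okta_base_url
  api_token = var.okta_api_token
}

# Group in Okta that AD-sourced users land in (resource name is this example's choice).
resource "okta_group" "ad_users" {
  name        = var.ad_group_name
  description = var.ad_group_description
}

# No SailPoint provider, so a plain HTTPS GET stands in. Endpoint path is an assumption.
# The request_headers (token included) are stored in state: protect the state accordingly.
data "http" "sailpoint_sources" {
  url = "${trimsuffix(var.sailpoint_api_url, "/")}/v3/sources"
  request_headers = {
    Accept        = "application/json"
    Authorization = "Bearer ${var.sailpoint_api_token}"
  }
  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "SailPoint did not return HTTP 200 for the sources list; check sailpoint_api_url and the token."
    }
  }
}

output "identity_sources" {
  description = "Names of every source SailPoint knows about; confirm the Okta source appears."
  value       = [for s in jsondecode(data.http.sailpoint_sources.response_body) : s.name]
}
```

Supply the two tokens through the environment (`TF_VAR_okta_api_token`, `TF_VAR_sailpoint_api_token`) or a secrets-backed variable set rather than a `terraform.tfvars` file that could be committed. With the `sensitive` flags, Terraform redacts the tokens from plan output, but not from the state, which is why the `http` data source's stored headers matter. A wrong base URL or an `http://` SailPoint URL is rejected by the `validation` blocks before any API call is made.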