This configuration sets up Okta with AD, maps the AD attributes, and configures SailPoint to recognize and sync users provisioned from AD through Okta.
Go to file
Ryan Malloy e59e89705e Update windows-ad/populate_ad/run.ps1 2024-11-14 18:43:01 +00:00
windows-ad Update windows-ad/populate_ad/run.ps1 2024-11-14 18:43:01 +00:00
README.md Update README.md 2024-11-14 18:07:56 +00:00
main.tf Update main.tf 2024-11-14 17:36:14 +00:00
outputs.tf Add outputs.tf 2024-11-14 17:34:39 +00:00
variables.tf Add variables.tf 2024-11-14 17:34:14 +00:00
versions.tf Add versions.tf 2024-11-14 17:35:42 +00:00

README.md

SailPoint, Okta, and Active Directory Integration

Integrating SailPoint, Okta, and Active Directory (AD) creates a robust identity management solution that combines identity governance (SailPoint), identity and access management (Okta), and the on-premises directory service (Active Directory). This combination enables seamless user provisioning, de-provisioning, access reviews, and policy enforcement across cloud and on-prem systems.

1. Integration Overview

  • Okta: Manages user authentication and access for cloud applications, providing Single Sign-On (SSO) and Multi-Factor Authentication (MFA).
  • SailPoint: Provides Identity Governance and Administration (IGA), ensuring users have the appropriate access, conducting access reviews, and enforcing policies for compliance.
  • Active Directory (AD): An on-premises directory service used for managing users, groups, and devices in a Windows environment. It plays a key role in user management and authentication within internal enterprise systems.

The integration of these three systems provides a unified solution for managing both cloud-based and on-premises applications, ensuring consistent access control and governance across the entire environment.

2. Key Integration Points

a) User Provisioning and De-Provisioning

  • Okta and Active Directory: Okta acts as the bridge between cloud applications and Active Directory. Okta can sync users from AD and apply cloud-specific authentication policies while still relying on AD for on-prem access.
  • SailPoint: SailPoint orchestrates provisioning and de-provisioning across Okta and Active Directory. When a user is created in AD, SailPoint can automatically synchronize this data with Okta and any other connected cloud or on-prem systems.
  • Automatic User Synchronization: SailPoint ensures that user profiles, roles, and attributes are consistent across both Okta and Active Directory, maintaining uniform access policies and user attributes across cloud and on-prem environments.

b) Role-Based Access Control (RBAC)

  • Okta: Assigns users to cloud applications based on their roles, as defined in Active Directory or SailPoint.
  • SailPoint: Manages role definitions for both AD and cloud applications. Role-based policies in SailPoint are enforced across both Okta and AD, ensuring users only have the access they need based on their roles.
  • Active Directory Groups: AD groups are used in the integration to help map users to roles in Okta and SailPoint, which are reflected in the access controls for applications.

c) Identity Governance and Compliance

  • SailPoint: Ensures compliance and governance policies are applied across both Active Directory and Okta. Access certifications and periodic reviews are triggered based on roles, entitlements, and user activities in both systems.
  • Active Directory Auditing: SailPoint leverages AD audit logs along with Okta and other cloud system logs to perform comprehensive audits and access reviews, ensuring compliance with regulations (e.g., SOX, GDPR).
  • Access Reviews and Certification: SailPoint automates periodic access reviews for users across both AD and Okta, ensuring that access rights remain appropriate as user roles or organizational needs change.

d) Hybrid IT Environment Support

  • Hybrid Identity Management: The integration provides a bridge between on-prem Active Directory and cloud-based Okta identity management. This hybrid model allows organizations to seamlessly manage user access to both legacy on-prem resources and modern cloud applications.
  • Self-Service for Hybrid Environments: Users can request access to resources in both AD (on-prem) and Okta (cloud) through self-service portals, with approval workflows managed by SailPoint.

3. How the Integration Works in Practice

a) User Onboarding

  • When a new user is added to Active Directory, SailPoint automatically syncs the user's profile, attributes, and roles to Okta. Okta provisions the user into cloud applications based on roles defined in both Okta and AD.
  • SailPoint manages the user's lifecycle and ensures they have appropriate access based on their role, department, or job function.

b) Access Change Management

  • If a users role changes in Active Directory, SailPoint triggers updates across Okta and other integrated systems, adjusting permissions and roles in both cloud and on-prem resources.
  • For example, if an employee moves from the Sales department to Engineering, SailPoint updates the user's access in Okta (e.g., to the CRM or project management apps) and updates their AD group memberships (e.g., to engineering shares or internal resources).

c) Access Reviews

  • SailPoint can automatically conduct access reviews for both AD and Okta. These reviews allow managers to certify that users have appropriate access to both on-premise systems and cloud applications, ensuring compliance and security.
  • For example, SailPoint can consolidate access to Active Directory groups and Okta apps into a single access review, ensuring a consistent access review process across environments.

d) De-Provisioning

  • When a user is deactivated in Active Directory (e.g., when an employee leaves the organization), SailPoint ensures the user is also de-provisioned from Okta and any other connected systems.
  • Okta can revoke access to cloud applications, while SailPoint ensures the users access is removed from both Active Directory and Okta-based resources.

4. Benefits of Integrating SailPoint, Okta, and Active Directory

a) Centralized User Management

  • Okta handles authentication and access to cloud applications, Active Directory manages on-prem identities, and SailPoint ensures that all systems are in sync, providing centralized governance for both cloud and on-prem access.

b) Seamless Hybrid Access

  • The integration provides a seamless user experience across both cloud and on-prem applications, allowing organizations to manage hybrid IT environments efficiently and securely.

c) Improved Security and Compliance

  • By enforcing policies, conducting automated access reviews, and auditing user access across both Okta and Active Directory, organizations can ensure that access to critical resources is always appropriate, reducing the risk of unauthorized access and ensuring compliance with regulations.

d) Simplified Identity Lifecycle Management

  • The integration automates user provisioning, role assignments, access changes, and de-provisioning, reducing manual efforts, and improving efficiency in identity lifecycle management across systems.

5. Technical Integration Details

a) Active Directory and Okta Integration

  • Okta AD Connector: Okta integrates with Active Directory using an AD connector, enabling user synchronization, authentication, and provisioning.
  • SailPoint AD Connector: SailPoint uses an Active Directory connector to pull user data and groups from AD, managing user lifecycle events and ensuring compliance policies are applied.

b) APIs and Connectors

  • Okta provides RESTful APIs to manage user identities, group memberships, and application access. These APIs can be used by SailPoint to automate provisioning and de-provisioning tasks, as well as to sync roles and access controls.
  • SailPoint uses APIs to orchestrate governance workflows, such as access reviews, certifications, and role management, across both Okta and Active Directory.

c) Active Directory Synchronization with SailPoint

  • SailPoint IdentityNow supports Active Directory connectors that synchronize user data with SailPoints identity governance platform. This allows SailPoint to manage AD group memberships, roles, and access rights as part of its governance and compliance workflows.

Conclusion

Integrating SailPoint, Okta, and Active Directory provides a complete solution for managing user identities across both cloud and on-prem systems. Organizations can ensure compliance, streamline user lifecycle management, and improve security by centralizing governance, automating provisioning, and enforcing policies across their hybrid IT environment.

Terraform Demo

This configuration sets up Okta with AD, maps the AD attributes, and configures SailPoint to recognize and sync users provisioned from AD through Okta.

This Terraform configuration automates the integration of Okta with Active Directory (AD) and sets up SailPoint IdentityNow to sync user identities from Okta. By using Terraform to manage these resources, you can apply and maintain configurations consistently and audit/rollback changes.

Providers

Terraform uses providers to interact with APIs (in this case, Okta and SailPoint). The okta provider lets Terraform manage Okta resources, while the http provider enables custom HTTP requests to communicate with SailPoint API. This is due to SailPoint not currently having a terraform provider.

Okta Configuration

  • okta_org_name (string)

    • Description: The name of your Okta organization. This is used to identify the specific Okta instance to manage.
    • Default: "your-okta-org"
  • okta_base_url (string)

    • Description: The base URL for the Okta instance (usually okta.com).
    • Default: "okta.com"
  • okta_api_token (string, sensitive)

    • Description: API token for authenticating requests to Okta. Keep this token secure, as it grants access to Okta API operations.
    • Default: None (must be provided as a secure input)

SailPoint Configuration

  • sailpoint_api_url (string)

    • Description: The base URL for accessing the SailPoint IdentityNow API.
    • Default: "https://your-sailpoint-instance.identitynow.com"
  • sailpoint_api_token (string, sensitive)

    • Description: API token for authenticating requests to SailPoint. This token allows Terraform to interact with SailPoint resources.
    • Default: None (must be provided as a secure input)

Active Directory (AD) Group Configuration

  • ad_group_name (string)

    • Description: The name of the Active Directory group to be synchronized with Okta. This name is used for identifying and managing AD users in Okta.
    • Default: "AD Users"
  • ad_group_description (string)

    • Description: Description for the AD group in Okta. This is a user-friendly description that explains the purpose of the group.
    • Default: "Group for AD-synced users"
  • ad_user_profile_mappings (map(string))

    • Description: A mapping of Active Directory attributes to Okta profile attributes. This map is used to synchronize AD user attributes with Okta, ensuring that fields like firstName and lastName are populated correctly in Okta.
    • Default:
      {
        "firstName" = "givenName"
        "lastName"  = "sn"
        "email"     = "mail"
      }
      

Outputs

  • identity_sources
    • Description: Lists the identity sources available in SailPoint. This output provides visibility into the identity sources and can help verify that Okta (and its users) is recognized in SailPoint.