The Okta Attribute Provider connector retrieves user attributes from Okta using API requests — enriching session claims with directory data beyond what authentication alone provides.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define attribute provider integrations.

Overview

The Okta Attribute Provider uses the Okta API to look up user profile data, group memberships, and other directory attributes. It shares the same connector type as the Okta IdP connector, but is configured with an API token instead of OIDC authentication fields. This connector is not an identity provider and does not handle authentication. Instead, it is paired with another IdP connector (such as Microsoft Entra ID, ADFS, or a SAML provider) to supplement the session with additional attributes from Okta.

Use Cases

  • Unified SSO with Okta attribute enrichment — Enrich sessions with Okta profile data (department, job title, custom attributes) so applications receive consistent identity attributes regardless of which IdP handles authentication
  • Cross-IdP authorization with Okta groups — Query Okta group memberships to drive authorization decisions in Orchestrator policies, even when users authenticate through a non-Okta IdP like Entra ID or ADFS
  • Preserve Okta attributes during IdP rationalization — During migration away from Okta, maintain access to Okta directory attributes so applications continue to receive the claims they depend on without disruption
  • Multi-directory identity enrichment — Combine Okta attribute lookups with authentication from any supported IdP, bridging identity data across systems in hybrid or multi-vendor identity environments

Configuration

To create an Okta Attribute Provider connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Okta Attribute Provider.
  3. Enter a Name — this is the friendly name that identifies your provider.
  4. Enter the API Token — the token used to authenticate the Maverics client with the Okta API. Generate this from the Okta admin console under Security > API > Tokens.
  5. Enter the Domain — the Okta domain to use for attributes (e.g., your-org.okta.com).
  6. Click Save.

Troubleshooting

  • Verify the domain is correct — ensure it matches your Okta organization URL (e.g., https://your-org.okta.com)
  • Ensure the API token is valid and not expired — Okta API tokens expire if not used for 30 days; check the token status in the Okta admin console under Security > API > Tokens
  • Check that the apiToken secret reference resolves correctly via your secret provider
  • Confirm the token has sufficient permissions — the admin who created the token must have read access to user profiles and groups
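
The domain, token and permission checks above can be run as one pre-flight against the Okta API before the connector is saved. This is an added example, not Maverics or Okta code. The function names, the two read-only probe endpoints chosen, and the OKTA_DOMAIN / OKTA_API_TOKEN environment variable names are assumptions of this example.

```python
import os
import re
import urllib.error
import urllib.request

# Read-only calls covering what the connector reads: user profiles and groups.
PROBES = ("/api/v1/users?limit=1", "/api/v1/groups?limit=1")

def normalize_domain(value):
    """Reduce 'https://your-org.okta.com/' or 'your-org.okta.com' to the bare host."""
    host = re.sub(r"^https?://", "", value.strip().lower()).split("/")[0]
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        raise ValueError(f"not a valid Okta domain: {value!r}")
    return host

def diagnose(status):
    """Map an HTTP status from the Okta API onto the troubleshooting checklist."""
    if status == 200:
        return "ok"
    if status == 401:  # Okta reports this as errorCode E0000011
        return "token invalid, expired or revoked"
    if status == 403:  # Okta reports this as errorCode E0000006
        return "token owner lacks read permission"
    if status in (0, 404):
        return "domain wrong or unreachable"
    return f"unexpected response (HTTP {status})"

def fetch(host, token, path):
    """Send one GET with Okta's SSWS token scheme; return the status (0 = no response)."""
    req = urllib.request.Request(f"https://{host}{path}", headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0

def preflight(domain, token, fetch=fetch):
    """Run every probe; the token is sent only in the header, never logged or returned."""
    host = normalize_domain(domain)
    return {path: diagnose(fetch(host, token, path)) for path in PROBES}

if __name__ == "__main__":  # OKTA_DOMAIN / OKTA_API_TOKEN are assumed variable names
    print(preflight(os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"]))
```

Supplying the token through the environment rather than as a command-line argument keeps it out of shell history and process listings.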