> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Okta Attribute Provider

The Okta Attribute Provider connector retrieves user attributes from Okta using API requests -- enriching session claims with directory data beyond what authentication alone provides.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  attribute provider integrations.
</Note>

## Overview

The Okta Attribute Provider uses the Okta API to look up user profile data, group memberships, and other directory attributes. It shares the same connector type as the [Okta IdP connector](/reference/orchestrator/identity-fabric/okta), but configured with an API token instead of OIDC authentication fields. This connector is not an identity provider. It does not handle authentication. Instead, it is paired with another IdP connector (such as Microsoft Entra ID, ADFS, or a SAML provider) to supplement the session with additional attributes from Okta.

## Use Cases

* **Unified SSO with Okta attribute enrichment** -- Enrich sessions with Okta profile data (department, job title, custom attributes) so applications receive consistent identity attributes regardless of which IdP handles authentication
* **Cross-IdP authorization with Okta groups** -- Query Okta group memberships to drive authorization decisions in Orchestrator policies, even when users authenticate through a non-Okta IdP like Entra ID or ADFS
* **Preserve Okta attributes during IdP rationalization** -- During migration away from Okta, maintain access to Okta directory attributes so applications continue to receive the claims they depend on without disruption
* **Multi-directory identity enrichment** -- Combine Okta attribute lookups with authentication from any supported IdP, bridging identity data across systems in hybrid or multi-vendor identity environments

## Setup

<Tabs>
  <Tab title="Console UI">
    To create an Okta Attribute Provider connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Okta Attribute Provider**.
    3. Enter a **Name** -- this is the friendly name that identifies your provider.
    4. Enter the **API Token** -- the token used to authenticate the Maverics client with the Okta API. Generate this from the Okta admin console under **Security** > **API** > **Tokens**.
    5. Enter the **Domain** -- the Okta domain to use for attributes (e.g., `your-org.okta.com`).
    6. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: okta-attr
        type: okta
        apiToken: <vault.okta_api_token>
        domain: "{{ env.OKTA_DOMAIN }}"
    ```

    <Note>
      The Okta API token must be created by an admin user in the Okta admin console. Tokens inherit the permissions of the admin who creates them. Use a service account with the minimum required permissions for attribute lookups.
    </Note>

    ## Configuration Reference

    | Key        | Type   | Required | Description                                                              |
    | ---------- | ------ | -------- | ------------------------------------------------------------------------ |
    | `name`     | string | Yes      | Unique connector identifier referenced in app policies                   |
    | `type`     | string | Yes      | Must be `okta`                                                           |
    | `apiToken` | string | Yes      | Okta API token for authenticating requests (use secret reference syntax) |
    | `domain`   | string | Yes      | Okta organization domain (e.g., `https://your-org.okta.com`)             |

    For the complete field reference, see [Identity Fabric](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the `domain` is correct** -- ensure it matches your Okta organization URL (e.g., `https://your-org.okta.com`)
* **Ensure the API token is valid and not expired** -- Okta API tokens expire if not used for 30 days; check the token status in the Okta admin console under **Security** > **API** > **Tokens**
* **Check that the `apiToken` secret reference resolves correctly** via your secret provider
* **Confirm the token has sufficient permissions** -- the admin who created the token must have read access to user profiles and groups

## Related Pages

<CardGroup cols={2}>
  <Card title="Okta" icon="shield-halved" href="/reference/orchestrator/identity-fabric/okta">
    OIDC identity provider connector for Okta
  </Card>

  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers and attribute providers
  </Card>

  <Card title="Microsoft Entra ID" icon="microsoft" href="/reference/orchestrator/identity-fabric/azure-ad">
    OIDC connector for Microsoft Entra ID -- commonly paired with this attribute provider
  </Card>

  <Card title="Generic OIDC" icon="key" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>
</CardGroup>
