# Okta

This topic describes how to integrate P0 with your Okta instance for effective identity and access management. This integration enables you to:

* Manage user access and permissions through your Okta instance
* Provision AWS access when users federate via Okta SAML
* Maintain an inventory of the user directory for Identity and Access Management (IAM) assessments

This guide contains the following sections:

1. [Prerequisites](#prerequisites)
2. [Integrate Okta for P0](#integrate-okta-for-p0)
3. [Configure Okta](#configure-okta)
4. [Configure Group Management](#configure-group-management)
5. [Next steps](#next-steps)

## Prerequisites

* Existing P0 account at [P0.app](https://p0.app)
* Administrative access to an Okta instance. You must have one of the following roles:
  * Super Administrator
  * Application Administrator

## Integrate Okta for P0

You can integrate Okta from the P0 app:

1. From the [P0.app](https://p0.app) site, navigate to **Integrations**, then click **Okta**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-dc03b70a4ccc52c0dd3729caf1909e9c9d26f6d6%2Fimage%20(17).png?alt=media" alt="" width="375"><figcaption></figcaption></figure>
2. From the list of **Available components**, click **Directory listing**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-da04d3d919d39642d0c55f06377d8f1b2813ce33%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. On the **Directory listing** page, click **+ Add directory**.

{% hint style="info" %}
Keep the browser tab open for the [P0.app](https://p0.app) **Directory listing** page. You will return to this page in later steps.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-5db50a4eb5012b9fc0bb850415a1a897e93fd300%2FPicture1.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

4. In a new tab, log into the [**Okta Admin Dashboard**](https://support.okta.com/help/s/article/How-to-access-Okta-admin-console-when-Default-App-for-Sign-In-Widget-is-enabled?language=en_US).

{% hint style="info" %}
Keep the browser tab open for the **Okta Admin Dashboard** page. You will return to this page in later steps.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-de0611d9fbdab9e262198bc16b06f2935bbf8593%2FPicture1.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>

5. Copy the directory identifier directly from the URL in the browser's address bar.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-47ba67fe4051a996b10bb80339ea7321e6baf832%2FPicture1.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

6. Return to the browser tab for the [P0.app](https://p0.app) **Directory listing** page, enter the directory identifier, which can be either a domain (e.g. `example.com`) or a URL (e.g., `example.com/director`), and click **Next**.

{% hint style="info" %}
Replace `company.okta.com` with your domain.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-7f68468def23377b8511ae4117f3f165a81cd68f%2FPicture1.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

7. Copy the Okta public key generated during the installation. You'll use the copied key to [Configure Okta](#configure-okta).

{% hint style="warning" %}
* Do not click **Next** yet. You must complete the steps in [Configure Client Credentials](#configure-client-credentials) before clicking **Next**.
* Ensure you copy the *entire* key. The contents of the key cannot be accessed again after you click **Next**.
* Keep the browser tab open for the **Directory listing** page. You will return to this page in later steps.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-a59d0cb16a41e141883faab1e99929b06be77895%2FScreenshot%202025-04-19%20at%204.33.24%E2%80%AFPM.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

## Configure Okta

Configure settings in Okta to enable secure identity management for your P0 app. In this setup process you will:

1. [Create an Application Instance](#create-an-application-instance)
2. [Configure Client Credentials](#configure-client-credentials)
3. [Assign API Scopes](#assign-api-scopes)
4. [Assign Admin Roles](#assign-admin-roles)
5. [Link Okta and P0](#link-okta-and-p0)

### Create an Application Instance

Use the application instance to create a secure identity for P0 within Okta, which enables authentication and access management:

1. In the Okta browser tab, click **Applications** from the menu, then click **Create App Integration**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-373ef7ffa8d38d389c12335ab710ae57a08e26a2%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
2. Select **API Services** as the application type, then click **Next**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-69610eeb24e3af02a32133a1bf6f925aa3370f28%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. Enter a name for your application (e.g. `P0 Integration App`), then click **Save**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-7aa1f33874e912de58de927d1d7fad2d78d42baa%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

### Configure Client Credentials

Configure the client credentials to set up the secure authentication keys:

1. Select **Applications** in your Okta dashboard, then click the newly created application under the **General** tab.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-09dc7e56cf61fd3132b1c338c7de2b23f05577a1%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
2. In the **Client Credentials** section, click **Edit**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-2829d12ec189068561e2d7041496089d61487eff%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. Select **Public key / Private key** authentication, then click **Add key**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-e0be1544ed6f9379e793c39a901f74f4c636375a%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
4. Paste the public key you copied from P0 during the [public key generation](#generate-a-public-key) process, then click **Done**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-bd80a1b4386d34fee9eda0f496555c2f2a4d5151%2Fimage.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>
5. Uncheck the checkbox requiring "Proof of possession".

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-f23010e5ab14d9605b84c2f334b9c2582846c1a3%2FScreenshot%202025-04-19%20at%204.36.39%E2%80%AFPM.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
6. Return to the browser tab for the [P0.app](https://p0.app) **Directory listing** page and click **Next**.

### Assign API Scopes

Assign the API scopes that P0 needs to manage permissions for users and groups in Okta:

1. Click the **Okta API Scopes** tab.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-de81a55201ed1943491d0a39765a6033e2995d30%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
2. Select each of the following scopes, then click **Grant** to provide the required permissions:
   * `okta.groups.read`
   * `okta.users.read`
3. (Optional) If Amazon Web Services (AWS) user provisioning is set up using the [Okta SAML application](https://help.okta.com/en-us/content/topics/deploymentguides/aws/aws-configure-identity-provider.htm), grant these scopes:
   * `okta.apps.manage` - Allows P0 to configure and manage the Okta SAML application connected to AWS.
   * `okta.schemas.manage` - Allows P0 to manage custom user schemas, ensuring accurate synchronization of user attributes with AWS.

### Assign Admin Roles

Assign admin roles to the P0 Integration App so that it has the permissions needed to read your Okta directory:

1. Click the **Admin roles** tab on your P0 Integration App.
2. Click **Edit assignments**.
3. Click **Add assignment**.
4. From the **Role** dropdown, select **Group Administrator** (for read access to groups) and click **Save Changes**.

{% hint style="info" %}
If you also plan to configure [Group Management](#configure-group-management), you can select **Group Membership Administrator** instead, which includes the permissions needed for both directory listing and group assignment.
{% endhint %}

### Link Okta and P0

Connect the Okta Client ID with P0 to complete the integration:

1. Return to the **General** tab of your Okta application, and copy the **Client ID**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-aa8629cc5289712679744e0021e366af6a50e851%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
2. Return to the browser tab for the [P0.app](https://p0.app) **Directory listing** page, and paste the Client ID into the **Okta application client ID** text field.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-0007491515acf57bdcc32fb5f6b875c998b8793b%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. Click **Finish**. Once installation is complete, your Okta directory is displayed on the **Directory listing** page.

## Configure Group Management

Set up and manage user groups in Okta to control access and permissions:

1. From the [p0.app](https://p0.app) site, navigate to **Integrations**, then select **Okta**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-dc03b70a4ccc52c0dd3729caf1909e9c9d26f6d6%2Fimage%20(17).png?alt=media" alt="" width="375"><figcaption></figcaption></figure>
2. From the list of **Available components**, click **Group assignment**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-543d6cb48bb9e7fe650babb15ac673c82061ec09%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. On the **Group assignment** page, click **+ Add directory**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-215e728dfbc79a08f4f352c3afa0fd2faac1c2f2%2Fimage.png?alt=media" alt="" width="531"><figcaption></figcaption></figure>
4. Select the [directory identifier](#integrate-okta-for-p0) from the dropdown and click **Next**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-2a46616cd93bb39e5f15b05d690e55ae8c0e9851%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
5. Switch back to the Okta browser tab, then click the **Okta API Scopes** tab.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-38a79abacfcecb8319a444287743fb863c92bc0a%2FScreenshot%202025-04-19%20at%209.24.23%E2%80%AFPM.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
6. Add the `okta.groups.manage` scope to the Granted scopes by clicking **Grant** next to it.
7. Click the **Admin roles** tab.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-1b4615fa9927f09b952ae20cf70e38583e065142%2Fimage.png?alt=media" alt="" width="429"><figcaption></figcaption></figure>
8. Click **Edit assignments**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-17223f302807a05eb8284ec06d43d62797d7f3cf%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
9. Select **Add assignment**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-047d4fffffa711355d55646468be3f1a6890bc80%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
10. From the **Role** dropdown, select **Group Membership Administrator** and click **Save Changes**.

    <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-248d6c1720858ea87d9800e5449cbb6b6603f26a%2FScreenshot%202025-04-19%20at%209.30.28%E2%80%AFPM.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
11. Return to the browser tab for the [P0.app](https://p0.app/) **Group assignment** page and click **Next**.

    <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-a215a07d823c316b0001d053d682bc70bb2ec5e7%2Fimage%20(26).png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
12. Click **Finish**.

    <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-f6a37a7fb87ff82aab9926ad8d4abc837666589b%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}
Congratulations! You've configured different identity groups after setting up Okta authentication for P0.
{% endhint %}
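The following is an added example, not part of the P0 documentation or P0's own code: a least-privilege check over the scopes granted in [Assign API Scopes](#assign-api-scopes) and in the group management steps above. It assumes you have exported the application's grants as JSON (for example from Okta's `GET /api/v1/apps/{appId}/grants` endpoint) and that each entry carries `scopeId` and `status` fields; the component names and the sample data are constructed for illustration.

```python
import json

# Scopes each P0 component needs, as listed in this guide.
# The component keys are hypothetical labels, not P0 identifiers.
REQUIRED = {
    "directory_listing": {"okta.groups.read", "okta.users.read"},
    "aws_saml_provisioning": {"okta.apps.manage", "okta.schemas.manage"},
    "group_assignment": {"okta.groups.manage"},
}

def audit_grants(grants_json, components):
    """Compare granted scopes with what the enabled components require.

    grants_json: JSON array of grant objects with "scopeId" and "status"
                 (assumed shape of an exported Okta app grants listing).
    components:  iterable of keys from REQUIRED.
    Returns (missing, excess) as sorted lists of scope names.
    """
    components = set(components)
    unknown = components - REQUIRED.keys()
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")

    # Only active grants count; a revoked grant confers nothing.
    granted = {
        g["scopeId"]
        for g in json.loads(grants_json)
        if g.get("status", "ACTIVE") == "ACTIVE"
    }
    needed = set().union(*(REQUIRED[c] for c in components))
    return sorted(needed - granted), sorted(granted - needed)

# Constructed sample: one scope beyond what the guide asks for, one revoked.
SAMPLE_GRANTS = json.dumps([
    {"scopeId": "okta.groups.read", "status": "ACTIVE"},
    {"scopeId": "okta.users.read", "status": "ACTIVE"},
    {"scopeId": "okta.groups.manage", "status": "ACTIVE"},
    {"scopeId": "okta.users.manage", "status": "ACTIVE"},
    {"scopeId": "okta.apps.manage", "status": "REVOKED"},
])

if __name__ == "__main__":
    missing, excess = audit_grants(
        SAMPLE_GRANTS, ["directory_listing", "group_assignment"]
    )
    print("missing:", missing)
    print("excess (candidates to revoke):", excess)
```

Any scope reported as excess is broader than this guide requires for the enabled components and is a candidate for revocation in the **Okta API Scopes** tab.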

## Next steps

After completing the Okta integration, you can assign P0 roles (such as Owner and Security Reviewer) based on Okta groups. See [Role-Based Access Control](https://docs.p0.dev/p0-management/role-based-access-control#assigning-roles-with-okta-groups) for setup instructions, including the required Okta Login app group claims configuration.
