# Okta

This topic describes how to integrate P0 with your Okta instance for effective identity and access management. This integration enables you to:

* Manage user access and permissions through your Okta instance
* Provision AWS access when users federate via Okta SAML
* Maintain an inventory of the user directory for Identity and Access Management (IAM) assessments

This guide contains the following sections:

1. [Prerequisites](#prerequisites)
2. [Integrate Okta for P0](#integrate-okta-for-p0)
3. [Configure Okta](#configure-okta)
4. [Configure Group Management](#configure-group-management)
5. [Next steps](#next-steps)

## Prerequisites

* Existing P0 account at [P0.app](https://p0.app)
* Administrative access to an Okta instance. You must have one of the following roles:
  * Super Administrator
  * Application Administrator

## Integrate Okta for P0

You can integrate Okta from the P0 app:

1. From the [P0.app](https://p0.app) site, navigate to **Integrations**, then click **Okta**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-dc03b70a4ccc52c0dd3729caf1909e9c9d26f6d6%2Fimage.png?alt=media" alt="P0 Integrations page with Okta highlighted in the Directories section" width="375"><figcaption></figcaption></figure>
2. From the list of **Available components**, click **Directory listing**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-da04d3d919d39642d0c55f06377d8f1b2813ce33%2Fimage.png?alt=media" alt="Okta integration page showing Directory listing and Group assignment components" width="563"><figcaption></figcaption></figure>
3. On the **Directory listing** page, click **+ Add directory**.

{% hint style="info" %}
Keep the browser tab open for the [P0.app](https://p0.app) **Directory listing** page. You will return to this page in later steps.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-5db50a4eb5012b9fc0bb850415a1a897e93fd300%2FPicture1.png?alt=media" alt="P0 Okta Directory listing page with Add directory button highlighted" width="375"><figcaption></figcaption></figure>

4. In a new tab, log into the [**Okta Admin Dashboard**](https://support.okta.com/help/s/article/How-to-access-Okta-admin-console-when-Default-App-for-Sign-In-Widget-is-enabled?language=en_US).

{% hint style="info" %}
Keep the browser tab open for the **Okta Admin Dashboard** page. You will return to this page in later steps.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-de0611d9fbdab9e262198bc16b06f2935bbf8593%2FPicture1.png?alt=media" alt="Okta sign-in page with Username field and Next button" width="375"><figcaption></figcaption></figure>

5. Copy the directory identifier directly from the URL in the browser's address bar.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-47ba67fe4051a996b10bb80339ea7321e6baf832%2FPicture1.png?alt=media" alt="Browser address bar showing the Okta domain highlighted in the URL" width="563"><figcaption></figcaption></figure>

6. Return to the browser tab for the [P0.app](https://p0.app) **Directory listing** page, enter the directory identifier, which can be either a domain (e.g., `example.com`) or a URL (e.g., `example.com/director`), and click **Next**.

{% hint style="info" %}
Replace `company.okta.com` with your domain.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-7f68468def23377b8511ae4117f3f165a81cd68f%2FPicture1.png?alt=media" alt="P0 Directory listing page with Okta domain entered and Next button highlighted" width="563"><figcaption></figcaption></figure>

7. Copy the Okta public key generated during the installation. You'll use the copied key to [Configure Okta](#configure-okta).

{% hint style="warning" %}
* Do not click **Next** yet. You must complete the steps in [Configure Client Credentials](#configure-client-credentials) before clicking **Next**.
* Ensure you copy the *entire* key. The contents of the key cannot be accessed again after you click **Next**.
* Keep the browser tab open for the **Directory listing** page. You will return to this page in later steps.
{% endhint %}

## Configure Okta

Configure settings in Okta to enable secure identity management for your P0 app. In this setup process you will:

1. [Create an Application Instance](#create-an-application-instance)
2. [Configure Client Credentials](#configure-client-credentials)
3. [Assign API Scopes](#assign-api-scopes)
4. [Assign Admin Roles](#assign-admin-roles)
5. [Link Okta and P0](#link-okta-and-p0)

### Create an Application Instance

Use the application instance to create a secure identity for P0 within Okta, which enables authentication and access management:

1. In the Okta browser tab, click **Applications** from the menu, then click **Create App Integration**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-373ef7ffa8d38d389c12335ab710ae57a08e26a2%2Fimage.png?alt=media" alt="Okta admin Applications page with Create App Integration button highlighted" width="563"><figcaption></figcaption></figure>
2. Select **API Services** as the application type, then click **Next**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-69610eeb24e3af02a32133a1bf6f925aa3370f28%2Fimage.png?alt=media" alt="Create a new app integration dialog with API Services selected and Next button" width="563"><figcaption></figcaption></figure>
3. Enter a name for your application (e.g. `P0 Integration App`), then click **Save**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-7aa1f33874e912de58de927d1d7fad2d78d42baa%2Fimage.png?alt=media" alt="New API Services App Integration form with app name field and Save button" width="563"><figcaption></figcaption></figure>

### Configure Client Credentials

Configure the client credentials to set up the secure authentication keys:

1. Select **Applications** in your Okta dashboard, then click the newly created application under the **General** tab.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-09dc7e56cf61fd3132b1c338c7de2b23f05577a1%2Fimage.png?alt=media" alt="Okta application General tab showing Client Credentials section with Client ID" width="563"><figcaption></figcaption></figure>
2. In the **Client Credentials** section, click **Edit**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-2829d12ec189068561e2d7041496089d61487eff%2Fimage.png?alt=media" alt="Okta Client Credentials section with Edit button highlighted" width="563"><figcaption></figcaption></figure>
3. Select **Public key / Private key** authentication, then click **Add key**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-e0be1544ed6f9379e793c39a901f74f4c636375a%2Fimage.png?alt=media" alt="Client Credentials edit mode with Public key / Private key selected and Add key button" width="563"><figcaption></figcaption></figure>
4. Paste the public key you copied from P0 during the [public key generation](#generate-a-public-key) process, then click **Done**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-bd80a1b4386d34fee9eda0f496555c2f2a4d5151%2Fimage.png?alt=media" alt="Add a public key dialog with pasted JSON key and Done button" width="375"><figcaption></figcaption></figure>
5. Uncheck the checkbox requiring "Proof of possession".
6. Return to the browser tab for the [P0.app](https://p0.app) **Directory listing** page and click **Next**.

### Assign API Scopes

Assign the API scopes that P0 needs to manage permissions for users and groups in Okta:

1. Click the **Okta API Scopes** tab.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-de81a55201ed1943491d0a39765a6033e2995d30%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
2. Select each of the following scopes, then click **Grant** to provide the required permissions:
   * `okta.groups.read`
   * `okta.users.read`
3. (Optional) If Amazon Web Services (AWS) user provisioning is set up using the [Okta SAML application](https://help.okta.com/en-us/content/topics/deploymentguides/aws/aws-configure-identity-provider.htm), grant these scopes:
   * `okta.apps.manage` - Allows P0 to configure and manage the Okta SAML application connected to AWS.
   * `okta.schemas.manage` - Allows P0 to manage custom user schemas, ensuring accurate synchronization of user attributes with AWS.

### Assign Admin Roles

Assign admin roles to the P0 Integration App so that it has the permissions needed to read your Okta directory:

1. Click the **Admin roles** tab on your P0 Integration App.
2. Click **Edit assignments**.
3. Click **Add assignment**.
4. From the **Role** dropdown, select **Group Administrator** (for read access to groups) and click **Save Changes**.

{% hint style="info" %}
If you also plan to configure [Group Management](#configure-group-management), you can select **Group Membership Administrator** instead, which includes the permissions needed for both directory listing and group assignment.
{% endhint %}

### Link Okta and P0

Connect the Okta Client ID with P0 to complete the integration:

1. Return to the **General** tab of your Okta application, and copy the **Client ID**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-aa8629cc5289712679744e0021e366af6a50e851%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
2. Return to the browser tab for the [P0.app](https://p0.app) **Directory listing** page, and paste the Client ID into the **Okta application client ID** text field.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-0007491515acf57bdcc32fb5f6b875c998b8793b%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. Click **Finish**. Once installation is complete, your Okta directory is displayed on the **Directory listing** page.

## Configure Group Management

Set up and manage user groups in Okta to control access and permissions:

1. From the [p0.app](https://p0.app) site, navigate to **Integrations**, then select **Okta**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-dc03b70a4ccc52c0dd3729caf1909e9c9d26f6d6%2Fimage.png?alt=media" alt="" width="375"><figcaption></figcaption></figure>
2. From the list of **Available components**, click **Group assignment**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-543d6cb48bb9e7fe650babb15ac673c82061ec09%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
3. On the **Group assignment** page, click **+ Add directory**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-215e728dfbc79a08f4f352c3afa0fd2faac1c2f2%2Fimage.png?alt=media" alt="" width="531"><figcaption></figcaption></figure>
4. Select the [directory identifier](#integrate-okta-for-p0) from the dropdown and click **Next**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-2a46616cd93bb39e5f15b05d690e55ae8c0e9851%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
5. Switch back to the Okta browser tab, then click the **Okta API Scopes** tab.
6. Add the `okta.groups.manage` scope to the granted scopes by clicking **Grant** next to it.
7. Click the **Admin roles** tab.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-1b4615fa9927f09b952ae20cf70e38583e065142%2Fimage.png?alt=media" alt="" width="429"><figcaption></figcaption></figure>
8. Click **Edit assignments**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-17223f302807a05eb8284ec06d43d62797d7f3cf%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
9. Select **Add assignment**.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-047d4fffffa711355d55646468be3f1a6890bc80%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
10. From the **Role** dropdown, select **Group Membership Administrator** and click **Save Changes**.
11. Return to the browser tab for the [P0.app](https://p0.app/) **Group assignment** page and click **Next**.

    <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-a215a07d823c316b0001d053d682bc70bb2ec5e7%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>
12. Click **Finish**.

    <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-f6a37a7fb87ff82aab9926ad8d4abc837666589b%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="success" %}
Congratulations! You've configured different identity groups after setting up Okta authentication for P0.
{% endhint %}
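
To confirm that the integration app ends up with only the scopes named in [Assign API Scopes](#assign-api-scopes) and in step 6 above, you can audit an export of the app's scope grants. The following is an added example, not P0's or Okta's own code; the component labels are hypothetical, the sample grants are constructed, and the input is assumed to be a JSON list of grant objects carrying `scopeId` and `status` fields.

```python
import json

# Scopes this page asks you to grant, keyed by hypothetical component labels.
REQUIRED = {
    "directory-listing": {"okta.groups.read", "okta.users.read"},
    "aws-saml-provisioning": {"okta.apps.manage", "okta.schemas.manage"},
    "group-assignment": {"okta.groups.manage"},
}

def audit_grants(grants, components):
    """Return scopes that are missing or in excess for the enabled components."""
    unknown = set(components) - REQUIRED.keys()
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    expected = set().union(*(REQUIRED[c] for c in components))
    # Only ACTIVE grants count; a revoked grant confers nothing.
    granted = {
        g["scopeId"] for g in grants
        if g.get("status", "").upper() == "ACTIVE" and "scopeId" in g
    }
    return {
        "missing": sorted(expected - granted),  # integration will fail without these
        "excess": sorted(granted - expected),   # least-privilege violations to revoke
    }

# Constructed sample: one over-broad scope and one revoked grant.
SAMPLE_GRANTS = json.loads("""
[
  {"scopeId": "okta.users.read",    "status": "ACTIVE"},
  {"scopeId": "okta.groups.read",   "status": "ACTIVE"},
  {"scopeId": "okta.groups.manage", "status": "ACTIVE"},
  {"scopeId": "okta.users.manage",  "status": "ACTIVE"},
  {"scopeId": "okta.apps.manage",   "status": "REVOKED"}
]
""")

if __name__ == "__main__":
    enabled = ["directory-listing", "group-assignment"]
    report = audit_grants(SAMPLE_GRANTS, enabled)
    print(json.dumps(report, indent=2))
    # A non-empty "excess" list means the app holds more than this guide requires.
    raise SystemExit(1 if report["missing"] or report["excess"] else 0)
```

Run the audit again whenever a component is added or removed, so that a scope granted for a retired component does not linger on the app.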

## Next steps

After completing the Okta integration, you can assign P0 roles (such as Owner and Security Reviewer) based on Okta groups. See [Role-Based Access Control](https://docs.p0.dev/p0-management/role-based-access-control#assigning-roles-with-okta-groups) for setup instructions, including the required Okta Login app group claims configuration.


