Getting Okta data into the Splunk platform
Okta has great out-of-the box reporting on events within the platform, including usage reports, SSO authentication events, and password health. However, what if you have a very specific report you need to run? If you have enabled single sign-on, you can ingest Okta data and report and audit on Okta with the Splunk platform.
Before working through this procedure, ensure that you have enabled Okta single sign-on in Splunk platform.
Process
- Go to your Okta admin portal, click Applications > Browse App Catalog, and search for “Splunk”.
- Click Splunk Add-on for Okta. This provides you with a brief description of the add-on and some of its features.
- Click More details about the Okta / Splunk integration to be taken to Splunkbase.
- Click Download, and then install this add-on as appropriate for your Splunk deployment.
This Okta Identity Cloud Add-on for Splunk is built and supported by Okta, not by Splunk. Okta provides complete step-by-step documentation for this add-on on Splunkbase. The remainder of this article covers installation for the simplest deployment type, an all-in-one Splunk instance, but you should refer to this documentation for your own environment and for anything not covered below.
- In your Splunk deployment, click Apps > Manage Apps.
- Click Install app from file, click Choose file, select the add-on you downloaded, and click Upload.
- The Splunk platform installs the add-on. You will be prompted to restart Splunk after installation. Do this by clicking Restart Now.
Obtain an API key from Okta
You now need to obtain an API key from Okta to allow the Splunk platform to collect Okta’s system logs and other information from your Okta tenant. Your Splunk instance that collects this data needs to be able to connect to Okta on HTTPS port 443.
- Go to your Okta admin portal and click Security > API > Tokens > Create Token.
- Enter a name for the API token, such as “Splunk_Prod”.
- Click Create Token.
- Copy the token generated. You need this later.
- In the Splunk platform, go to Apps > Okta Identity Cloud Add-on for Splunk > Configuration > Okta Accounts > Add.
- Enter the following:
- Okta Account Name. This can be named as required.
- Okta Domain. Enter your full Okta domain, for example, subdomain.okta.com.
- Okta API token. Paste in the value that you copied in Step 3.
- To save the information, click Add.
- Click Inputs > Create New Input. We recommend that you create one input for each metric type that can be collected. These are the four metrics types, along with example configurations:
It is best practice to use a separate index for data collection. Create an index if necessary from Settings > Indexes.
- Logs. Collects Okta system log events
- Users. Collects user information, such as user profile, user activity
- Groups. Collects group information, such as group membership, group changes
- Apps. Collects app Information, such as app name, SSO/provisioning configuration, assignments
- Logs. Collects Okta system log events
- After you have finished the inputs, your list should look similar to the following.
- Run a search for index=okta and see if you are getting results. The events that are retrieved should be in a JSON format and should represent the events seen within the Okta system log.
Next steps
You can now use your Okta data to create dashboards, reports, and alerts in the Splunk platform. Some example dashboards that you can create with this data are shown below.
Next steps
If you still need assistance with your Okta integration, UK-based Somerford Associates can help. Somerford Associates is an award winning Elite Partner with Splunk and the largest Partner Practice of Consultants in EMEA. We protect data, demonstrate that it is being managed effectively and derive greater value, by providing real-time insights to support effective decision making. With our specialist knowledge, skills, experience and strong reputation for enabling digital transformation at scale and at pace, we provide full delivery, including design, implementation, deployment and support. Find us on Splunk Partnerverse.
The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern.