Okta SDK Integration

The Sym SDK provides convenience methods for interacting with Okta from your impl.py.

Did you configure your Okta Integration?

Before continuing, make sure you followed the instructions on the main Okta page to set up your Okta API Key and Integration.

Before continuing, you will need to have:

  • Connected Sym with AWS Secrets Manager
  • Configured your Okta API Key with Sym
  • Defined an Okta Integration resource

Add Your Okta Integration to your Environment

If you are writing an impl.py for your Okta Access Strategy, then your Okta Integration will be implicitly available, and you can use the SDK methods without additional configuration.

However, if you wish to use the Okta SDK methods in a different Flow (e.g. an Approval-Only Flow), then you must specify the Integration in your Environment.

resource "sym_environment" "this" {
  name            = "main"
  error_logger_id = sym_error_logger.slack.id

  integrations = {
    slack_id = sym_integration.slack.id

    # This is required to use Okta SDK methods in impl.py
    # for non-Okta strategies.
    okta_id = sym_integration.okta.id
  }
}

Using Okta in your Flows

For more information on the supported methods in the okta module, please visit the Sym SDK Okta Docs.

Example implementations

Only members of Group A can approve requests

from sym.sdk.annotations import hook
from sym.sdk.integrations import okta
from sym.sdk.templates import ApprovalTemplate


@hook
def on_approve(event):
  # Group A ID = 00g123456789
  # Only allow members of Group A to approve requests
  if not okta.is_user_in_group(event.user, group_id="00g123456789"):
    return ApprovalTemplate.ignore(message="Only members of Group A may approve")

Only members of the requested group can approve the request

from sym.sdk.annotations import hook
from sym.sdk.integrations import okta
from sym.sdk.templates import ApprovalTemplate


@hook
def on_approve(event):
  # Get the group details from the target in the request payload
  requested_group_id = event.payload.fields["target"].settings["group_id"]
  group_name = event.payload.fields["target"].label

  # Only allow members of the group to approve requests
  if not okta.is_user_in_group(event.user, group_id=requested_group_id):
    return ApprovalTemplate.ignore(message=f"Only members of {group_name} may approve requests for {group_name}")

DM users in an Okta group

from sym.sdk.annotations import reducer
# slack is needed for the return values below; it was missing from the original imports
from sym.sdk.integrations import okta, slack


@reducer
def get_approvers(event):
  # Get the group details from the target in the request payload
  group_name = event.payload.fields["target"].name

  # Requests for the "super_special" group get DM'd to managers
  if group_name == "super_special":
    # Get the users in the "Managers" Okta group
    managers = okta.users_in_group(group_id="00g123456789")
    return slack.group(managers)

  # Otherwise all other requests go to the regular requests channel
  return slack.channel("#okta-requests")