Okta
Connect Okta to Compass for identity provider analysis.
The Okta connector integrates with your Okta organisation to pull user lifecycle, authentication, and application assignment metrics.
Prerequisites
- An Okta organisation with admin access
- An API token with read-only permissions
Setup
1. Create an API Token
- Sign in to your Okta Admin Console
- Go to Security > API > Tokens
- Click Create Token
- Name it "Compass IAM Discovery"
- Copy the token value — it won't be shown again
Important: The token inherits the permissions of the admin who creates it. Use a read-only admin account if possible.
2. Add to Compass
- Go to Settings > Connectors in Compass
- Click Add Connector > Okta
- Enter:
  - Okta Domain — Your org URL (e.g., yourcompany.okta.com)
  - API Token — The token you just created
- Click Test Connection
- Save
Metrics Collected
| Category | Metrics |
|---|---|
| Users | Total count, active/suspended/deprovisioned, creation rate, stale accounts |
| MFA | Enrollment rate, factor types, users without MFA enrolled |
| Applications | Total apps, SSO-enabled apps, users per app, unassigned apps |
| Groups | Group count, membership distribution, rule-based vs manual |
| Authentication | Sign-in success/failure rates, locked accounts, suspicious activity |
| Lifecycle | Provisioning status, deprovisioning backlog, joiner/mover/leaver metrics |
Troubleshooting
Rate limiting
Okta enforces API rate limits. If Compass encounters rate limits during data collection, it will automatically retry with backoff. Large organisations (50,000+ users) may take longer to collect.
Token expiration
Okta API tokens expire after 30 days of inactivity. If your connector stops working, regenerate the token and update it in Compass settings.
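The two failure modes above call for different handling in any script that reads the Okta API with the same token: a rate-limited request (HTTP 429) is worth retrying, while a rejected token (HTTP 401) is not. The sketch below is an added example, not Compass's own code; the `fetch` callable and the replayed responses are constructed for illustration, and it relies on Okta's `X-Rate-Limit-Reset` response header (UTC epoch seconds).

```python
import time

class TokenRejected(Exception):
    """HTTP 401: the API token is invalid, revoked or expired."""

def retry_delay(headers, attempt, now, base=1.0, cap=60.0):
    """Seconds to wait after a 429, preferring Okta's reset time."""
    reset = headers.get("X-Rate-Limit-Reset")  # UTC epoch seconds
    if reset is not None and str(reset).isdigit():
        # Wait until the window resets, plus 1 s for clock skew.
        return min(max(int(reset) - now, 0) + 1.0, cap)
    return min(base * 2 ** attempt, cap)  # header absent: exponential backoff

def collect(fetch, path, max_attempts=5, sleep=time.sleep, clock=time.time):
    """Call fetch(path) -> (status, headers, body) until it succeeds.

    fetch is a hypothetical transport callable (an assumption of this
    example) so the retry logic can be exercised offline.
    """
    for attempt in range(max_attempts):
        status, headers, body = fetch(path)
        if status == 200:
            return body
        if status == 401:
            # Retrying cannot help: regenerate the token instead.
            raise TokenRejected(path)
        if status != 429:
            raise RuntimeError(f"unexpected HTTP {status} for {path}")
        sleep(retry_delay(headers, attempt, clock()))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")

def demo():
    """Replay a constructed response sequence: two 429s, then success."""
    responses = iter([
        (429, {"X-Rate-Limit-Reset": "1700000010"}, None),
        (429, {}, None),
        (200, {"X-Rate-Limit-Remaining": "598"}, [{"id": "constructed-user"}]),
    ])
    waits = []
    body = collect(lambda p: next(responses), "/api/v1/users",
                   sleep=waits.append, clock=lambda: 1700000000)
    return body, waits
```

Treating 401 as terminal keeps a script from hammering the API with a dead token, which would only add failed-authentication noise to the Okta system log.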