Additional configuration for Okta Group Gate

Configuration (POST /config)

The okta_group_id field takes the ID of the Okta Group to which users are temporarily added when they call the /claim endpoint.

Request

curl --header "X-Vault-Token: <admin-token>" \
    --request POST \
    http://127.0.0.1:8200/v1/auth/plugin/config \
    --data @payload.json

Payload

{
    [...] // fields already documented in 'HTTP API Reference' page
    "okta_group_id": "00gp83riuxRpnO0iV5d7"
}

The 00gp83riuxRpnO0iV5d7 value is the Okta Group ID, available through the Okta API and Admin Panel.


Okta API Configuration (POST /config/okta/api)

Request

curl --header "X-Vault-Token: <admin-token>" \
    --request POST \
    http://127.0.0.1:8200/v1/auth/plugin/config/okta/api \
    --data @payload.json

Payload

{
    "org_url": "https://myorg.okta.com",
    "api_token": "00EkHWuMmFWRSOyrYbTcCbcF4K[...]",
    "auth_mount_accessor": "auth_oidc_7c864405",
    "okta_entity_key": ""
}

org_url: The URL of the Okta organization that the API calls are sent to.

api_token: The Okta SSWS API Token with Group Membership Administrator privileges.

auth_mount_accessor: Populate this if you authenticate to Vault/OpenBao using the Okta IdP with the OIDC Auth Method (see the OIDC Auth Method documentation for Vault / OpenBao). It is used to fetch the Entity Alias of the requestor and extract their Okta User ID. Mutually exclusive with okta_entity_key.

okta_entity_key: (Not implemented) Used to extract the requestor’s Okta User ID from the Entity Metadata. Mutually exclusive with auth_mount_accessor.
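
A pre-flight check for the /config/okta/api payload, added here as an example; it is not part of the plugin or its documentation. It applies the field rules above and writes payload.json readable only by its owner, since the file holds the SSWS token. The function names, the https-only policy and the OKTA_API_TOKEN variable are assumptions of this example.

```python
import json
import os
from urllib.parse import urlsplit


def check_okta_api_payload(payload):
    """Return a list of problems; an empty list means the payload passes."""
    problems = []
    url = urlsplit(payload.get("org_url", ""))
    # Policy assumed for this example: the SSWS token only travels over TLS.
    if url.scheme != "https" or not url.hostname:
        problems.append("org_url must be an https:// URL")
    if not payload.get("api_token"):
        problems.append("api_token is empty")
    accessor = payload.get("auth_mount_accessor", "")
    entity_key = payload.get("okta_entity_key", "")
    if accessor and entity_key:
        problems.append("auth_mount_accessor and okta_entity_key are mutually exclusive")
    elif entity_key:
        problems.append("okta_entity_key is not implemented; use auth_mount_accessor")
    elif not accessor:
        # Assumption: with okta_entity_key unimplemented, the accessor is
        # the only way left to resolve the requestor's Okta User ID.
        problems.append("auth_mount_accessor is not set")
    return problems


def write_payload(payload, path):
    """Validate, then create the file owner-only (0600); returns the path."""
    problems = check_okta_api_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    # O_EXCL fails if the path already exists (including a planted symlink),
    # so the token is never written into a file someone else created.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh)
    return path


if __name__ == "__main__":
    write_payload({
        "org_url": "https://myorg.okta.com",
        "api_token": os.environ["OKTA_API_TOKEN"],  # hypothetical variable name
        "auth_mount_accessor": "auth_oidc_7c864405",
    }, "payload.json")
```

Delete payload.json once the curl request has been sent.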


Test Okta API Privileges (POST /config/okta/api/test)

This endpoint tests connectivity to the Okta Organization URL and the privileges of the Okta API Key by temporarily adding a given Okta User to the configured Okta Group.

Request

curl --header "X-Vault-Token: <admin-token>" \
    --request POST \
    http://127.0.0.1:8200/v1/auth/plugin/config/okta/api/test \
    --data @payload.json

Payload

{
    "user_id": "00up44uglx1peLV6n5d7"
}

user_id: The Okta User ID to briefly add to, and then remove from, the configured Okta Group.