Configuring Okta as an Identity Provider
In addition to supporting Active Directory, Tenable Identity Exposure now integrates with Okta as an Identity Provider (IdP), extending visibility into modern, cloud-based identity platforms. This integration introduces new Indicators of Exposure tailored to Okta-specific risks.
This guide provides step-by-step instructions to connect your Okta environment with Tenable Identity Exposure. By enabling this integration, Tenable can collect identity-related metadata from Okta, helping you uncover potential vulnerabilities and strengthen your overall identity security posture.
To integrate Okta with Tenable Identity Exposure, follow this onboarding process closely:
You must have a Tenable Cloud account to log in to cloud.tenable.com and use the Okta support feature.
This Tenable Cloud account uses the same email address as your Welcome email. If you do not know which email address is registered for cloud.tenable.com, contact Support.
All customers with a valid license (On-Premises or SaaS) can access the Tenable Cloud at cloud.tenable.com. This account lets you configure Tenable scans for your Okta tenant and collect the scan results.
License Count
Tenable counts duplicate identities against the license unless the Tenable Cloud sync feature is enabled. Without this feature, it cannot match accounts from Okta and Active Directory, so it counts each account separately.
- Without Tenable Cloud sync: A single user with both an AD account and an Okta account counts as two separate users against the license.
- With Tenable Cloud sync enabled: The system consolidates multiple accounts into a single identity, so a user with multiple accounts is counted only once.
Note: Okta is a third-party service, and its interface or configuration process may change over time. For the most accurate and up-to-date instructions, always refer to Okta’s official documentation.
Use the following procedures (adapted from the Okta documentation) to configure all required settings in Okta.
- Add an API token
  - Log in to Okta with an "Admin" account. The API token inherits the permissions of the administrator who creates it, and Okta expires a token that goes unused for 30 days, so create it from a dedicated administrator account with the minimum role needed rather than a personal super admin login.
  - Navigate to the Admin Console.
  - Navigate to Security > API.
  - Click the Tokens tab, then Create Token (e.g. https://youroktaorg.okta.com/admin/access/api/tokens).
  - Name your token: enter a descriptive name that identifies the purpose of this token (for example, the Tenable integration) later.
  - Define token usage restrictions: specify the IP ranges or network zones from which API calls using this token are allowed. Restrict them to the addresses Tenable calls from wherever you can, so that a leaked token cannot be used from elsewhere.
  - Click Create Token. This generates a new API token, and a "Token created successfully" message appears.
  - Copy the token and store it securely, because Okta shows the value only once. You need it later when configuring the Tenable credential.
  - Verify the token: it should now be listed on your Tokens page.
- Create credentials
  - After you configure all the required settings in Okta, create a new credential of type "Okta Cloud Identity" in Tenable Vulnerability Management.
  - Select the "Key" authentication method.
  - Type a name and description in the required boxes.
  - Under Settings, type your organization URL (for example, https://youroktaorg.okta.com) and the token value that you retrieved in the previous procedure.
- To use Okta, you must activate the feature in Tenable Identity Exposure settings.
  - See Identity 360, Exposure Center, Okta, and Microsoft Entra ID Support Activation for instructions.

Adding a tenant links Tenable Identity Exposure with the Okta tenant to perform scans on that tenant.
- In the Configuration page, click the Identity Providers tab. The Tenant Management page opens.
- Click Add a tenant. The Add a tenant page opens.
- In the Provider drop-down list box, select Okta.
- In the Name of the tenant box, type a name.
- In the Credentials box, click the drop-down list to select a credential.
- If your credential does not appear in the list, you can either:
  - Create one in Tenable Vulnerability Management (Tenable Vulnerability Management > Settings > Credentials). For more information, see the Create credentials procedure above.
  - Check that you have the "Can use" or "Can edit" permission for the credential in Tenable Vulnerability Management. Unless you have one of these permissions, Tenable Identity Exposure does not show the credential in the drop-down list.
- Click Refresh to update the drop-down list of credentials.
- Select the credential you created.
- Click Add. A message confirms that Tenable Identity Exposure added the tenant, which now appears in the list on the Tenant Management page.

Note: Tenant scans do not occur in real time. Depending on the tenant size, allow at least one hour before Okta data is visible in the Identity Explorer.
- Select a tenant in the list and click the toggle to Scan enabled. Tenable Identity Exposure requests a scan on the tenant and the results appear in the Indicators of Exposure page.
Note: Scans run at least once per day, with a mandatory minimum delay of 30 minutes between two scans. Depending on the tenant size, most customers' data refreshes multiple times per day.
Troubleshoot the configuration
- After configuration, check the scan status of the Okta Identity Provider in the Tenable Identity Exposure > Identity Providers section. The status should display green a few minutes after a successful scan.
- Additionally, you can verify that Okta resources (users, roles, apps, groups) begin to appear across the various Tenable Identity Exposure screens.
- If the status remains red or no data is ingested:
  - Double-check the credentials (Org URL / Token).
  - Review scope permissions. The token sees only what the administrator who created it can see, and it stops working if that account is deactivated or the token goes unused for 30 days.
  - Confirm network access and API rate limits on the Okta side.
- Double-check your configuration values. Typos in the domain or token are common mistakes. You can find the correct values in your Okta Admin Console.
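The following Python script is an added example, not Tenable's or Okta's own code. It checks the token from the "Add an API token" procedure and the organization URL before you paste them into the Tenable credential, and it maps the failures listed in the troubleshooting section above (bad token or URL, missing role, rate limiting) to the likely fix. It assumes the token and org URL are supplied through the OKTA_API_TOKEN and OKTA_ORG_URL environment variables (names chosen for this example); the GET /api/v1/users/me endpoint, the SSWS authorization scheme and the X-Rate-Limit-* response headers are Okta's documented API behaviour.

```python
"""Pre-flight check for an Okta API token and org URL.

Added example, not Tenable or Okta code. Assumed: token and org URL come
from the OKTA_API_TOKEN / OKTA_ORG_URL environment variables (names chosen
here). GET /api/v1/users/me, the SSWS scheme and the X-Rate-Limit-* headers
are Okta's documented API behaviour.
"""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse


def normalize_org_url(raw: str) -> str:
    """Return 'https://<org host>' with no path or trailing slash.

    Accepts what admins usually paste: a bare hostname, a URL with a
    trailing slash, or an Admin Console URL on the <org>-admin host.
    Rejects non-https input, since the token would otherwise travel in
    clear text.
    """
    raw = raw.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parsed = urlparse(raw)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"org URL must look like https://youroktaorg.okta.com, got {raw!r}")
    # The Admin Console lives on <org>-admin.okta.com; the API does not.
    host = parsed.netloc.lower().replace("-admin.", ".", 1)
    return f"https://{host}"


def api_headers(token: str) -> dict:
    """Headers Okta expects for API-token (SSWS) authentication."""
    token = token.strip()
    if not token:
        raise ValueError("empty API token")
    return {
        "Authorization": f"SSWS {token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def diagnose(status: int, headers: dict) -> str:
    """Map an HTTP status plus rate-limit headers to the likely fix.

    Mirrors the troubleshooting list: 401 points at the token or org URL,
    403 at the token owner's role, 429 at Okta-side rate limits.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    remaining, limit = h.get("x-rate-limit-remaining"), h.get("x-rate-limit-limit")
    if status == 200:
        if remaining is not None and limit is not None and int(remaining) * 10 < int(limit):
            return "ok, but under 10% of this endpoint's rate limit remains; a scan may be throttled"
        return "ok"
    if status == 401:
        return "unauthorized: token is wrong, revoked, expired after 30 days unused, or sent to the wrong org"
    if status == 403:
        return "forbidden: token works but its owner lacks the admin role needed for this resource"
    if status == 404:
        return "not found: org URL is probably wrong (check the hostname for a typo)"
    if status == 429:
        reset = h.get("x-rate-limit-reset", "unknown")
        return f"rate limited: wait until X-Rate-Limit-Reset ({reset}, epoch seconds) before retrying"
    return f"unexpected HTTP {status}"


def check_token(org_url: str, token: str, timeout: float = 10.0) -> tuple:
    """GET /api/v1/users/me, which answers with the token owner's profile.

    Returns (status, headers, body). Network errors (DNS, proxy, TLS) are
    left to propagate so they are not confused with HTTP-level failures.
    """
    url = normalize_org_url(org_url) + "/api/v1/users/me"
    req = urllib.request.Request(url, headers=api_headers(token), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    status, hdrs, body = check_token(os.environ["OKTA_ORG_URL"], os.environ["OKTA_API_TOKEN"])
    print(diagnose(status, hdrs))
    if status == 200:
        # Confirm the owner is the dedicated service account, not a personal super admin login.
        print("token owner:", body.get("profile", {}).get("login"))
```

Run it from a host in the IP ranges you allowed when creating the token; a 401 from an allowed address means the token or org URL is wrong, while a 401 from elsewhere is the usage restriction doing its job. The printed owner login tells you which administrator's permissions and lifecycle the token depends on.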