# Overview

> Learn about the Okta OpenGraph extension for BloodHound.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The Okta extension is an OpenGraph extension for [Okta Platform](https://www.okta.com/products/workforce-identity/) environments that enables BloodHound to model Okta users, groups, applications, roles, policies, and related relationships as graph data.

It adds Okta-specific [nodes](/opengraph/extensions/okta/schema#nodes), [edges](/opengraph/extensions/okta/schema#edges), [Cypher queries](/opengraph/extensions/okta/queries), and [Privilege Zone rules](/opengraph/extensions/okta/privilege-zone-rules) to help security professionals visualize and analyze Okta configurations in BloodHound.

<Note>The other main product in Okta's portfolio is [Auth0](https://auth0.com/) (previously known as Customer Identity Cloud). The Okta extension does not currently support Auth0.</Note>

## Okta Attack Paths

Okta is an interesting target for attackers because it is widely used by organizations to manage access to cloud and on-premises applications.

Compromising an Okta organization can provide attackers with access to a wide range of resources and data. Okta organizations are often secure by default, with MFA enforced for users and re-authentication required for sensitive administrative tasks.

Okta also uses role-based access control (RBAC) to mitigate privilege escalation paths. As a result, many meaningful attack paths stem from misconfigurations, including excessive role assignments, weak authentication policies, insecure application integrations, and exposure of sensitive credentials.

You should also account for users who are non-privileged in Okta but hold administrative access in connected applications, such as GitHub Enterprise Cloud or Amazon Web Services (AWS). Hybrid attack paths between on-premises Active Directory and Okta are also possible.

<Frame>
  <img src="https://mintcdn.com/specterops/vLZ2lUIRm_HibFmq/images/extensions/okta/bloodhound-role-assignments.png?fit=max&auto=format&n=vLZ2lUIRm_HibFmq&q=85&s=c2849946e6609ca438311eadf5f047a9" alt="Okta role assignments displayed in BloodHound" width="1958" height="1394" data-path="images/extensions/okta/bloodhound-role-assignments.png" />
</Frame>

<Note>Our research on Okta attack paths is still ongoing. Interesting mappings to MITRE ATT&CK are [available from Elastic](https://github.com/elastic/detection-rules/tree/main/rules/integrations/okta).</Note>

## Available Collectors

The Okta extension supports two collector paths:

* [OpenHound Okta collector](/openhound/collectors/okta/overview): The SpecterOps-supported Okta collector. This is the primary documented path for collecting Okta data for BloodHound.
* [OktaHound collector](https://github.com/SpecterOps/OktaHound): An alternative Okta collector that also targets the Okta extension schema.

## Okta Free Trial

Okta provides a [free trial](https://developer.okta.com/signup/) plan that you can use to test the majority of OktaHound features.

## References

The following blog posts provide insights into Okta attack vectors and techniques:

* [Michael Grafnetter (SpecterOps): Discovering Unexpected Okta Attack Paths with BloodHound](https://specterops.io/blog/2026/03/23/discovering-unexpected-okta-attack-paths-with-bloodhound/)
* [Adam Chester (SpecterOps): Okta for Red Teamers](https://blog.xpnsec.com/okta-for-redteamers/)
* [Adam Chester (SpecterOps): Identity Providers for RedTeamers](https://blog.xpnsec.com/identity-providers-redteamers/)
* [Eli Guy (XM Cyber): Attack Techniques in Okta - Part 1 - A (Really) Deep Dive into Okta Key Terms](https://xmcyber.com/blog/attack-techniques-in-okta/)
* [Eli Guy (XM Cyber): Attack Techniques in Okta - Part 2 - Okta RBAC Attacks](https://xmcyber.com/blog/okta-rbac-attacks/)
* [Eli Guy (XM Cyber): Attack Techniques in Okta - Part 3 - From Okta to AWS Environments](https://xmcyber.com/blog/okta-attack-techniques-part-3-from-okta-environments-to-aws/)
* [AppOmni: Okta PassBleed Risks - A Technical Overview](https://appomni.com/ao-labs/okta-passbleed-risks/)
* [Luke Jennings (PushSecurity): Abusing Okta's SWA authentication](https://pushsecurity.com/blog/okta-swa/)
* [David French (Elastic): Testing your Okta visibility and detection with Dorothy and Elastic Security](https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy)

## Research Tools

Here are some interesting GitHub repositories related to Okta security research:

* [Okta Post-Exploitation Toolkit](https://github.com/xpn/OktaPostExToolkit)
* [Okta Terrify](https://github.com/CCob/okta-terrify)
* [Dorothy](https://github.com/elastic/dorothy)
* [SaaS Attacks](https://github.com/pushsecurity/saas-attacks/)
* [Okta SCIM Attack Tool](https://github.com/authomize/okta_scim_attack_tool)

## Community

Please join us in the `#okta` channel of the [BloodHound Community Slack](https://slack.specterops.io/) workspace if you want to chat about attack paths in Okta. You are also welcome to open an issue or pull request on [GitHub](https://github.com/SpecterOps/openhound-okta).

## Related Pages

* [Getting started](/opengraph/extensions/okta/getting-started)
* [Schema reference](/opengraph/extensions/okta/schema)
* [Cypher queries](/opengraph/extensions/okta/queries)
* [Privilege Zone rules](/opengraph/extensions/okta/privilege-zone-rules)
* [OpenHound Okta collector overview](/openhound/collectors/okta/overview)
