Okta enforces API rate limits by default. OpenHound is configured to retry each HTTP request up to 10 times with increasing delays.
Applies to BloodHound Enterprise and CE

This page covers configuring the Okta collector for your Okta organization.

Prerequisites

  • OpenHound installed with the Okta collector included. Follow the OpenHound installation instructions to set up OpenHound for BloodHound Community Edition. The Okta collector is included by default in the OpenHound container image.
  • An Okta account with permissions to access the Okta API. See the options below for recommended roles and permissions.
Register the Okta collector as a service application in Okta. Grant the application limited read-only permissions, then configure authentication with either a symmetric client secret or an asymmetric RSA public/private key pair. Use an RSA public/private key pair when possible, because it provides stronger security than a symmetric client secret.

API Token (SSWS)

The Okta collector can also authenticate using API tokens (also known as SSWS tokens) associated with specific Okta Super Administrator accounts. This is the least secure option, but the easiest one to set up.

Configure OpenHound

The following OpenHound configuration parameters are required to run the Okta collector. These can either be set via the [sources.source.okta.credentials] section of the secrets file or via environment variables using the SOURCES__OKTA__CREDENTIALS prefix.

Option 1: Service Application with JSON key file

| Parameter Name | Environment Variable | Description |
| --- | --- | --- |
| base_url | {PREFIX}__BASE_URL | The base URL of the Okta organization. For example: https://spectoropspreview.oktapreview.com. |
| client_id | {PREFIX}__CLIENT_ID | The client ID of the Okta service application used to authenticate to the Okta API. |
| private_key_path | {PREFIX}__PRIVATE_KEY_PATH | The path to the private key (.json) used for authentication. |

Option 2: Service Application with base64-encoded JSON key string

| Parameter Name | Environment Variable | Description |
| --- | --- | --- |
| base_url | {PREFIX}__BASE_URL | The base URL of the Okta organization. For example: https://spectoropspreview.oktapreview.com. |
| client_id | {PREFIX}__CLIENT_ID | The client ID of the Okta service application used to authenticate to the Okta API. |
| private_key_encoded | {PREFIX}__PRIVATE_KEY_ENCODED | The private key (.json) encoded as a base64 string. |

Option 3: API Token (SSWS)

| Parameter Name | Environment Variable | Description |
| --- | --- | --- |
| base_url | {PREFIX}__BASE_URL | The base URL of the Okta organization. For example: https://spectoropspreview.oktapreview.com. |
| token | {PREFIX}__TOKEN | The API token (SSWS) used for authentication. |

Example Configuration

secrets.toml
[sources.source.okta.credentials]
base_url = "https://mytenant.oktapreview.com"
client_id = "myclientid"
private_key_path = "/path/to/private/key.json"
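
A pre-flight check for the three credential options above, as an added example that is not part of OpenHound: it reads the SOURCES__OKTA__CREDENTIALS__* environment variables and reports misconfigurations before the collector runs. The function names, the individual checks, and the assumption that the .json key is an RSA private key in JWK form are illustrative choices made for this example.

```python
import base64, json, os, stat

PREFIX = "SOURCES__OKTA__CREDENTIALS"  # environment prefix named on this page
KEY_OPTS = ("PRIVATE_KEY_PATH", "PRIVATE_KEY_ENCODED", "TOKEN")

def _check_jwk(raw, problems):
    # Assumption: the ".json" key is an RSA private key in JWK form (RFC 7517).
    try:
        jwk = json.loads(raw)
    except ValueError:
        problems.append("private key is not valid JSON")
        return
    if not isinstance(jwk, dict) or jwk.get("kty") != "RSA" or "d" not in jwk:
        problems.append("private key JSON is not an RSA private JWK")

def check_okta_credentials(env):
    """Return (auth_option, problems) for the collector settings in env."""
    def get(name):
        return env.get(f"{PREFIX}__{name}", "").strip()
    problems = []
    if not get("BASE_URL").startswith("https://"):
        problems.append("base_url missing or not https")
    # The three options are alternatives: exactly one credential may be set.
    chosen = [o for o in KEY_OPTS if get(o)]
    if len(chosen) != 1:
        problems.append(f"set exactly one of {', '.join(KEY_OPTS)}; found {len(chosen)}")
        return None, problems
    option = chosen[0]
    if option != "TOKEN" and not get("CLIENT_ID"):
        problems.append("client_id is required for service application auth")
    if option == "PRIVATE_KEY_ENCODED":
        try:
            _check_jwk(base64.b64decode(get(option), validate=True), problems)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("private_key_encoded is not valid base64")
    elif option == "PRIVATE_KEY_PATH":
        path = get(option)
        if not os.path.isfile(path):
            problems.append("private_key_path does not point to a file")
        else:
            # The key file should be accessible to its owner only (e.g. 0600).
            if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                problems.append("private key file is accessible by group/others")
            with open(path, "rb") as fh:
                _check_jwk(fh.read(), problems)
    return option.lower(), problems

if __name__ == "__main__":
    print(check_okta_credentials(dict(os.environ)))
```
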

Running OpenHound and Collecting Data

After you set the required configuration parameters, run OpenHound to start the collector and collect data from your Okta organization. The collector generates JSON files in the output directory that can be uploaded to BloodHound for analysis.