> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure the Collector

> Configure the OpenHound Okta collector to gather data from your Okta organization.

export const source_0 = "Okta"

export const env_0 = "organization"

<Tip>Okta enforces API [rate limits](https://developer.okta.com/docs/reference/rl-global-mgmt/) by default. OpenHound is configured to retry each HTTP request up to 10 times with increasing delays.</Tip>

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

This page covers configuring the OpenHound Okta collector for your Okta organization.

## Prerequisites

* OpenHound installed with the Okta collector included. Follow the OpenHound [installation](/openhound/community) instructions to set up OpenHound for BloodHound Community Edition. The Okta collector is included by default in the OpenHound container image.
* An Okta account with permissions to access the Okta API. See the options below for recommended roles and permissions.

<Note>The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users, for now.</Note>

### OAuth 2.0 Service Application (Recommended)

Register the OpenHound Okta collector as a [service application](/openhound/collectors/okta/okta-app-registration) in Okta.

Grant the application limited read-only permissions, then configure authentication with either a symmetric client secret or an asymmetric RSA public/private key pair.

Use an RSA public/private key pair when possible, because it provides stronger security than a symmetric client secret.

### API Token (SSWS)

The OpenHound Okta collector can also authenticate using API tokens (also known as SSWS tokens) associated with specific Okta Super Administrator accounts.
This is the least secure option, but the easiest one to set up.

## Configure OpenHound

The following OpenHound configuration parameters are required to run the Okta collector. These can either be set
via the `[sources.source.okta.credentials]` section of the secrets file or via environment variables using the `SOURCES__OKTA__CREDENTIALS` prefix.

### Option 1: Service Application with JSON key file

| Parameter Name     | Environment Variable            | Description                                                                                      |
| ------------------ | ------------------------------- | ------------------------------------------------------------------------------------------------ |
| `base_url`         | \{PREFIX}\_\_BASE\_URL          | The base URL of the Okta organization. For example: `https://spectoropspreview.oktapreview.com`. |
| `client_id`        | \{PREFIX}\_\_CLIENT\_ID         | The client ID of the Okta service application used to authenticate to the Okta API.              |
| `private_key_path` | \{PREFIX}\_\_PRIVATE\_KEY\_PATH | The path to the private key (.json) used for authentication.                                     |

### Option 2: Service Application with base64-encoded JSON key string

| Parameter Name        | Environment Variable               | Description                                                                                      |
| --------------------- | ---------------------------------- | ------------------------------------------------------------------------------------------------ |
| `base_url`            | \{PREFIX}\_\_BASE\_URL             | The base URL of the Okta organization. For example: `https://spectoropspreview.oktapreview.com`. |
| `client_id`           | \{PREFIX}\_\_CLIENT\_ID            | The client ID of the Okta service application used to authenticate to the Okta API.              |
| `private_key_encoded` | \{PREFIX}\_\_PRIVATE\_KEY\_ENCODED | The private key (.json) encoded as a base64 string.                                              |

### Option 3: API Token (SSWS)

| Parameter Name | Environment Variable   | Description                                                                                      |
| -------------- | ---------------------- | ------------------------------------------------------------------------------------------------ |
| `base_url`     | \{PREFIX}\_\_BASE\_URL | The base URL of the Okta organization. For example: `https://spectoropspreview.oktapreview.com`. |
| `token`        | \{PREFIX}\_\_TOKEN     | The API token (SSWS) used for authentication.                                                    |

### Example Configuration

```toml title="secrets.toml" theme={null}
 [sources.source.okta.credentials]
base_url = "https://mytenant.oktapreview.com"
client_id = "myclientid"
private_key_path = "/path/to/private/key.json"
```

## Running OpenHound and Collecting Data

After you set the required configuration parameters, [run](/openhound/community#collect) OpenHound to start the {source_0} collector and collect data from your {source_0} {env_0}. The collector will generate JSON files in the output directory that can be uploaded to BloodHound for analysis.