    Okta

    Last updated 14 hours ago

    Introduction

    Unthread’s Okta integration lets teams automate access management from Unthread workflows. Once connected, Unthread can grant and revoke Okta group access, assign and remove Okta application access, and reset a user’s Okta MFA factors.

    Okta is also supported separately for Single Sign-On (SSO) and directory sync. Those features use different setup paths, so this article covers each Okta-related area and when to use it.

    Feature overview

    With the native Okta integration, you can:

    • Grant a user access to an Okta group
    • Revoke a user’s access from an Okta group
    • Assign a user to an Okta application
    • Remove a user from an Okta application
    • Reset a user’s Okta MFA factors
    • Grant temporary access that automatically expires after a configured duration

    Unthread makes real-time API calls to Okta when these automation actions run. It does not continuously sync Okta groups or applications in the background.

    Connecting Okta

    To connect Okta, open your Unthread dashboard and go to the Integrations page.

    You’ll need:

    • Okta Domain: your Okta organization domain, such as your-org.okta.com
    • API Token: an Okta SSWS API token with access to users, groups, and applications

    When you save the integration, Unthread validates the token by checking that it can access Okta users, groups, and applications. The API token is stored encrypted.
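
    The following is an added example, not Unthread's own code: a pre-flight check to run before saving the integration, showing whether a token can read all three resource types. It assumes Okta's read-only list endpoints for users, groups and apps as the probe (the page does not document which calls Unthread makes), and the function names are illustrative.

```python
import urllib.error
import urllib.request

# Read-only Okta list endpoints, one per resource type the token must reach.
# Assumption: these are used as probes; Unthread's own validation calls are not documented here.
ENDPOINTS = {
    "users": "/api/v1/users?limit=1",
    "groups": "/api/v1/groups?limit=1",
    "applications": "/api/v1/apps?limit=1",
}


def http_status(url, token):
    """Send a GET with Okta's SSWS auth scheme and return the HTTP status code."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 = invalid or expired token, 403 = token lacks permission


def check_token(domain, token, get_status=http_status):
    """Return {resource: HTTP status} for each resource type; the token is never printed."""
    domain = domain.strip().lower()
    # Accept only a bare hostname so the token is always sent over https to the host root.
    if not domain or any(c in domain for c in "/:@?# "):
        raise ValueError("expected a bare Okta domain such as your-org.okta.com")
    return {name: get_status(f"https://{domain}{path}", token)
            for name, path in ENDPOINTS.items()}


def missing_access(results):
    """List the resource types the token could not read (any non-200 status)."""
    return sorted(name for name, status in results.items() if status != 200)


if __name__ == "__main__":
    import getpass
    import sys
    # The token is read from a prompt so it does not land in shell history.
    results = check_token(sys.argv[1], getpass.getpass("Okta API token: "))
    for name, status in results.items():
        print(f"{name:13} HTTP {status}")
    sys.exit(1 if missing_access(results) else 0)
```

    Run it with the Okta domain as the only argument; a non-zero exit means at least one resource type was unreadable, which corresponds to the permissions error described under Troubleshooting.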

    Using Okta in automations

    After Okta is connected, Okta actions become available in Unthread Automations.

    Available actions:

    • Grant Okta Group Access
      Adds a selected user to an Okta group.

    • Revoke Okta Group Access
      Removes a selected user from an Okta group.

    • Assign Okta Application Access
      Assigns a selected user to an Okta application.

    • Revoke Okta Application Access
      Removes a selected user from an Okta application.

    • Reset Okta MFA
      Resets the selected user’s MFA factors in Okta.

    For group and application actions, Unthread shows available Okta groups and applications in the automation builder so you can select them by name instead of manually entering IDs.

    Temporary access

    The grant group and assign application actions can be configured with an expiration time.

    For example, you can grant access for:

    • 3 days
    • 1 week
    • 2 weeks
    • 1 month
    • 3 months
    • A custom duration

    When the expiration time is reached, Unthread automatically queues a follow-up action to revoke the same Okta access.

    How users are matched

    Unthread matches users to Okta by email address. The selected Unthread user must have an email address that matches the user’s Okta profile email.

    The Okta integration does not create new Okta users. The user must already exist in Okta.

    Okta SSO

    Okta can also be used for Single Sign-On, which lets internal users log in to Unthread through Okta.

    SSO is separate from the native Okta automation integration. Use SSO when you want Okta to control Unthread login access. Use the Okta integration when you want automations to manage Okta groups, applications, or MFA.

    Unthread supports:

    • OIDC, recommended
    • SAML 2.0, supported for legacy requirements

    Okta directory sync

    Okta can also be connected through Unthread’s HRIS / Directory Sync functionality. Directory sync is used to keep employee profile data, manager relationships, departments, locations, and group membership information up to date in Unthread.

    Directory sync is separate from the Okta automation integration. Directory sync brings user information into Unthread; the native Okta integration performs actions back in Okta.

    Troubleshooting

    If Okta actions do not appear in Automations, confirm that the Okta integration is connected and enabled.

    If setup fails with a permissions error, confirm that the Okta API token can access users, groups, and applications.

    If an automation cannot find a user, confirm that the selected Unthread user has an email address and that the same email exists in Okta.

    If a group or application is missing from the selector, confirm that the Okta API token has permission to read that group or application.

    If a revoke action runs for access that was already removed, Unthread treats that as a successful no-op.
