How to create an Okta API token for ellie.ai
Target
This guide is intended for organizations with ellie.ai integrated to their Okta platform.
Outcome
This guide will let you assign users to ellie.ai roles by mapping them to Okta groups.
Explanation
The way ellie.ai has been integrated to the Okta authentication platform (OIN OIDC application) does not allow us to get the groups of an authenticated user.
This can be a problem if you want to take advantage of ellie.ai's role features (read, write, admin).
Ellie.ai needs access to your Okta API to read the list of groups a user is a member of.
In Okta, API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions also change. Okta documentation
It means you could simply create a new API token from your super admin account and you would be sure to give ellie.ai the necessary access. However, we do not recommend you to give super admin API tokens to any third party for security reasons.
Instead, this guide will show you how to create an API token with permissions limited to our minimal requirements.
To do so, we are going to create a new Okta user, upgrade it to an admin role, create a new API token from it and finally downgrade it to our minimal requirements with a custom admin role.
Okta does not let custom admin create an API token, that is the reason why we need to give our user a temporary standard admin role.
Prerequisite
You should have already created Okta groups for ellie.ai that will be mapped to ellie.ai roles. There should be at least three groups, one for each ellie.ai role: read, write and admin.
Here is our recommended Okta group management:
Steps
There are different ways to obtain the same result, here is one example:
Sign in onto your Okta admin dashboard with your Okta super admin account
Create a new user that we are going to refer as ellie.ai custom user for the rest of this guide
Go to Directory > People
Click on Add person
Fill the form at your convenience, here are some advices but nothing mandatory:
In Activation select “Activate now”
Check “I will set password” and fill the password input
Uncheck “User must change password on first login”
Click on Save
Grant ellie.ai custom user a standard admin role
Go to Security > Administrators
Click on Add administrators
In Admin select our newly created ellie.ai custom user
In Role select “Read-only Administrator” (or any other standard admin role as it is just temporary)
Click on Save Changes
Sign out from the Okta dashboard
Sign in again but this time with your ellie.ai custom user
Create a new API token
Go to Security > API
Go to Tokens tab
Click on Create token
Fill in a name (i.e. ellie-api-token)
Click on Create token
Save the token value (This token will be sent to ellie.ai by email)
Click on OK, got it
Sign out from the Okta dashboard
We are not done yet, it is important to finish all the steps. You now have an API token, but we are going to downgrade its privileges to the minimal requirements.Sign in with your Okta super admin account
Create a new custom admin role
Go to Security > Administrators
Go to Roles tab
Click on Create a new role
Fill in a name (i.e. view-users-and-groups-only)
Fill in a description (i.e. “Lets the admin view users and groups details”)
Check in User permissions: “View users and their details”
Check in Group permissions: “View groups and their details”
Click on Save role
Create a new resource set (More informations about resource sets below)
Go to Security > Administrators
Go to Resources tab
Click on Create a new resource set
Fill in a name (i.e. ellie-groups)
Fill in a description (i.e. “Constrains to ellie.ai groups only”)
Define the first resource
In Resource type select “Users”
In Group names select all groups assigned to your ellie.ai application (there should be only one group: “ellie”). This group selection will define the list of users ellie.ai can view (it should mirror the list of users assigned to the ellie.ai application).
Click on Add another resource type
Define the second resource
In Resource type select “Groups”
Check “Constrain to all groups” (Recommended, otherwise you will likely have to update this resource type every time you want to change your mapping between groups and ellie.ai roles)
Otherwise, in Group names select the groups ellie.ai can view (i.e. “ellie-read”, “ellie-write”, “ellie-admin” and “ellie”)
Click on Save resource set
Downgrade our ellie.ai custom account to our newly created custom admin role
Go to Security > Administrators
Go to Admins tab
Find the ellie.ai custom account in the list
Click on Edit assignments in the Edit dropdown
In Role replace “Read-only Administrator” with the newly created custom role (from step 9)
In Resource set select the newly created resource set (from step 10)
Make sure there is only one role left in the assignments list
Click on Save Changes
You now have an API token (from step 6) downgraded to the minimal permissions.
Resource sets
When defining a resource set, you can configure two different scopes: the users scope and the groups scope.
Ellie.ai will only use {{url}}/api/v1/users/{{userId}}/groups which correspond to an intersection of both scopes. However keep in mind that you are actually giving access to the union of both scopes (view only).
Examples
In purple: what the API token gives access to on the user scope (view only).
In blue: what the API token gives access to on the group scope (view only).
In violet: what ellie.ai is actually going to view (intersection of both scopes).
In rose: what the API token does not have access to on their respective scope.
On the tables the ✓symbol represents the membership of a user. A cell left empty means that the user is not member of the group.
Restrictive resource set
Here is a representation of the most restricted configuration.
Permissive ressource set
Here is a more permissive configuration.
It is recommended if you need to regularly update your mapping between groups and ellie.ai roles.