Once you set up your compliance program, Kintent TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, Kintent runs automated tests against systems in your product and business stack, and verifies that they are properly configured.
This document outlines the steps you can take to grant Kintent access to only read metadata about the configuration settings for your Okta account and Okta Users, Groups, Policies, and Roles, so that TrustOps can validate and generate evidence for your compliance program.
1. Navigate to the JSON Web Key Generator to generate a JSON Web Key Set (JWKS) public/private key pair for TrustOps. Make sure the RSA tab is selected (this is the default) and set the following values:
Key Size: 2048
Key Use: Signature
Algorithm: RS256
This step does not provide Kintent the ability to read any authentication information, usage information, or to write or change any data.
2. Click Generate.
3. The JSON Web Key Generator tool extracts the public key from the key pair automatically. Copy the contents of the left and center sections (Public and Private Keypair, and Public and Private Keypair set) by clicking the Copy to Clipboard button under the respective sections. Paste each into a text file to use later.
4. From the Public and Private Keypair set (from the middle section), remove any extraneous keys from the keys array. Only the public key component is needed. The following keys must be kept if they are present:
kty
e
use
kid
alg (if present)
n
All other keys (the private key members) can be discarded.
The resulting JWKS file should look something like this:
{
  "keys": [{
    "kty": "RSA",
    "e": "AQAB",
    "use": "sig",
    "kid": "my_key_id",
    "alg": "RS256",
    "n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"
  }]
}
5. Navigate to your Okta admin console. From the console, navigate to Security → API and then select the Tokens tab.
6. Click Create Token. Give your token a name and click Create Token again.
7. Copy the resulting token for later use.
8. Create an OAuth service app and register the public key with the app. Okta service apps are created by sending a POST request to the dynamic client registration endpoint at https://${yourOktaDomain}/oauth2/v1/clients, with a request body containing the information specified below.
client_name: Kintent Trust Cloud
grant_types: client_credentials
token_endpoint_auth_method: private_key_jwt
application_type: service
jwks: The contents of the JWKS file that you created in step 3.
Authenticate the request with an Authorization header of SSWS {api_token}, where {api_token} is the token copied in step 7. For example:
curl -X POST \
  -H 'Accept: application/json' \
  -H "Authorization: SSWS ${api_token}" \
  -H 'Content-Type: application/json' \
  -d '{
    "client_name": "Kintent Trust Cloud",
    "response_types": ["token"],
    "grant_types": ["client_credentials"],
    "token_endpoint_auth_method": "private_key_jwt",
    "application_type": "service",
    "jwks": {
      "keys": [{
        "kty": "RSA",
        "e": "AQAB",
        "use": "sig",
        "kid": "O4O",
        "alg": "RS256",
        "n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOUbU7l3MJdmCailwSzjO76O-2GdLE-Hn2kx04jWCCPofnQ8xNmFScNo8UQ1dKVq0UkFK-sl-Z0Uu19GiZa2fxSWwg_1g2t-ZpNtKCI279xGBi_hTnupqciUonWe6CIvTv0FfX0LiMqQqjARxPS-6fdBZq8WN9qLGDwpjHK81CoYuzASOezVFYDDyXYzV0X3X_kFVt2sqL5DVN684bEbTsWl91vV-bGmswrlQ0UVUq6t78VdgMrj0RZBD-lFNJcY7CwyugpgLbnm4HEJmCOWJOdjVLj3hFxVVblNJQQ1Z15UXw"
      }]
    }
  }' "https://${yourOktaDomain}/oauth2/v1/clients"
9. Make note of the client_id that is returned in the response.
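The JWKS trimming in step 4 and the registration request in step 8, combined into one script as an added example; this is not Kintent's or Okta's code. The key set FULL_JWKS is a constructed stand-in for the generator output (a short fake modulus and fake private members, not a real key), and the OKTA_DOMAIN and OKTA_API_TOKEN environment variable names are assumptions of this example:

```python
"""Prepare the Okta dynamic client registration request for TrustOps.

Added example, not Kintent's or Okta's code. Assumptions:
  - FULL_JWKS stands in for the "Public and Private Keypair set" copied
    from the JSON Web Key Generator (step 3); it is a constructed sample
    with a short fake modulus, not a usable key.
  - The Okta API token (step 7) and domain are supplied through the
    environment variables OKTA_API_TOKEN and OKTA_DOMAIN when sending.
"""
import json
import os
import urllib.request

# JWK members that describe only the public half of an RSA key (step 4 keep-list).
PUBLIC_MEMBERS = ("kty", "e", "use", "kid", "alg", "n")
# RSA private-key members (RFC 7518, section 6.3.2) that must never be sent to Okta.
PRIVATE_MEMBERS = ("d", "p", "q", "dp", "dq", "qi", "oth")

# Constructed sample shaped like the generator output; values are fake.
FULL_JWKS = {
    "keys": [{
        "p": "fake-prime-1", "q": "fake-prime-2", "d": "fake-private-exponent",
        "dp": "fake-dp", "dq": "fake-dq", "qi": "fake-qi",
        "kty": "RSA", "e": "AQAB", "use": "sig", "kid": "my_key_id",
        "alg": "RS256", "n": "u0VYW2-76A_lYg5NQihhcPJYYU9-NHbNaO6LFERWnOU",
    }]
}


def public_jwks(jwks):
    """Return a copy of the key set containing only the public members (step 4)."""
    keys = []
    for key in jwks["keys"]:
        if key.get("kty") != "RSA":
            raise ValueError(f"expected an RSA key, got {key.get('kty')!r}")
        public = {m: key[m] for m in PUBLIC_MEMBERS if m in key}
        for required in ("kty", "e", "n"):
            if required not in public:
                raise ValueError(f"key is missing required member {required!r}")
        keys.append(public)
    return {"keys": keys}


def assert_no_private_material(jwks):
    """Fail if any private RSA member is still present: a last check before sending."""
    for key in jwks["keys"]:
        leaked = [m for m in PRIVATE_MEMBERS if m in key]
        if leaked:
            raise ValueError(f"private key members present: {leaked}")
    return True


def registration_body(jwks, client_name="Kintent Trust Cloud"):
    """Assemble the service-app registration body with the settings from step 8."""
    assert_no_private_material(jwks)
    return {
        "client_name": client_name,
        "response_types": ["token"],
        "grant_types": ["client_credentials"],
        "token_endpoint_auth_method": "private_key_jwt",
        "application_type": "service",
        "jwks": jwks,
    }


def register_service_app(domain, api_token, body):
    """POST the body to /oauth2/v1/clients with the SSWS API token; return client_id."""
    req = urllib.request.Request(
        f"https://{domain}/oauth2/v1/clients",
        data=json.dumps(body).encode(),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": f"SSWS {api_token}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["client_id"]


if __name__ == "__main__":
    body = registration_body(public_jwks(FULL_JWKS))
    print(json.dumps(body, indent=2))
    # Send only when the domain and the API token from step 7 are provided.
    if os.environ.get("OKTA_DOMAIN") and os.environ.get("OKTA_API_TOKEN"):
        print("client_id:", register_service_app(
            os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"], body))
```

The script strips the private members and refuses to assemble the body if any of them remain, so the private half of the key pair never reaches Okta; it stays with the keypair you enter into TrustOps in the final step. Run it without the environment variables to print the request body for review, or with them to send the request and print the returned client_id.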
10. In the Okta admin console, navigate to Applications → Applications.
11. Use the client ID you noted in step 9 to find the application you created in step 8.
12. Click its name, and then click the Okta API Scopes tab.
13. Click Grant next to the following scopes:
These scopes allow Kintent to audit your Okta user, group, role, and policy settings in order to determine adherence to specified controls. It only allows Kintent to read metadata — information about your users and their settings. It does not provide Kintent the ability to read any authentication information, usage information, or to write or change any data.
You will need to input your Okta domain URL, the client_id obtained in step 9, and the public and private keypair obtained from the leftmost section in step 3 into TrustOps. No password or other credentials are required. Access for the delegated account is limited to the scopes granted above.