OKTA to Extract User or Custodian Data
xAssets includes a built-in integration to import user records from OKTA into the xAssets Custodian table. This keeps your xAssets user directory in sync with OKTA, so that new employees, role changes, and departures are reflected automatically.
This integration is separate from OKTA SSO (see SSO with OKTA). SSO controls how users authenticate; this integration synchronises the user directory.
Prerequisites
- An OKTA administrator account with permission to create API tokens
- Access to xAssets with permission to create credential packs (typically Discover > Prepare > Credentials)
- The xAssets Batch Service must be running (the integration runs as a batch job)
Setup
Step 1: Create an API Token in OKTA
- Log in to the OKTA admin console
- Navigate to Security > API > Tokens
- Click Create Token and give it a descriptive name (e.g., "xAssets Integration")
- Copy the token value immediately -- OKTA only shows it once
Step 2: Create a Credential Pack in xAssets
- Navigate to Discover > Prepare > Credentials
- Click Create Credentials
- Configure the credential pack as follows:
| Field | Value |
|---|---|
| Credential Type | Named Credentials |
| Collection Server | Application Server |
| Pack Name | OKTA_API |
| Domain | Your OKTA instance domain (e.g., dev-nnnnnnn.okta.com) |
| Username | Any text (this field is not used by the OKTA integration but must not be blank) |
| Password | Your OKTA API token from Step 1 |
- Save the credential pack
Step 3: Run the Integration
- Navigate to Discover > Active Directory > Get Users from OKTA
- Select the OKTA_API credential pack
- The transformation runs as a batch job. Progress is reported in the info line on the main screen.
- When complete, the Custodian table will contain all OKTA users from your instance.
What the Integration Imports
The integration pulls user profile data from OKTA and maps it to the xAssets Custodian table. This typically includes names, email addresses, department, and job title, depending on what fields are populated in your OKTA user profiles.
Customisation
The integration can be customised to import only users from specific OKTA groups. To do this, edit the transformation behind the menu item (accessible via Admin > Transformations). The transformation uses an AMSX script that queries the OKTA Users API -- you can modify the API query to filter by group membership.
Tip: Schedule this integration to run daily or weekly via the transformation's Schedule tab, so that your xAssets Custodian table stays in sync with OKTA automatically. See Batch Jobs Overview for scheduling details.
Related Articles
- SSO with OKTA — configuring OKTA for single sign-on (authentication)
- Transformations Overview — understanding transformations