Remote Password Changing for Okta

When Remote Password Changing (RPC) is enabled, Secret Server automatically changes a remote account's password when it expires, either immediately or on a defined schedule. You can also configure password strength and other password attributes.

If you need information on configuring Okta for SAML or assigning a password changer to an Okta secret template go to: Configuring SAML Okta and Okta Secret Template for RPC.

Prerequisites

Before configuring the integration, ensure the following requirements are met:

  1. An Okta administrator account, required to create the API token used for both the heartbeat and RPC.

  2. An Okta user account whose credentials will be verified (heartbeat) or changed (RPC).

  3. The Okta Verify app, from the App Store or Google Play. See Configure Okta Verify for setup details.

  4. If using Okta password changers with a distributed engine, ensure the distributed engine version is 8.4.32.0 or newer.

  5. A valid Okta API key, for performing the password change.

Setup

Creating a Privileged Account

  1. In Okta, go to Security > Administrator Roles and select Add Administrator Role.

  2. The minimum role permission needed is Organization Administrator.

  3. Go to the user's profile.

  4. Select the Assignments tab.

  5. Select Assign and choose the appropriate administrator role from the list.

  6. Select Save to apply the administrator role to the user.

Creating a User Account

  1. Log into the Okta Administrator Dashboard using your administrator credentials.

  2. Navigate to Directory > People.

  3. Select Add Person and complete the following fields in the popup dialog:

    • First name

    • Last name

    • Primary e-mail

    • Username

  4. Select Save to create the new user account.

Generating an API Key

Heartbeat and RPC operations are performed through Okta API calls. The Okta Secret must therefore be linked to a separate API Key Secret that holds the API credentials used for authentication. To generate this API key:

  1. Log into Okta with an Admin account.

  2. Navigate to Security > API.

  3. In the Tokens tab, select the Create Token button. The Create token popup appears.

  4. Provide a name for the token, select Any IP from the dropdown, and click Create Token.

  5. A success message for the created token appears. Copy the generated API key (Token Value) to a secure location.

Configuring Okta RPC in Secret Server

Create a secret to hold the Okta API token

  1. Log into Secret Server.

  2. Navigate to Secret Server > All secrets.

  3. Select the Create secret button. The Create new secret popup appears.

  4. Search for and select the Generic API Key template.

  5. Create a Secret of type Generic API Key to hold the Okta token value.

  6. In the API key field, paste the Token Value (API Key) copied from the Okta interface.

  7. Select the Create secret button to save the secret. The newly created secret opens by default.

Create a secret to hold the Okta user account

This account will have its credentials verified or password changed:

  1. Log into Secret Server.

  2. Navigate to Secret Server > All secrets.

  3. Select the Create secret button. The Create new secret page opens.

  4. Search for and select the Okta Account template.

  5. Complete the following fields:

    1. Secret name: Provide a name for your secret.

    2. Host: Use your tenant URL (e.g. https://yourcompany.okta.com).

    3. Username: Enter the username of your Okta account.

    4. Password: Enter the password of your Okta account.

  6. In the Site field, select a site whose distributed engine has internet access.

  7. Select the Create secret button to save the secret. The newly created secret opens by default.

  8. Access the Remote password changing tab.

  9. Select Edit in the RPC / Autochange section.

  10. Under Change password using, select the option titled Privileged account credentials.

  11. A second Change password using field appears; click No secret selected.

  12. Search for and select the secret you created previously that holds your Okta API key.

  13. Click Save to implement your changes, and return to the Overview tab.

  14. Select the Heartbeat button in the top right corner to validate the credentials. If the credentials are valid, the status changes from Pending to Success.

    To check the heartbeat status immediately, go to Settings > Heartbeat Log.

All Okta accounts require an admin API key in the privileged account field under the Remote Password Changing tab to change or verify passwords. If no admin API key is assigned, a warning notification appears.

To maintain security, rotate the API key regularly. Okta recommends rotating the API keys at least every 90 days or as per your organization's security policies.
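The page states that the heartbeat and the password change are performed through Okta API calls with an administrator API key, and that the key should be rotated at least every 90 days. The following Python module is an added example, not Secret Server's or Okta's own code, that models those two operations against Okta's public API endpoints (`/api/v1/authn` for primary authentication and `/api/v1/users/{id}/credentials/change_password` for the change, authenticated with the `SSWS` token scheme); that Secret Server uses exactly these calls is an assumption. The HTTP transport is injected, and the `FakeOkta` tenant, the user `svc-okta@example.com`, and the token value `constructed-admin-token` are constructed so the example runs offline.

```python
"""Model of an Okta heartbeat (credential check) and remote password change
using an admin API token, plus the 90-day rotation check.  Added example;
endpoint choice is an assumption about how Secret Server talks to Okta."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Tuple
from urllib.parse import urlparse


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: dict


# A transport takes a Request and returns (HTTP status, decoded JSON body).
Transport = Callable[[Request], Tuple[int, dict]]
JSON_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def normalize_tenant_url(host: str) -> str:
    """Validate the Host field (e.g. https://yourcompany.okta.com): it must be
    a bare https origin, with no path, so that API paths append cleanly."""
    parsed = urlparse(host.strip())
    if parsed.scheme != "https" or not parsed.netloc or parsed.path not in ("", "/"):
        raise ValueError(f"Host must be an https tenant origin, got {host!r}")
    return f"https://{parsed.netloc}"


def heartbeat(host: str, username: str, password: str, send: Transport) -> bool:
    """Heartbeat: primary authentication of the stored user credentials.
    SUCCESS or MFA_REQUIRED both prove the password is correct; the latter
    appears when the user is enrolled in Okta Verify and policy enforces MFA."""
    req = Request("POST", normalize_tenant_url(host) + "/api/v1/authn",
                  dict(JSON_HEADERS), {"username": username, "password": password})
    status, body = send(req)
    return status == 200 and body.get("status") in ("SUCCESS", "MFA_REQUIRED")


def change_password(host: str, api_token: str, user_id: str,
                    old_password: str, new_password: str, send: Transport) -> bool:
    """RPC: change the user's password using the privileged API token.
    Okta's change_password endpoint requires the current password as well."""
    url = f"{normalize_tenant_url(host)}/api/v1/users/{user_id}/credentials/change_password"
    headers = dict(JSON_HEADERS, Authorization=f"SSWS {api_token}")
    body = {"oldPassword": {"value": old_password}, "newPassword": {"value": new_password}}
    status, _ = send(Request("POST", url, headers, body))
    return status == 200


def api_key_due_for_rotation(created_at: datetime, now: datetime, max_age_days: int = 90) -> bool:
    """Rotation guidance from the page: an API key older than 90 days is due."""
    return now - created_at >= timedelta(days=max_age_days)


class FakeOkta:
    """Constructed offline stand-in for a tenant with one user and one admin token."""

    def __init__(self):
        self.password = "correct horse"  # constructed current password
        self.admin_token = "constructed-admin-token"

    def __call__(self, req: Request) -> Tuple[int, dict]:
        if req.url.endswith("/api/v1/authn"):
            if req.body == {"username": "svc-okta@example.com", "password": self.password}:
                return 200, {"status": "SUCCESS"}
            return 401, {"errorSummary": "Authentication failed"}
        if req.url.endswith("/credentials/change_password"):
            if req.headers.get("Authorization") != f"SSWS {self.admin_token}":
                return 401, {"errorSummary": "Invalid token provided"}
            if req.body["oldPassword"]["value"] != self.password:
                return 403, {"errorSummary": "Old password is not correct"}
            self.password = req.body["newPassword"]["value"]
            return 200, {"password": {}}
        return 404, {}


if __name__ == "__main__":
    okta = FakeOkta()
    host = "https://yourcompany.okta.com"
    print("heartbeat before:", heartbeat(host, "svc-okta@example.com", "correct horse", okta))
    print("rpc:", change_password(host, okta.admin_token, "00u-constructed",
                                   "correct horse", "new pass phrase", okta))
    print("heartbeat after:", heartbeat(host, "svc-okta@example.com", "new pass phrase", okta))
```

The heartbeat needs only the user's own credentials, which is why it can run before any privileged account is linked; the change call fails with a 401 unless the linked Generic API Key secret holds a valid admin token, which is the condition behind the warning described above.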

Verification

To monitor heartbeat status, go to Settings > Heartbeat Log. To change the password immediately, select Change password now.