Summary
The current Okta integration authenticates users correctly but lacks two features required for production use:
- Group-to-role mapping — there is no way to map Okta group membership to Keep roles (admin, noc, webhook). All users fall back to the default role.
- User auto-provisioning — users are not created in Keep's local DB on first login, so they don't appear in the users list.
Proposed solution
Environment variables
| Variable |
Description |
OKTA_ADMIN_GROUPS |
Comma-separated Okta groups mapped to admin role |
OKTA_NOC_GROUPS |
Comma-separated Okta groups mapped to noc role |
OKTA_WEBHOOK_GROUPS |
Comma-separated Okta groups mapped to webhook role |
OKTA_USERINFO_URL |
Override the userinfo endpoint URL (optional) |
Behaviour
- On each login, Keep calls Okta's
/v1/userinfo endpoint to retrieve group memberships (group claims are not included in access tokens by default)
- The highest-priority matching group determines the user's role (
admin > noc > webhook)
- Users are automatically created in Keep's DB on first login and their role/last-login are updated on subsequent logins
- The
OktaIdentityManager.get_users() method now reads from Keep's local DB instead of returning an empty list
Summary
The current Okta integration authenticates users correctly but lacks two features required for production use:
Proposed solution
Environment variables
OKTA_ADMIN_GROUPSadminroleOKTA_NOC_GROUPSnocroleOKTA_WEBHOOK_GROUPSwebhookroleOKTA_USERINFO_URLBehaviour
/v1/userinfoendpoint to retrieve group memberships (group claims are not included in access tokens by default)admin>noc>webhook)OktaIdentityManager.get_users()method now reads from Keep's local DB instead of returning an empty list