Skip to content

feat: Okta group-to-role mapping and user auto-provisioning #6573

Description

@an0nym21

Summary

The current Okta integration authenticates users correctly but lacks two features required for production use:

  1. Group-to-role mapping — there is no way to map Okta group membership to Keep roles (admin, noc, webhook). All users fall back to the default role.
  2. User auto-provisioning — users are not created in Keep's local DB on first login, so they don't appear in the users list.

Proposed solution

Environment variables

Variable Description
OKTA_ADMIN_GROUPS Comma-separated Okta groups mapped to admin role
OKTA_NOC_GROUPS Comma-separated Okta groups mapped to noc role
OKTA_WEBHOOK_GROUPS Comma-separated Okta groups mapped to webhook role
OKTA_USERINFO_URL Override the userinfo endpoint URL (optional)

Behaviour

  • On each login, Keep calls Okta's /v1/userinfo endpoint to retrieve group memberships (group claims are not included in access tokens by default)
  • The highest-priority matching group determines the user's role (admin > noc > webhook)
  • Users are automatically created in Keep's DB on first login and their role/last-login are updated on subsequent logins
  • The OktaIdentityManager.get_users() method now reads from Keep's local DB instead of returning an empty list

Metadata

Metadata

Assignees

No one assigned

    Labels

    FeatureA new featureProviderProviders related issues

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions