
Comprehensive Okta Cheatsheet

Installation

Okta CLI Installation

Platform Command
macOS (Homebrew) INLINE_CODE_10 or INLINE_CODE_11
Linux (Ubuntu/Debian) INLINE_CODE_12
Windows (Chocolatey) INLINE_CODE_13
Windows (Direct) INLINE_CODE_14
Verify Installation INLINE_CODE_15

SDK installation

Language Command
Node.js INLINE_CODE_16
Python INLINE_CODE_17
Java (Maven) Add dependency: INLINE_CODE_18
Go INLINE_CODE_19
.NET INLINE_CODE_20

On-Premises Agent installation

Component Command
AD Agent (Windows) INLINE_CODE_21
Verify AD Service INLINE_CODE_22
LDAP Agent (Linux) INLINE_CODE_23

Basic Commands

CLI Setup and Authentication

Command Description
INLINE_CODE_24 Configure Okta CLI with your organization credentials
INLINE_CODE_25 Set default organization URL
INLINE_CODE_26 Display current session information
INLINE_CODE_27 Logout from current session

User Management

Command Description
INLINE_CODE_28 List all users in the organization
INLINE_CODE_29 Get details for a specific user
INLINE_CODE_30 Create a new user
INLINE_CODE_31 Update user profile information
INLINE_CODE_32 Deactivate a user account
INLINE_CODE_33 Permanently delete a user

Application Management

Command Description
INLINE_CODE_34 List all applications in the organization
INLINE_CODE_35 Get details for a specific application
INLINE_CODE_36 Create a new application (interactive)
INLINE_CODE_37 Assign user to an application

Group Management

Command Description
INLINE_CODE_38 List all groups in the organization
INLINE_CODE_39 Create a new group
INLINE_CODE_40 Add user to a group
INLINE_CODE_41 Remove user from a group

Advanced Usage

API Authentication

Command Description
INLINE_CODE_42 Get OAuth 2.0 access token using client credentials
INLINE_CODE_43 Exchange authorization code for access token
INLINE_CODE_44 Refresh an expired access token

Advanced User Operations

Command Description
INLINE_CODE_45 Search users by status filter
INLINE_CODE_46 Search users by profile attribute
INLINE_CODE_47 Complex user search with multiple conditions
INLINE_CODE_48 Suspend a user account
INLINE_CODE_49 Unsuspend a user account
INLINE_CODE_50 Unlock a locked user account
INLINE_CODE_51 Force password expiration for user
INLINE_CODE_52 Reset user password and send email

User Creation and Updates

Command Description
INLINE_CODE_53 Create new user with password
INLINE_CODE_54 Update user profile attributes
INLINE_CODE_55 Bulk import users from JSON file

Group and Application Operations

Command Description
INLINE_CODE_56 List all groups via API
INLINE_CODE_57 Assign user to group via API
INLINE_CODE_58 List all applications via API
INLINE_CODE_59 Assign application to user
INLINE_CODE_60 List active sessions for user

Configuration

API Token Configuration

Store your Okta API token securely in environment variables rather than in scripts:

# Linux/macOS
export OKTA_API_TOKEN="your_api_token_here"
export OKTA_DOMAIN="https://dev-123456.okta.com"

# Windows PowerShell
$env:OKTA_API_TOKEN="your_api_token_here"
$env:OKTA_DOMAIN="https://dev-123456.okta.com"

Okta CLI Configuration File

Location: ~/.okta/okta.yaml

okta:
  client:
    orgUrl: "https://dev-123456.okta.com"
    token: "your_api_token_here"
    connectionTimeout: 30
    requestTimeout: 0
    rateLimit:
      maxRetries: 4

OAuth 2.0 Application Configuration

{
  "client_id": "0oa2abc3def4GHI5j6k7",
  "client_secret": "your_client_secret",
  "redirect_uris": [
    "https://yourapp.com/callback"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code"
  ],
  "token_endpoint_auth_method": "client_secret_post"
}

LDAP Agent Configuration

Location: /opt/OktaLDAPAgent/conf/OktaLDAPAgent.conf

# Okta Organization Settings
okta.domain=dev-123456.okta.com
okta.apiToken=your_api_token

# LDAP Server Settings
ldap.host=ldap.example.com
ldap.port=389
ldap.baseDN=dc=example,dc=com
ldap.bindDN=cn=admin,dc=example,dc=com
ldap.bindPassword=encrypted_password

# Agent Settings
agent.pollInterval=60
agent.logLevel=INFO

Active Directory Agent Configuration

Location: C:\Program Files\Okta\Okta AD Agent\OktaADAgent.exe.config

<configuration>
  <appSettings>
    <add key="OktaDomain" value="dev-123456.okta.com" />
    <add key="ApiToken" value="your_api_token" />
    <add key="ADDomain" value="corp.example.com" />
    <add key="SyncInterval" value="300" />
    <add key="LogLevel" value="Information" />
  </appSettings>
</configuration>

Common Use Cases

Use Case 1: Onboard New Employee

# Step 1: Create user account
curl -X POST "https://{yourOktaDomain}/api/v1/users?activate=false" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "profile": {
      "firstName": "Alice",
      "lastName": "Johnson",
      "email": "alice.johnson@example.com",
      "login": "alice.johnson@example.com",
      "department": "Engineering",
      "title": "Software Engineer"
    }
  }'

# Step 2: Add to relevant groups
curl -X PUT "https://{yourOktaDomain}/api/v1/groups/{engineeringGroupId}/users/{userId}" \
  -H "Authorization: SSWS {apiToken}"

# Step 3: Assign applications
curl -X POST "https://{yourOktaDomain}/api/v1/apps/{slackAppId}/users" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{"id":"{userId}","scope":"USER"}'

# Step 4: Activate user and send welcome email
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/activate?sendEmail=true" \
  -H "Authorization: SSWS {apiToken}"

Use Case 2: Offboard Employee

# Step 1: Suspend user account immediately
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/suspend" \
  -H "Authorization: SSWS {apiToken}"

# Step 2: List user's active sessions
curl -X GET "https://{yourOktaDomain}/api/v1/users/{userId}/sessions" \
  -H "Authorization: SSWS {apiToken}"

# Step 3: Clear all sessions
curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}/sessions" \
  -H "Authorization: SSWS {apiToken}"

# Step 4: After retention period, deactivate
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/deactivate" \
  -H "Authorization: SSWS {apiToken}"

# Step 5: Finally delete user
curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}" \
  -H "Authorization: SSWS {apiToken}"

Use Case 3: Bulk User Import from CSV

# Step 1: Convert CSV to JSON (csv_to_json.jq is your own jq program)
jq -R -s -f csv_to_json.jq users.csv > users.json

# Step 2: Import users in batch
# Read one JSON object per line; a for-loop over $(...) would split each
# object on the spaces inside it and send broken request bodies.
while read -r user; do
  curl -X POST "https://{yourOktaDomain}/api/v1/users?activate=true" \
    -H "Authorization: SSWS {apiToken}" \
    -H "Content-Type: application/json" \
    -d "$user"
  sleep 1  # Rate limiting
done < <(jq -c '.[]' users.json)

Use Case 4: Implement MFA for High-Risk Users

# Step 1: Search for admin users
# -G with --data-urlencode sends the search expression as a properly encoded query string
curl -G "https://{yourOktaDomain}/api/v1/users" \
  --data-urlencode 'search=profile.role eq "Admin"' \
  -H "Authorization: SSWS {apiToken}" > admin_users.json

# Step 2: Enroll users in MFA factor
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/factors" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "factorType": "token:software:totp",
    "provider": "OKTA"
  }'

# Step 3: Create policy requiring MFA for admins
curl -X POST "https://{yourOktaDomain}/api/v1/policies" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "MFA_ENROLL",
    "name": "Admin MFA Policy",
    "status": "ACTIVE",
    "conditions": {
      "people": {
        "groups": {
          "include": ["{adminGroupId}"]
        }
      }
    }
  }'

Use Case 5: Generate Access Report

# Step 1: Get all active users (filter and limit are URL-encoded by curl)
curl -G "https://{yourOktaDomain}/api/v1/users" \
  --data-urlencode 'filter=status eq "ACTIVE"' \
  --data-urlencode 'limit=200' \
  -H "Authorization: SSWS {apiToken}" > active_users.json

# Step 2: For each user, get assigned applications
while read -r userId; do
  curl -G "https://{yourOktaDomain}/api/v1/apps" \
    --data-urlencode "filter=user.id eq \"${userId}\"" \
    -H "Authorization: SSWS {apiToken}" >> user_apps_report.json
done < <(jq -r '.[].id' active_users.json)

# Step 3: Get last login information
curl -G "https://{yourOktaDomain}/api/v1/logs" \
  --data-urlencode 'filter=eventType eq "user.session.start"' \
  --data-urlencode 'limit=1000' \
  -H "Authorization: SSWS {apiToken}" > login_report.json

# Step 4: Combine and format report
jq -s '.[0] + .[1]' active_users.json login_report.json > complete_access_report.json

Best Practices

  • Use API tokens securely: Store API tokens in environment variables or secure vaults; never hard-code them in scripts or commit them to version control
  • Implement rate limiting: Okta enforces rate limits (which vary per endpoint). Implement exponential backoff and honor the X-Rate-Limit-* headers to avoid throttling
  • Enable MFA for all users: Require multi-factor authentication for all users, especially administrators and privileged accounts, to improve security posture
  • Use groups for access management: Assign applications and permissions to groups rather than individual users for easier and more consistent management
  • Implement least privilege: Grant users only the minimum permissions necessary for their role. Periodically audit and remove unnecessary access
  • Monitor System Logs: Regularly review the Okta System Log for suspicious activity, failed login attempts and unauthorized access patterns
  • Automate lifecycle management: Use Okta Workflows or the APIs to automate user provisioning, deprovisioning and access reviews to reduce manual errors
  • Test in a developer environment: Always test configuration changes, integrations and scripts in a developer Okta org before deploying to production
  • Document integrations: Maintain complete documentation of custom API integrations, webhooks and automation scripts for team knowledge sharing
  • Enforce session policies: Configure appropriate session lifetimes and idle timeouts based on security requirements and user-experience needs
  • Regular security audits: Conduct quarterly reviews of user access, application assignments, group memberships and policy configurations
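The rate-limiting item above in working form, added here as an example (not part of the original cheatsheet): a curl wrapper that reads Okta's X-Rate-Limit-Remaining and X-Rate-Limit-Reset response headers and waits for the reset instead of a blind sleep. It assumes OKTA_DOMAIN and OKTA_API_TOKEN are exported as in the configuration section; the function names are its own.

```shell
# Added example, not from the original cheatsheet: honour Okta's X-Rate-Limit-*
# headers. Assumes OKTA_DOMAIN and OKTA_API_TOKEN are exported as shown above.

# Extract one header value (name compared case-insensitively) from a `curl -D` dump.
header_value() {
  printf '%s\n' "$1" | awk -F': ' -v name="$2" \
    'tolower($1) == tolower(name) { gsub(/\r/, "", $2); print $2; exit }'
}

# Seconds to pause before the next call, from the header dump, HTTP status and the
# current epoch time. 0 while the bucket has room; on a 429 or an exhausted bucket
# the seconds until X-Rate-Limit-Reset (+1 for clock skew), or 1 if no usable reset.
rate_limit_wait_seconds() {
  local headers="$1" status="$2" now="$3" remaining reset
  remaining=$(header_value "$headers" 'X-Rate-Limit-Remaining')
  reset=$(header_value "$headers" 'X-Rate-Limit-Reset')
  if [ "$status" = "429" ] || { [ -n "$remaining" ] && [ "$remaining" -le 0 ]; }; then
    if [ -n "$reset" ] && [ "$reset" -gt "$now" ]; then
      echo $((reset - now + 1))
    else
      echo 1
    fi
  else
    echo 0
  fi
}

# One authenticated management-API call. Retries a 429 until the limit resets, at
# most max_retries times (same idea as maxRetries in ~/.okta/okta.yaml), and pauses
# after a call that drained the bucket so the next call is not a 429. Body to stdout.
okta_request() {
  local method="$1" path="$2" max_retries="${3:-4}" attempt=0 hdr body status pause
  hdr=$(mktemp) && body=$(mktemp)
  while :; do
    status=$(curl -sS -X "$method" "${OKTA_DOMAIN}${path}" \
      -H "Authorization: SSWS ${OKTA_API_TOKEN}" -H 'Accept: application/json' \
      -D "$hdr" -o "$body" -w '%{http_code}')
    pause=$(rate_limit_wait_seconds "$(cat "$hdr")" "$status" "$(date +%s)")
    if [ "$status" = "429" ] && [ "$attempt" -lt "$max_retries" ]; then
      attempt=$((attempt + 1))
      echo "429 from Okta; waiting ${pause}s (retry ${attempt}/${max_retries})" >&2
      sleep "$pause"
      continue
    fi
    [ "$pause" -gt 0 ] && sleep "$pause"
    break
  done
  cat "$body"; rm -f "$hdr" "$body"
  [ "$status" != "429" ]   # non-zero exit status if retries were exhausted
}
```

Call it as `okta_request GET /api/v1/users?limit=200` in place of the raw curl lines in the use cases above.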

Troubleshooting

Issue Solution
401 Unauthorized Error Verify API token is valid and not expired. Check token has appropriate scopes: INLINE_CODE_65
429 Rate Limit Exceeded Implement exponential backoff. Check INLINE_CODE_66 header for reset time. Reduce request frequency or contact Okta to increase limits
User Cannot Login Check user status: INLINE_CODE_67. Verify account is ACTIVE, not SUSPENDED or LOCKED_OUT. Unlock if needed: INLINE_CODE_68
MFA Factor Not Working Reset MFA factors: INLINE_CODE_69. User must re-enroll
Application Not Appearing Verify user is assigned to application: INLINE_CODE_70. Check application is ACTIVE
AD/LDAP Agent Not Syncing Check agent service status. Review logs at INLINE_CODE_71 (Linux) or INLINE_CODE_72 (Windows). Verify network connectivity and credentials
SSO Integration Failing Verify SAML/OIDC configuration. Check certificate validity, ACS URL, and entity ID. Use Okta's SAML debugger or browser developer tools to inspect authentication flow
API Returns Empty Results Check query syntax and filters. Verify pagination with INLINE_CODE_73 and INLINE_CODE_74 parameters: INLINE_CODE_75
Password Reset Email Not Sent Verify email settings in Okta admin console. Check user's email address is valid. Review email server logs and Okta system logs for delivery failures
Session Timeout Issues Review session settings in the Okta admin console. Adjust idle timeout and maximum session lifetime. Consider implementing refresh token rotation for long-lived sessions