Okta

Sync users, groups, and app assignments from Okta.

Connect Okta when Doow needs users, groups, app assignments, and sign-in activity from your Okta organization.

What you need

  • An Okta organization that manages your company users and apps.
  • Your Okta domain URL, such as https://yourcompany.okta.com.
  • An Okta admin who can create an API Services application and grant Okta API scopes.
  • A client ID and client secret from that API Services application.

Use a dedicated Okta API Services app

Create a separate Okta API Services app for Doow instead of reusing an existing automation credential. This makes the scopes easier to review and the integration easier to revoke later.

What Doow reads

| Field | Description |
| --- | --- |
| Users | Full name, primary work email, Okta profile fields, and account status |
| Groups | Group names, IDs, and memberships where the approved scopes allow it |
| App assignments | Okta app assignments and app catalog references where available |
| Sign-in activity | System Log events for app sign-ins and related identity activity |
| Organization | Okta org domain used to scope imported records to your company |

What Doow does not read

  • Passwords, MFA factors, or authentication secrets
  • Session tokens or personal credentials
  • Application secrets or SAML signing material
  • Message content, files, or data inside connected applications
  • Data outside the approved user, group, app, and log scopes

Create an API Services application

Doow connects using OAuth 2.0 client credentials. Create an Okta API Services application before connecting Okta in Doow.

  1. Sign in to the Okta Admin Console.
  2. Go to Applications, then Applications.
  3. Select Create App Integration.
  4. Select API Services, then Next.
  5. Name the app something identifiable, such as Doow identity read.
  6. Select Save.
  7. On the General tab, copy the Client ID and Client Secret.
  8. Open Okta API Scopes.
  9. Grant these scopes:
    • okta.users.read
    • okta.groups.read
    • okta.apps.read
    • okta.logs.read

How to connect

  1. Go to Company Settings, then Integrations in your Doow workspace.
  2. Find Okta and select Connect.
  3. Enter your Okta domain URL.
  4. Paste the client ID.
  5. Paste the client secret.
  6. Select Connect.
  7. Wait for Doow to verify the credentials and begin the initial sync.

Permissions required

Doow uses the following Okta API scopes via client credentials:

| Scope | Purpose |
| --- | --- |
| okta.users.read | Read user profiles and account status |
| okta.groups.read | Read group memberships |
| okta.apps.read | Read application assignments |
| okta.logs.read | Read system log and sign-in activity |

These scopes are read-only. Doow cannot create, modify, or delete data in your Okta organization.

Webhooks

If your Doow workspace asks you to enable Okta event hooks, Okta requires the endpoint to be verified before it can receive events. Event hooks can help Doow receive identity changes sooner, but scheduled sync remains the source to check when event hooks are not enabled.

Confirm the sync worked

After connecting, open the integration detail page from Company Settings, then Integrations. A healthy Okta sync shows a connected state, a recent sync timestamp, imported users, groups, app assignments, and sign-in activity where Okta provides it.

If the connection succeeds but no users appear, verify that the domain, client ID, and client secret belong to the same Okta API Services application.

Troubleshooting

Use these checks when Okta data is missing or incomplete:

  • Confirm the Okta domain points to the intended organization.
  • Confirm the client ID and client secret come from the same API Services app.
  • Confirm the app has the required Okta API scopes granted.
  • Check the integration event log for permission or sync errors.

Okta-specific checks

| Symptom | Likely cause | Next action |
| --- | --- | --- |
| Client credentials are rejected | Domain, client ID, or client secret does not match the API Services application | Re-copy all three values from the same Okta application |
| Users sync but groups are missing | The API Services app does not have okta.groups.read granted | Grant the scope and reconnect if needed |
| App assignments are missing | The API Services app does not have okta.apps.read granted | Grant the scope and rerun the sync |
| Sign-in activity is missing | The API Services app does not have okta.logs.read granted or matching System Log events are outside the sync range | Grant the scope and check a broader date range |
| Event hook updates do not arrive | Event hooks are not enabled or verified | Use scheduled sync until the Okta event hook is verified |
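A scope review that ties the required permissions to the symptoms above, as an added example (not Doow's or Okta's code): it audits the grants on the dedicated API Services app against the four read scopes, reporting which data would be missing from the sync and which grants exceed read-only. The grant records are constructed sample data, and their `scopeId`/`status` shape is an assumption about how you export the app's grants.

```python
import json

# The four scopes this page lists, mapped to the data each one unlocks.
REQUIRED = {
    "okta.users.read": "users",
    "okta.groups.read": "groups",
    "okta.apps.read": "app assignments",
    "okta.logs.read": "sign-in activity",
}


def audit_grants(grants_json: str) -> dict:
    """Compare an app's granted Okta API scopes with the four read scopes."""
    grants = json.loads(grants_json)
    # Only active grants count; a record without a status is treated as active.
    granted = {
        g["scopeId"] for g in grants if g.get("status", "ACTIVE") == "ACTIVE"
    }
    missing = sorted(set(REQUIRED) - granted)
    extra = sorted(granted - set(REQUIRED))
    return {
        "missing": missing,
        # Data the sync will lack, per the troubleshooting table.
        "data_not_synced": [REQUIRED[s] for s in missing],
        # Anything beyond the documented set widens what the credential can do.
        "extra": extra,
        "not_read_only": [s for s in extra if not s.endswith(".read")],
        "ok": not missing and not extra,
    }


# Constructed sample: one revoked grant, one never granted, one over-broad.
SAMPLE_GRANTS = json.dumps([
    {"scopeId": "okta.users.read", "status": "ACTIVE"},
    {"scopeId": "okta.groups.read", "status": "REVOKED"},
    {"scopeId": "okta.apps.read", "status": "ACTIVE"},
    {"scopeId": "okta.users.manage", "status": "ACTIVE"},
])

if __name__ == "__main__":
    print(json.dumps(audit_grants(SAMPLE_GRANTS), indent=2))
```
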

Disconnecting

Go to Company Settings, then Integrations, find Okta, and select Disconnect. Doow deletes the stored credentials immediately. Delete or deactivate the Okta API Services application when you want to remove provider-side access too.

Next steps

After Okta users and assignments appear, connect HRIS if Doow needs department, manager, or employment status. Connect a usage source when Doow needs to compare access against AI, cloud, or app usage.
