FortiSIEM can integrate with Okta as a single sign-on service for FortiSIEM users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta to use as a single sign-on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, FortiSIEM will begin to monitor Okta events.
- What is Discovered and Monitored
- Event Types
- Access Credentials in FortiSIEM
- Sample Okta Event
- Adding Users from Okta
- Configuring Okta Authentication
- Logging In to Okta
- Setting Up External Authentication
What is Discovered and Monitored
|Protocol||Information Discovered||Metrics Collected||Used For|
In ADMIN > Device Support > Event Types, search for "okta" to see the event types associated with this device.
- In Okta Administartion -> Security -> API, create a token. Note, tokens generated by this mechanism will have the permissions of the user who generated them.
- Tokens are valid for 30 days and automatically refresh with each API call. Tokens that are not used for 30 days will expire. The token lifetime is currently fixed and cannot be changed.
Access Credentials in FortiSIEM
|Device Type||OKTA.com OKTA|
|Access Protocol||OKTA API|
|Domain||The name of your OKTA domain|
|Security Token||The token that has been created in Okta|
|Organization||Select an organization from the drop-down list.|
Sample Okta Event
Mon Jul 21 15:50:26 2014 FortiSIEM-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME [actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 [actors/0/ipAddress]=220.127.116.11 [actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client [eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000 [eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z [requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=a_name [targets/0/id]=00uvdkhrxcPNGYWISAGK [targets/0/login]=email@example.com [targets/0/objectType]=User