
# Okta Environment Setup

## Okta Environment Overview <a href="#iam-admin-user" id="iam-admin-user"></a>

Users and Groups in your Okta environment can be managed by a Keeper Gateway using a specified API User and API Key configured in the PAM Configuration record. This guide provides step-by-step instructions for configuring the PAM Configuration for your Okta tenant, enabling the Keeper Gateway to manage users and groups within it.

### Prerequisites

1. Prior to proceeding with this guide, make sure to [install and configure your Keeper Gateway](/keeperpam/privileged-access-manager/getting-started/gateways/one-time-access-token.md).
2. Create a service user that has administrative privileges to manage users and groups.
3. Provision an API key for that service user.

For API Key creation, see [Okta's documentation here](https://developer.okta.com/docs/guides/create-an-api-token/main/).

<figure><img src="/files/LBU1yMgxRt3bQzt2gFkQ" alt=""><figcaption></figcaption></figure>

## Setting up Okta Environment Permissions

The easiest way to manage permission sets is to assign users to a group and assign permission sets to that group. Users can then be added to and removed from the group when elevation starts and ends. The steps below show how to set up an administrative group with user and group management permissions, but you can use the same approach to set up other permission sets within Okta.

### Create a Custom Role

The first step in managing users and groups in Okta is to create a custom role that can be used to manage the users and groups.

In the Okta Admin panel:

1. Navigate to Security > Administrators > Roles
2. Create a new role and give it a meaningful name and description
3. Add the following permissions to the role:
   1. Manage Users
   2. Manage Groups
4. Save the role

### Create a Custom Resource Set

Before we can create a group with role assignment, we need to add a resource set that specifies which resources the role can manage.

In the Okta Admin panel:

1. Navigate to Security > Administrators > Resources
2. Create a new resource set and give it a meaningful name and description
3. Add resources to the resource set:
   1. Users > specify either all users, or a selection
   2. Groups > specify either all groups, or a selection
4. Save the resource set

### Create a Group and Add a Role

In the Okta Admin panel:

1. Navigate to Directory > Groups
2. Create a group and give it a meaningful name and description
3. Assign an administrative role to the group ("Administrative Roles" tab)
   1. Edit group assignments
   2. Add assignment
   3. Select the custom role from [Create a Custom Role](#create-a-custom-role)
   4. Select the custom resource set from [Create a Custom Resource Set](#create-a-custom-resource-set)
   5. Save the assignment
4. Save the group

### Assign a Service User to the Group

Once a group with management permissions for users and groups has been created, you can either create a new service user for this feature or add an existing user to the group to act as the service user. It's recommended to create a specific user or select one that is a service account.

1. Navigate to Directory > Groups
2. Edit the group from [Create a Group and Add a Role](#create-a-group-and-add-a-role)
3. Assign people to the group

## Setting up Okta PAM Configuration

In order to integrate Okta into Keeper and manage the users and groups through KeeperPAM, the following information is needed:

1. Okta Tenant Name
2. Okta Tenant URL
3. Okta API User
4. Okta API Key

The Okta tenant name in our example will be "KeeperPAM Okta Example" and the tenant URL will be set to "<https://kpcexample.okta.com>".

### Creating an API Key for the service user account

For API Key creation, see [Okta's documentation here](https://developer.okta.com/docs/guides/create-an-api-token/main/). In the Okta admin panel:

1. Log in to the admin panel as the service user account
2. Navigate to Security > API
3. Click "Create Token"
4. Give the token a meaningful name and description
5. Copy the token after creation
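
An Okta API token carries the permissions of the user who created it, so it is worth confirming that the service user holds only the custom role, assigned through the group, before the key goes into the PAM Configuration. The check below is an added example, not part of Keeper's documentation: it assumes Okta's role-listing endpoint (`/api/v1/users/{id}/roles` with `SSWS` authorization) and the `type`, `label` and `assignmentType` fields of its response, and the role label, user id and JSON samples are constructed.

```python
import json
import urllib.request

# Hypothetical label given to the custom role in "Create a Custom Role".
EXPECTED_ROLE = "KeeperPAM User and Group Manager"

def build_roles_request(tenant_url, user_id, api_token):
    """Build (but do not send) the request that lists a user's admin roles."""
    if not tenant_url.startswith("https://"):
        raise ValueError("tenant URL must use https")
    url = f"{tenant_url.rstrip('/')}/api/v1/users/{user_id}/roles"
    return urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    })

def audit_roles(roles, expected_label=EXPECTED_ROLE):
    """Return findings; an empty list means least privilege holds."""
    findings, matched = [], False
    for role in roles:
        rtype, label = role.get("type"), role.get("label")
        via = role.get("assignmentType")
        if rtype == "CUSTOM" and label == expected_label:
            matched = True
            if via != "GROUP":
                findings.append(f"'{label}' assigned directly, not via the group")
        else:
            # Any other role widens what the API key can do.
            findings.append(f"extra role {rtype} '{label}' ({via})")
    if not matched:
        findings.append(f"expected custom role '{expected_label}' not found")
    return findings

# Constructed sample responses (not real tenant data).
SAMPLE_OK = json.loads("""[
  {"type": "CUSTOM", "label": "KeeperPAM User and Group Manager",
   "assignmentType": "GROUP", "status": "ACTIVE"}
]""")
SAMPLE_OVERPRIVILEGED = SAMPLE_OK + json.loads("""[
  {"type": "SUPER_ADMIN", "label": "Super Administrator",
   "assignmentType": "USER", "status": "ACTIVE"}
]""")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_OVERPRIVILEGED)):
        print(name, audit_roles(sample) or "only the expected custom role")
```

Run the role listing with an administrator credential that is allowed to view role assignments; the service user's own token may not have that permission.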

### Create an Okta PAM Configuration

Once all the steps above have been completed, add a new PAM Configuration for Okta:

* Okta Tenant Name: a useful name
* Okta Tenant URL: <https://kpcexample.okta.com>
* Okta API User: service account user from above
* Okta API Key: API key from above

<figure><img src="/files/srbodiLR1100cJFABY8b" alt=""><figcaption></figcaption></figure>


