Set up Okta spoke

Australia Workflow Data Fabric

Release

australia

ft:locale

en-US

ft:publication_title

Australia Workflow Data Fabric

ft:clusterId

crint

bundleId

crint

workflow

Creator

Set up Okta spoke

Release version: Australia

Updated March 12, 2026

6 minutes to read

Integrate the Okta spoke with Okta to automate various actions on Okta. For example, you can automate the activation of a user on Okta. To integrate, connect your ServiceNow instance and Okta using an API key or OAuth authentication.

Before you begin

Request Integration Hub subscription.
Activate the Okta spoke on your ServiceNow instance.
Account with the Okta developers portal.
Role required: admin.

About this task

Depending on your requirement, you can set up the spoke using an API key or OAuth credentials. However, you can use only one alias at a time for a ServiceNow domain.

Set up Okta spoke using API key

Integrate the ServiceNow instance and your Okta account using an API key to authenticate ServiceNow requests.

Generate an API key to request authentication

Generate an API key on your Okta organization or developer account to have the connection record authenticated by the Okta developer's or organizational account.

Before you begin

Okta requirements:

Okta organization or developer account
Role required: Okta administrator

About this task

The API key enables the Okta organization or developer account to authenticate an access request from your ServiceNow instance.

Procedure

Log in to https://developer.okta.com/login/.
On the left panel, navigate to Security > API.
On the API page, select Tokens.
Select Create token.
In the Create token window, enter a name for the token.
Select Create token.
The token is created.
Copy the API token and store at a secured place.
Note the expiry date of the token.

Create an API Key credential record for the Okta spoke

Create Credential records to the Okta application that you created. The Okta spoke connection and credential alias uses these credentials to authorize actions.

Before you begin

Role required: admin.

Procedure

Navigate to All > Connections & Credentials > Credentials.
Select New.
Select API Key Credentials.

Fill the form.


Field	Value required
Name	A custom name that uniquely identifies the record. For example, `Okta Credentials`.
Active	Activates the credential record so that it's used to connect to the Okta account.
API Key	API token that you had generated in your Okta account in the format `SSWS <API token>`. Replace `<API token>` with the API token. To learn how to generate an API token, see Generate an API key to request authentication.
Applies to	MID Server that can use this credential. For example, select All MID Servers.
Order	Order (sequence) in which this credential is used as it attempts to access the Okta API. The smaller the number, the higher in the list this credential appears. Establish credential order when using large numbers of credentials or when security locks out users after three failed login attempts. If all the credentials have the same order number (or none), the instance tries the credentials in a random order. For example, enter `100`.
Credential alias	The credential alias for Okta spoke that resolves in runtime when connecting to the Okta API.

Select Submit.

Create a connection record for the Okta spoke

Create a Connection record to the Okta API. The Okta spoke connection and credential alias uses these connections to perform actions in Okta.

Before you begin

Role required: admin.

Procedure

Navigate to All > Connections & Credentials > Connection & Credential Aliases.
Open for the record for Okta.
From the Connections tab, select New.

Fill the form.


Field	Value required
Name	Enter any name to uniquely identify the connection record. For example, enter `Okta Connection`.
Credential	Select the Credential record that you created for Okta. For example, select Okta Credentials.
Connection URL	Enter your Okta organization URL. For example, `https://dev-418994.oktapreview.com`.

Select Submit.

Set up Okta using OAuth credentials

Integrate the ServiceNow instance and your Okta account by creating a custom OAuth application in Okta to authenticate the ServiceNow requests.

Before you begin

Access to the Okta Developer Console
Role required: admin

Create an OAuth application in Okta

Create a custom OAuth application in your Okta developer's account to enable OAuth 2.0 authentication of the requests from your ServiceNow instance.

Before you begin

Role required: admin

Administrator access to Okta Developer's or Organization account

Procedure

Log in to https://developer.okta.com/login/.
On the left panel, select Applications > Applications > .
On the Applications page, select Create App Integration.
On the Create a new app integration window, select OIDC - OpenID Connect.
Select
- OIDC - OpenID Connect
- Web Application
Select Next.

Fill the form.

Table 1. New Web App Integration
Field	Description
App integration name	Custom name of the OAuth application.
Logo	Logo of the OAuth application. Uploading a logo is optional.
Grant type	The type of OAuth 2.0 flow to use depending on the type of application you're building. To learn how to select the appropriate option, see https://developer.okta.com/docs/concepts/oauth-openid/#openid-connect. Select the options: Authorization Code Refresh Token Implicit (Hybrid) Allow ID Token with implicit grant type Allow access token with implicit grant type
Sign-in redirect URIs	The URI that receives the authentication response and ID token from Okta. Enter your ServiceNow instance URL in the format `https://<instance-name>.service-now.com/oauth_redirect.do`.
Sign-out redirect URIs	The URI that contacts Okta to close a user session. Enter your ServiceNow instance URL in the format `https://<instance-name>.service-now.com/oauth_redirect.do`
Base URIs	URI of the self-hosted Okta widget. Providing the base URI is optional.
Controlled access	Option to assign access to Okta integration in your organization. To assign access: To assign access to everyone in the organization, select Allow everyone in your organization to access. To assign access to selected groups, select Limit access to selected groups and enter the group names in the Selected group(s) field. To assign access after integration, select Skip group assignment for now.

Select Save.
The OAuth application is created.
Grant permissions to access Okta APIs.
1. Select Okta API Scopes.
2. Under Actions, select Grant for the APIs.
  Note:
  These are all the OAuth scopes required for all the spoke actions to work. If you are only using a subset of the available spoke actions, you can select only the scopes required, based on your own security requirements.
  - okta.users.manage
  - okta.apps.manage
  - okta.logs.read
  - okta.groups.read
  - okta.groups.manage
  - okta.users.read
  - okta.apps.read
  - okta.eventHooks.read
  - okta.eventHooks.manage
  For more information about the API scopes, see Define allowed scopes in Okta Developer Documentation.

Create a connection record for Okta Spoke

Create a connection record that contains the information to connect to the Okta server. Your ServiceNow instance uses this form to send authentication requests to the OAuth application.

Before you begin

Important:

If you have configured different OAuth scopes as mentioned in step 9 of Create an OAuth application in Okta, do not perform this procedure. Instead, perform the steps outlined in Connect to a third-party OAuth provider and add the corresponding OAuth scopes that align with your Okta Web Application that are granted in step 9 of Create an OAuth application in Okta.

Role required: admin.

Procedure

Navigate to All > Process Automation > Workflow Studio.
Select the Integrations tab.
In the Search all connections field, enter Okta.
Note:
The Outbound tab is enabled by default. Confirm that it's enabled.
On the Okta spoke tile, select View Details.
Select Configure.

On the form, fill these values.

Table 2. Configure Connection
Field	Description
Name	Name of the connection established with the Okta instance. The first connection's default name is automatically assigned to match the name specified in the Connections and Credentials form on the Connection & Credential Aliases page. To provide your custom name, create a connection record by selecting Add Connection.
Connection URL	The URL to connect to the Okta server. The URL format is https://[yourOktaDomain].com.
API Version	The version of the Okta APIs.
Authorization URL	The URL that the OAuth application at Okta provides to seek authorization to access the Okta resource server. The format is `https://{youroktadomain}.com/oauth2/{API version}/authorize`.
Token URL	The URL to obtain the access token. The format is `https://{youroktadomain}.com/oauth2/{API version}/token`.
Token Revocation URL	The URL provided by the OAuth authorization server that enables a client application to request the revocation or cancellation of access tokens and refresh tokens that were previously issued. The format is `https://{youroktadomain}.com/oauth2/{API version}/revoke`.
OAuth Client ID	The client ID generated in the Okta developer's account.
OAuth Client Secret	The client secret generated in the Okta developer's account.
OAuth Redirect URL	Redirect the URL to your ServiceNow instance. The format is `https://{instance-name}.service-now.com/oauth_redirect.do`.

Select Configure and Get OAuth Token.
The OAuth Access token is generated for the Okta spoke.
Note:
You must log in to Okta before the OAuth access token is granted.