Okta
Okta Workforce Identity Cloud is the industry-leading platform for enterprise workforce identity management. Mandaitor integrates with Okta to enable employees within organizations to delegate authority to AI agents with full lifecycle management.
When to Use Okta
Okta is the right choice when your users are employees within an enterprise. Typical scenarios:
- Employees delegating authority to AI agents within their organization
- Enterprise customers with Okta as their primary identity provider
- Organizations requiring SCIM-based user lifecycle management
- Workforce scenarios with group-based delegation authority
Configuration
1. Create a Custom Authorization Server
In Okta Admin Console, create a custom authorization server for Mandaitor:
- Name: Mandaitor Delegation Registry
- Audience: `https://api.mandaitor.eu`
- Custom scopes: `delegation:create`, `delegation:read`, `delegation:revoke`
2. Configure Mandaitor
```bash
curl -X PUT https://api.mandaitor.io/v1/tenants/{tenantId}/identity-providers \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled_providers": ["API_KEY", "COGNITO", "OKTA"],
    "okta": {
      "issuer": "https://your-org.okta.com/oauth2/mandaitor-server",
      "audience": "https://api.mandaitor.eu"
    }
  }'
```
Token Validation
- Provider detection: the Authorizer detects an issuer matching `*.okta.com`
- JWKS verification: the token signature is verified against Okta's JWKS
- Claims extraction: `uid`, `sub`, `groups`, `scp`, and custom claims
- Identity resolution: mapped to the canonical subject ID `oidc:okta:<uid>`
On-Behalf-Of (Token Exchange)
Okta supports OAuth 2.0 Token Exchange (RFC 8693) for delegation chains:
```javascript
// Employee authenticates via Okta SSO
const oktaToken = getOktaAccessToken();

// Exchange for a delegation token
const delegationToken = await mandaitorClient.exchangeToken({
  subject_token: oktaToken,
  mandate_id: "mdt_abc123",
  scope: "construction.validation.approve",
});
```
The resulting delegation token preserves the original employee's identity while granting the AI agent scoped access.
SCIM Provisioning
Mandaitor supports SCIM 2.0 for automated user lifecycle management with Okta:
| Endpoint | Method | Description |
|---|---|---|
| `/scim/v2/Users` | GET | List provisioned users |
| `/scim/v2/Users` | POST | Provision new user |
| `/scim/v2/Users/{id}` | PUT | Update user |
| `/scim/v2/Users/{id}` | PATCH | Partial update |
| `/scim/v2/Users/{id}` | DELETE | Deprovision (revokes all mandates) |
Automatic Mandate Revocation
When an employee is deprovisioned or deactivated via SCIM, all their active mandates are automatically revoked. This ensures delegations never outlive their organizational context.
Setting Up SCIM in Okta
- In Okta Admin, go to Applications > Mandaitor > Provisioning
- Enable SCIM provisioning
- Set the SCIM base URL: `https://api.mandaitor.io/v1/scim/v2`
- Set the authentication: Bearer Token with your API key
- Enable Push Users and Push Groups
Group-Based Delegation Authority
Map Okta groups to delegation authority in Mandaitor:
| Okta Group | Delegation Authority |
|---|---|
| Managers | Can delegate to direct reports' agents |
| IT Admins | Can register and manage AI agents |
| Executives | Can approve high-value delegations |
The `groups` claim from Okta tokens is available in the resolved identity for authorization decisions.
Event Hooks
Okta Event Hooks can synchronize lifecycle events to Mandaitor:
- user.lifecycle.deactivate → Revoke all active mandates
- user.lifecycle.suspend → Freeze all mandates
- group.user_membership.remove → Re-evaluate delegation authority
- user.account.update_profile → Sync profile changes