Styra and Okta Collaborate on New Okta Identity Integration for Enhanced Policy-as-Code Authorization

As organizations rapidly transform the way they build and deploy applications in pursuit of greater business agility and increased speed to market, they face significant challenges implementing effective authorization controls throughout microservices environments and the infrastructure they run on. 

For Identity and Access Management (IAM) teams, stitching together different data sources and transforming them for authorization purposes is complex and time-consuming. This is a major impediment to both building fine-grained access control for entitlements, and to using Okta identity data for Open Policy Agents (OPA) deployed throughout applications and infrastructure.

Introducing the Styra DAS Okta Identity Integration

To support this need, Styra collaborated with Okta, the leading independent provider of identity, to build the Styra Declarative Authorization Service (DAS) Okta Identity Integration. This integration enhances authorization management by facilitating fine-grained access control for entitlements, as well as for other system types. The integration allows for push-button import of an organization’s Okta identity stores (Okta users, groups, roles, and applications) to the Styra DAS platform. That data is then brought into an entitlements object model.

Without a pre-built integration such as this one, users would need to implement their own code to access their IAM database, translate the data into JSON, and expose it via an API. Then they would need to configure Styra DAS to access this data, and finally write a transform to restructure the data appropriately for use with their system type of choice (such as Entitlements). This process could require considerable time and effort even for a skilled engineering team. With a pre-made integration between Okta and Styra DAS, what could be days, weeks, or months of effort becomes simply a few clicks.

How it works

Under the hood, the Styra DAS Okta Identity Integration works by retrieving various object types from Okta using Okta’s API. The retrieved data is stored in a format as close as possible to how it was received from Okta. This supports power-user use cases requiring access not needed for the Entitlements object model, such as users wishing to use the Okta datasource with custom Styra DAS systems. To support users, an out-of-the-box transform is supplied to convert the data retrieved from Okta into the proper format for use with the Entitlements system type. This means users wishing to utilize the Okta datasource with an Entitlements system do not need to write any of their own Rego code.

Styra DAS queries the data in a centralized location before including it in bundles distributed to the user’s fleet of OPA instances. This means that when authorization decisions need to be made, those OPA instances can query the copy of the IAM data retrieved from Okta, stored at the edge within the loaded OPA bundle, rather than waiting on a round-trip API request to Okta. This can allow authorization decisions to be made with much lower latency, and without concern for Okta’s API rate limits.

Deeper insights into the Okta identity data are surfaced through Styra DAS snippets, such as:

— What can a specific user do?

— Who are all the users belonging to a specific group?

— Which users are permitted to do a specific action?

— Which users have access to a specific resource?

Such a snippet may look like:

{
    "subject": "bob",
    "action": "read",
    "resource": "/cars"
}
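The flow described above (raw identity data, a transform into an authorization-friendly model, then local evaluation of a subject/action/resource query) as an added example; it is not Styra's or Okta's code, and it is written in Python rather than Rego so that it runs stand-alone. The data shapes, the GROUP_GRANTS table, the function names and the choice to drop non-ACTIVE users are assumptions made for the illustration.

```python
# Constructed sample data, loosely shaped like Okta users and groups.
# Assumption: this is NOT a real Okta API response or Styra's Entitlements schema.
OKTA_RAW = {
    "users": [
        {"id": "00u1", "status": "ACTIVE", "profile": {"login": "bob"}},
        {"id": "00u2", "status": "ACTIVE", "profile": {"login": "alice"}},
        {"id": "00u3", "status": "SUSPENDED", "profile": {"login": "carol"}},
    ],
    "groups": [
        {"id": "00g1", "profile": {"name": "sales"}, "members": ["00u1", "00u3"]},
        {"id": "00g2", "profile": {"name": "fleet-admins"}, "members": ["00u2"]},
    ],
}

# Hypothetical policy data: what each group may do.
GROUP_GRANTS = {
    "sales": [{"action": "read", "resource": "/cars"}],
    "fleet-admins": [{"action": "read", "resource": "/cars"},
                     {"action": "update", "resource": "/cars"}],
}

def transform(raw):
    """Flatten raw identity data into {login: {group names}}, dropping non-ACTIVE users."""
    login_by_id = {u["id"]: u["profile"]["login"]
                   for u in raw["users"] if u["status"] == "ACTIVE"}
    subjects = {login: set() for login in login_by_id.values()}
    for group in raw["groups"]:
        for uid in group["members"]:
            if uid in login_by_id:
                subjects[login_by_id[uid]].add(group["profile"]["name"])
    return subjects

def allowed(subjects, query):
    """Default deny: allow only if one of the subject's groups grants action + resource."""
    wanted = {"action": query["action"], "resource": query["resource"]}
    groups = subjects.get(query["subject"], set())
    return any(wanted in GROUP_GRANTS.get(g, []) for g in groups)

def who_can(subjects, action, resource):
    """Which users are permitted to do a specific action on a resource?"""
    return sorted(s for s in subjects if allowed(
        subjects, {"subject": s, "action": action, "resource": resource}))

def what_can(subjects, subject):
    """What can a specific user do?"""
    return sorted({(g["action"], g["resource"])
                   for grp in subjects.get(subject, set())
                   for g in GROUP_GRANTS.get(grp, [])})

SUBJECTS = transform(OKTA_RAW)  # computed once, then queried locally
```

Because decisions are made against a local copy, a user suspended in the identity provider stays authorized until the next transformed copy is distributed, so the refresh interval is part of the access-control design.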

Why use Okta integrated with Styra DAS?

By using Okta as a datasource for the Styra DAS entitlements system, users can easily implement complex RBAC and/or ABAC authorization policies leveraging the existing data they already have in Okta with minimal additional effort.

“Okta’s independence and neutrality offers the tools to create a single point of truth for authentication data. Customers can continue to use the same solution they already know and trust while adding on the power of the Styra Entitlements system type,” says John Baldo, Senior Product Manager at Okta.

“This integration will save users significant time and effort spent manually importing identity data sources and writing the policy code required to use that data,” says Jeff Broberg, Senior Director of Product Management at Styra. 

Want to try integrating your Okta datasource into Styra DAS? Give it a try for free! If you’d like to read a step-by-step guide on how to integrate an Okta datasource, give our documentation a read.

John Baldo is Senior Product Manager at Okta, where he works on platform in the Okta Integration Network (OIN) group.

Jeff Broberg is Senior Director of Product Management at Styra.
