Overview

The Okta integration monitors your organization’s identity management: user accounts, MFA enrollment, password policies, application assignments, group memberships, and authentication logs. LowerPlane uses read-only access to collect compliance evidence automatically.

Authentication

Okta supports two authentication methods:

What LowerPlane Collects

User Accounts

All Okta users with profile data: name, email, department, title, status (active, deprovisioned, suspended), and last login timestamp.

MFA Status

Per-user MFA enrollment status. Checks whether each user has at least one active MFA factor (authenticator app, SMS, hardware key, etc.).

Application Access

Per-user application assignments showing which Okta-integrated apps each user can access. Used for access review campaigns.

Group Memberships

Group membership for each user. Maps to roles and access levels for compliance reporting.

MFA & Password Policies

MFA enrollment policies and password complexity policies configured in your Okta org.

System Logs

Authentication and access events from the Okta System Log (last 7 days by default, configurable). Provides audit trail evidence.

Security Tests

LowerPlane runs 4 automated tests against your Okta organization:

| Test | Severity | Applies To | Description |
| --- | --- | --- | --- |
| MFA Enabled for All Users | Critical | Each user | Verifies every active user has at least one MFA factor enrolled and active |
| Password Policy Compliance | High | Organization | Checks password policies meet minimum complexity, length, and rotation requirements |
| Inactive User Accounts | Medium | Each user | Identifies accounts that have been inactive for more than 90 days |
| Application Access Review | Medium | Each application | Verifies applications have appropriate access controls and undergo regular review |
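As an added illustration (not LowerPlane's or Okta's own code), the two per-user tests in the table can be evaluated over records shaped like Okta's Users and Factors API responses. The user and factor records, the fixed clock and the 90-day cutoff are all constructed for the example; note that a factor in PENDING_ACTIVATION is treated as "no MFA", which is the per-user case the Troubleshooting section describes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like Okta's Users and Factors API responses.
USERS = [
    {"id": "u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"},
     "lastLogin": "2024-05-01T09:00:00.000Z"},
    {"id": "u2", "status": "ACTIVE", "profile": {"login": "bob@example.com"},
     "lastLogin": "2024-01-10T09:00:00.000Z"},
    {"id": "u3", "status": "ACTIVE", "profile": {"login": "carol@example.com"},
     "lastLogin": "2024-05-05T09:00:00.000Z"},
    {"id": "u4", "status": "DEPROVISIONED", "profile": {"login": "dave@example.com"},
     "lastLogin": None},
]
FACTORS = {
    "u1": [{"factorType": "token:software:totp", "status": "ACTIVE"}],
    "u2": [{"factorType": "sms", "status": "ACTIVE"}],
    # Enrolled by policy but never finished activation: must count as "no MFA".
    "u3": [{"factorType": "push", "status": "PENDING_ACTIVATION"}],
    "u4": [],
}
INACTIVE_DAYS = 90
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def parse_okta_ts(ts):
    """Okta timestamps look like 2024-05-01T09:00:00.000Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def mfa_enrolled(factors):
    """True only if at least one factor is ACTIVE; PENDING_ACTIVATION does not count."""
    return any(f["status"] == "ACTIVE" for f in factors)

def run_tests(users, factors, now=NOW, inactive_days=INACTIVE_DAYS):
    """Return {test: [failing logins]} for the two per-user tests from the table."""
    failing = {"mfa_enabled_for_all_users": [], "inactive_user_accounts": []}
    cutoff = now - timedelta(days=inactive_days)
    for u in users:
        if u["status"] != "ACTIVE":
            continue  # deprovisioned and suspended users are out of scope
        login = u["profile"]["login"]
        if not mfa_enrolled(factors.get(u["id"], [])):
            failing["mfa_enabled_for_all_users"].append(login)
        last = u.get("lastLogin")
        if last is None or parse_okta_ts(last) < cutoff:  # never logged in = inactive
            failing["inactive_user_accounts"].append(login)
    return failing

if __name__ == "__main__":
    for test, logins in run_tests(USERS, FACTORS).items():
        print(test, "FAIL" if logins else "PASS", logins)
```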

Cross-IdP MFA Passthrough

When Okta enforces MFA at the organization level, LowerPlane automatically passes MFA-related tests for downstream services (e.g., if a user authenticates to GitHub via Okta SSO with MFA, the GitHub MFA test passes automatically).

Connecting

Step 1: Generate an API Token in Okta

  1. Log in to the Okta Admin Console
  2. Go to Security > API > Tokens
  3. Click Create Token
  4. Name it LowerPlane (or any descriptive name)
  5. Copy the token value immediately — it is only shown once

Step 2: Find Your Okta Domain

Click your account name in the top-right corner of the Okta Admin Console. Your domain is shown as company.okta.com. Do not use the -admin URL.

Step 3: Connect in LowerPlane

Go to Settings > Integrations, find Okta under Identity Providers, and click Connect. Enter your Okta domain and API token.

Step 4: Initial Sync

LowerPlane performs an initial sync of users, groups, applications, policies, and logs. This typically takes 2-5 minutes depending on your organization size.

Settings

After connecting, configure Okta-specific settings from the integration detail page:

| Setting | Default | Description |
| --- | --- | --- |
| Auto Sync | Enabled | Automatically sync users, groups, and policies on a schedule |
| Sync Interval | Every 6 hours | How often LowerPlane re-syncs data from Okta |
| System Log Window | 7 days | How many days of system log history to collect on each sync |

Evidence Artifacts

Each sync generates the following compliance evidence artifacts, automatically mapped to your active frameworks:

| Artifact | Description | Frameworks |
| --- | --- | --- |
| Okta Users | Complete user inventory with status and last login | SOC 2, ISO 27001, HIPAA, GDPR |
| User App Assignments | Per-user application access for access certification | SOC 2, ISO 27001, HIPAA |
| Applications Inventory | All Okta-integrated applications | SOC 2, ISO 27001 |
| MFA Policies | MFA enrollment policy configurations | SOC 2, ISO 27001, HIPAA, PCI-DSS |
| Password Policies | Password complexity and rotation policies | SOC 2, ISO 27001, HIPAA, PCI-DSS |
| System Logs | Authentication and access events | SOC 2, ISO 27001, HIPAA |

Compliance Mapping

| Framework | Controls | What Okta Evidence Satisfies |
| --- | --- | --- |
| SOC 2 | CC6.1, CC6.2, CC6.3 | Logical access controls, user provisioning, MFA enforcement |
| ISO 27001 | A.9.2, A.9.4 | User access management, system access control |
| HIPAA | 164.312(d) | Person or entity authentication |
| GDPR | Art. 32 | Security of processing (access controls) |
| NIST CSF | PR.AC-1, PR.AC-7 | Identity management and access control |

Data Access

| Data Type | Access |
| --- | --- |
| User profiles and status | Read |
| MFA enrollment status | Read |
| Group memberships | Read |
| Application assignments | Read |
| Password and MFA policies | Read |
| System logs (auth events) | Read |
| User passwords or secrets | No access |
| Email contents | No access |
| Application data | No access |

Troubleshooting

Ensure you entered your Okta domain correctly. It should be in the format company.okta.com (not company-admin.okta.com). If you copied the URL from the Admin Console address bar, remove the -admin part.

LowerPlane validates that the domain ends with .okta.com, .okta-emea.com, or .oktapreview.com. Check for typos in your domain. Custom domains are not supported — use the standard Okta-issued domain.

The API token may have been revoked or expired. Go to Security > API > Tokens in the Okta Admin Console to verify the token is active. Generate a new token if needed and update the credentials in LowerPlane.

The MFA test checks per-user factor enrollment, not just org-level policy. Some users may not have completed MFA setup even if the policy is enforced. Check the test entity list to see which specific users are failing.

Large organizations (5,000+ users) may take longer to sync due to per-user MFA and app assignment lookups. LowerPlane enforces a 5-minute timeout per sync. If syncs consistently time out, contact support to optimize the sync configuration.