
Okta Notes

Okta -> Admin -> input username -> assign applications

Okta Assign Applications

OKTA API Tokens

Don't use the GUI for Okta tokens. Chris can generate a new Okta token with the correct user and access. Also, it is better to look in the bash history for Okta tokens.

How to Reset ldap.read OKTA user

ldap.read@defpoint.com is the Okta user that has the API token that Splunk uses to auth to Okta and pull logs. If the ldap.read account is suspended, the API token is suspended as well. The ldap.read account's password expires after 60 days. To see when the password will expire, go to Reports -> Okta Password Health. Don't open with EXCEL! Add 60 days to the date in the last column.

  • Be on prod VPN.
  • Log into OKTA in an Incognito window using the ldap.read username and the current password from Vault (engineering/root). Three failed logins will lock the user. MFA is disabled for the account.
  • Once the password has been updated, update Vault at engineering/root with the key ldap.read@defpoint.com. You will have to create a new version of engineering/root to save the password.
  • Set reminder in your calendar to reset the password in less than 60 days or OKTA logs will stop flowing.

Password expiration report

OKTA -> Reports -> Okta Password Health. Open with a text editor, not Excel.
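The expiry arithmetic from the ldap.read procedure above (last-set date in the report's last column plus 60 days), as an added example that is not part of the original notes. It assumes the Password Health export is a CSV whose last column is the password-changed date in ISO form; the column names and sample rows are constructed, and the 7-day reminder threshold is an assumption.

```python
# Added example (not from the original notes): compute when Okta user passwords
# expire from a Password Health report export. Assumes the report is a CSV whose
# LAST column is the date the password was last set (as the notes describe) and
# that dates are "YYYY-MM-DD" or "YYYY-MM-DDTHH:MM:SSZ". Column names, the
# sample rows and the reminder threshold are constructed for this example.
import csv
import io
from datetime import date, datetime, timedelta

PASSWORD_MAX_AGE_DAYS = 60   # from the notes: the ldap.read password expires after 60 days
REMINDER_DAYS = 7            # assumed threshold: flag anything expiring within a week

# Constructed sample export; the real report's columns may differ.
SAMPLE_REPORT = """Login,Status,Password Changed
ldap.read@defpoint.com,ACTIVE,2024-03-01
alice@defpoint.com,ACTIVE,2024-04-10T09:30:00Z
bob@defpoint.com,SUSPENDED,
"""


def parse_report_date(value):
    """Return a date from a report cell, or None if the cell is empty or unparseable."""
    value = value.strip()
    if not value:
        return None
    for fmt in ("%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def password_expiry(report_text, today, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Map login -> (expiry date, days remaining, needs_attention).
    Login comes from the first column, the last-set date from the last column.
    Rows with no usable date get (None, None, True) so they are not silently skipped."""
    rows = list(csv.reader(io.StringIO(report_text)))
    result = {}
    for row in rows[1:]:            # skip the header row
        if not row or not row[0].strip():
            continue
        login = row[0].strip()
        changed = parse_report_date(row[-1])
        if changed is None:
            result[login] = (None, None, True)
            continue
        expiry = changed + timedelta(days=max_age_days)
        remaining = (expiry - today).days
        result[login] = (expiry, remaining, remaining <= REMINDER_DAYS)
    return result


if __name__ == "__main__":
    for login, (expiry, remaining, attn) in password_expiry(SAMPLE_REPORT, date.today()).items():
        print(f"{login}: expires {expiry}, {remaining} days left{'  <-- RESET' if attn else ''}")
```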

Okta Reports

Okta and Terraform

Fred ignored the above advice and created an Okta API key for himself (Web UI: Admin -> Security -> API -> Create Token).

Okta API to create token

Then:

export OKTA_API_TOKEN=[token here]
terragrunt apply

Okta Rate Limiting

Okta will rate limit us if we hit the API too frequently. This causes users to not be able to VPN in because the OpenVPN server cannot connect to the OKTA API in a timely manner. To see if this is happening, you can log into OKTA and look for a banner indicating the rate limiting. We also pull logs into Moose Splunk via the OKTA API, so you can run this Splunk search on Moose to see if we are getting errors. Finally, if you log into the OpenVPN server and see timeout errors, that is an indicator that OKTA is rate limiting us on the OKTA API.

index=_internal host=moose-splunk-hf* source=*okta* rate limit pausing operations
|  timechart count

Okta Splunk Search

Okta user create log:

index=auth sourcetype="OktaIM2:log" "Create okta user"