From 401d60a0c4876c3fceaea0ea74ec15a5dfa500a7 Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Tue, 31 Mar 2026 12:06:01 +0200
Subject: [PATCH 01/11] add og-docs-automation submodule
---
 .gitignore | 1 +
 .gitmodules | 3 +++
 docs/og-docs-automation | 1 +
 docs/og-docs.json | 12 ++++++++++++
 4 files changed, 17 insertions(+)
 create mode 100644 .gitmodules
 create mode 160000 docs/og-docs-automation
 create mode 100644 docs/og-docs.json
diff --git a/.gitignore b/.gitignore
index 868a217..0e7e0a7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ output graph logs .vscode +docs/official-docs/ # Byte-compiled / optimized / DLL files __pycache__/
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..c297b02
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "docs/og-docs-automation"]
+ path = docs/og-docs-automation
+ url = https://github.com/SpecterOps/og-docs-automation
diff --git a/docs/og-docs-automation b/docs/og-docs-automation
new file mode 160000
index 0000000..caef4a1
--- /dev/null
+++ b/docs/og-docs-automation
@@ -0,0 +1 @@
+Subproject commit caef4a156d45ea94140e3570a1e263464e8a2ea0
diff --git a/docs/og-docs.json b/docs/og-docs.json
new file mode 100644
index 0000000..cdfd37e
--- /dev/null
+++ b/docs/og-docs.json
@@ -0,0 +1,12 @@
+{
+ "extensionSchemaPath": "extension/schema.json",
+ "gitHubBaseUrl": "https://github.com/SpecterOps/openhound-okta",
+ "stripTitlePrefix": "Okta: ",
+ "savedSearchesDir": "extension/saved_searches",
+ "zoneRulesDir": "extension/privilege_zone_rules",
+ "nodeDescriptionsDir": "descriptions/nodes",
+ "edgeDescriptionsDir": "descriptions/edges",
+ "imagesDir": "descriptions/images",
+ "iconSize": 32,
+ "iconScale": 0.55
+}
From 12bbac8da53879973e2b159b1e1a16f9b48f010b Mon Sep 17 00:00:00 2001
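Review bot: `imagesDir` in the new og-docs.json is `descriptions/images`, while the node and edge descriptions touched by the following patch in this series link their images as `../Images/...` (for example Okta_Agent.md and Okta_AgentPool.md), which resolves to `descriptions/Images` with a capital I. On a case-sensitive filesystem such as a Linux CI runner the automation would look in a directory that differs from the one the markdown links point at, so either the config or the links is wrong. If the directory is really capitalised, the one-line fix is `"imagesDir": "descriptions/Images",`; if it is lowercase, the markdown links need the same treatment instead. The patch does not show the repository tree, so which spelling exists should be confirmed before changing either side.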
From: JonasBK Date: Wed, 8 Apr 2026 15:24:33 +0200 Subject: [PATCH 02/11] update queries and descriptions based on OktaHound repo changes --- descriptions/edges/Okta_AddMember.md | 10 + descriptions/edges/Okta_AgentMemberOf.md | 11 + descriptions/edges/Okta_AgentPoolFor.md | 23 ++ descriptions/edges/Okta_AppAssignment.md | 8 +- descriptions/edges/Okta_GroupAdmin.md | 2 +- descriptions/edges/Okta_GroupPush.md | 2 +- descriptions/edges/Okta_HasRole.md | 2 +- descriptions/edges/Okta_HasRoleAssignment.md | 2 +- descriptions/edges/Okta_IdpGroupAssignment.md | 6 +- descriptions/edges/Okta_PasswordSync.md | 24 +- descriptions/edges/Okta_ResetPassword.md | 20 ++ .../edges/Okta_ResourceSetContains.md | 2 +- descriptions/edges/Okta_ScopedTo.md | 2 +- descriptions/edges/Okta_UserPull.md | 4 +- descriptions/nodes/Okta_Agent.md | 16 ++ descriptions/nodes/Okta_AgentPool.md | 11 + .../nodes/Okta_ApiServiceIntegration.md | 27 ++ descriptions/nodes/Okta_ApiToken.md | 16 ++ descriptions/nodes/Okta_Application.md | 248 +++++++++++++++++- .../nodes/Okta_AuthorizationServer.md | 16 ++ descriptions/nodes/Okta_ClientSecret.md | 12 + descriptions/nodes/Okta_CustomRole.md | 13 + descriptions/nodes/Okta_Device.md | 47 ++++ descriptions/nodes/Okta_Group.md | 41 +++ descriptions/nodes/Okta_IdentityProvider.md | 17 ++ descriptions/nodes/Okta_JWK.md | 15 ++ descriptions/nodes/Okta_Organization.md | 13 + descriptions/nodes/Okta_Policy.md | 14 + descriptions/nodes/Okta_Realm.md | 16 ++ descriptions/nodes/Okta_ResourceSet.md | 12 + descriptions/nodes/Okta_Role.md | 25 ++ descriptions/nodes/Okta_RoleAssignment.md | 14 + descriptions/nodes/Okta_User.md | 29 ++ extension/saved_searches/ad-agents.json | 2 +- .../saved_searches/admin-console-access.json | 2 +- extension/saved_searches/app-assignments.json | 2 +- extension/saved_searches/app-credentials.json | 2 +- extension/saved_searches/devices.json | 4 +- extension/saved_searches/group-members.json | 2 +- extension/saved_searches/hybrid-inbound.json 
| 2 +- extension/saved_searches/hybrid-outbound.json | 2 +- extension/saved_searches/hybrid-sync.json | 2 +- .../identity-providers-direct-privileged.json | 2 +- ...dentity-providers-indirect-privileged.json | 2 +- .../saved_searches/identity-providers.json | 2 +- extension/saved_searches/org-chart.json | 2 +- .../org-trust-relationships.json | 4 +- .../password-and-mfa-permissions.json | 2 +- .../privileged-app-unrotated-access-keys.json | 2 +- extension/saved_searches/privileged-apps.json | 2 +- .../privileged-hybrid-inbound-direct.json | 2 +- .../privileged-hybrid-inbound-indirect.json | 4 +- .../privileged-principals-hybrid-direct.json | 2 +- ...privileged-principals-hybrid-indirect.json | 2 +- .../privileged-users-no-mfa-direct.json | 2 +- .../privileged-users-no-mfa-indirect.json | 2 +- ...privileged-users-old-passwords-direct.json | 2 +- ...ivileged-users-old-passwords-indirect.json | 2 +- ...ileged-users-unexpected-status-direct.json | 2 +- ...eged-users-unexpected-status-indirect.json | 2 +- .../saved_searches/read-client-secrets.json | 2 +- .../saved_searches/realm-membership.json | 2 +- .../resource-set-membership.json | 2 +- extension/saved_searches/role-app-admins.json | 2 +- .../saved_searches/role-assignments.json | 2 +- .../role-custom-assignments.json | 2 +- .../role-direct-assignments.json | 2 +- .../saved_searches/role-group-admins.json | 2 +- .../saved_searches/scim-read-passwords.json | 2 +- .../service-integration-creators.json | 2 +- .../stale-privileged-accounts-direct.json | 2 +- .../stale-privileged-accounts-indirect.json | 2 +- .../saved_searches/swa-applications.json | 2 +- .../sync-relationships-inbound.json | 2 +- .../sync-relationships-outbound.json | 2 +- extension/saved_searches/tier0.json | 2 +- .../saved_searches/users-api-tokens.json | 2 +- 77 files changed, 746 insertions(+), 68 deletions(-) diff --git a/descriptions/edges/Okta_AddMember.md b/descriptions/edges/Okta_AddMember.md index 428a633..d856ad5 100644 
--- a/descriptions/edges/Okta_AddMember.md +++ b/descriptions/edges/Okta_AddMember.md @@ -3,3 +3,13 @@ The traversable `Okta_AddMember` edges represent custom role permissions that allow a principal (user, group, or application) to add or remove members in scoped Okta groups. These edges are created when a custom role includes the `okta.groups.members.manage` or `okta.groups.manage` permissions. + +```mermaid +graph LR + u1("Okta_User john\@contoso.com") + g1("Okta_Group Finance") + g2("Okta_Group Tier 0 Admins") + app1("Okta_Application Automation") + u1 -- Okta_AddMember --> g1 + app1 -- Okta_AddMember --> g2 +``` diff --git a/descriptions/edges/Okta_AgentMemberOf.md b/descriptions/edges/Okta_AgentMemberOf.md index 9568559..d8b6bf0 100644 --- a/descriptions/edges/Okta_AgentMemberOf.md +++ b/descriptions/edges/Okta_AgentMemberOf.md @@ -4,6 +4,17 @@ Active Directory Agent Pools and their agents can be visualized in BloodHound as follows: +```mermaid +graph LR + ap1("Okta_AgentPool contoso.com") + ap2("Okta_AgentPool adatum.com") + a1("Okta_Agent CONTOSO-SRV1") + a2("Okta_Agent CONTOSO-SRV2") + a3("Okta_Agent ADATUM-SRV1") + a1 -- Okta_AgentMemberOf --> ap1 + a2 -- Okta_AgentMemberOf --> ap1 + a3 -- Okta_AgentMemberOf --> ap2 +``` > [!WARNING] > Traversable edges between the `Okta_AgentPool` and AD `Domain` nodes are not created in the current version of `OktaHound`. diff --git a/descriptions/edges/Okta_AgentPoolFor.md b/descriptions/edges/Okta_AgentPoolFor.md index 3656bab..f69650e 100644 --- a/descriptions/edges/Okta_AgentPoolFor.md +++ b/descriptions/edges/Okta_AgentPoolFor.md 
@@ -1,3 +1,26 @@ ## General Information `Okta_AgentPoolFor` edges connect an AD `Okta_AgentPool` to the backing `Okta_Application` used for directory integration. +```mermaid +graph TB + subgraph Active Directory + d1("Domain contoso.com") + c1("Computer CONTOSO-SRV1$") + c2("Computer CONTOSO-SRV2$") + d1 -- Contains --> c1 + d1 -- Contains --> c2 + end + + subgraph Okta + ap1("Okta_AgentPool contoso.com") + a1("Okta_Agent CONTOSO-SRV1") + a2("Okta_Agent CONTOSO-SRV2") + app1("Okta_Application AD contoso.com") + a1 -- Okta_AgentMemberOf --> ap1 + a2 -- Okta_AgentMemberOf --> ap1 + ap1 -- Okta_AgentPoolFor --> app1 + end + + c1 -- Okta_HostsAgent --> a1 + c2 -- Okta_HostsAgent --> a2 +``` diff --git a/descriptions/edges/Okta_AppAssignment.md b/descriptions/edges/Okta_AppAssignment.md index 1941504..6da4fce 100644 --- a/descriptions/edges/Okta_AppAssignment.md +++ b/descriptions/edges/Okta_AppAssignment.md @@ -16,14 +16,14 @@ graph LR a1("Okta_Application SalesForce") a2("Okta_Application GitHub") a3("Okta_Application VPN") - e -- Okta_AppAssignment --> a1 + e -. Okta_AppAssignment .-> a1 u1 -- Okta_MemberOf --> e u2 -- Okta_MemberOf --> e u3 -- Okta_MemberOf --> e u4 -- Okta_MemberOf --> e u3 -- Okta_MemberOf --> g1 u4 -- Okta_MemberOf --> g1 - g1 -- Okta_AppAssignment --> a2 - u4 -- Okta_AppAssignment --> a3 - u5 -- Okta_AppAssignment --> a3 + g1 -. Okta_AppAssignment .-> a2 + u4 -. Okta_AppAssignment .-> a3 + u5 -. Okta_AppAssignment .-> a3 ``` diff --git a/descriptions/edges/Okta_GroupAdmin.md b/descriptions/edges/Okta_GroupAdmin.md index d59c085..6cf3c64 100644 --- a/descriptions/edges/Okta_GroupAdmin.md +++ b/descriptions/edges/Okta_GroupAdmin.md @@ -10,7 +10,7 @@ graph LR g1("Okta_Group Marketing") u1 -- Okta_GroupAdmin --> u2 u1 -- Okta_GroupAdmin --> g1 - u2-. Okta_MemberOf .-> g1 + u2 -- Okta_MemberOf --> g1 ``` Target group memberships are flattened when the assignment is evaluated. 
diff --git a/descriptions/edges/Okta_GroupPush.md b/descriptions/edges/Okta_GroupPush.md index c0ae5f8..185faf4 100644 --- a/descriptions/edges/Okta_GroupPush.md +++ b/descriptions/edges/Okta_GroupPush.md @@ -7,5 +7,5 @@ This indicates group provisioning and membership synchronization from Okta to ex graph LR g1("Okta_Group Engineering") app1("Okta_Application contoso.com") - g1 -- Okta_GroupPush --> app1 + g1 -. Okta_GroupPush .-> app1 ``` diff --git a/descriptions/edges/Okta_HasRole.md b/descriptions/edges/Okta_HasRole.md index b228c0e..46b0260 100644 --- a/descriptions/edges/Okta_HasRole.md +++ b/descriptions/edges/Okta_HasRole.md @@ -14,5 +14,5 @@ graph LR g1 -. Okta_HasRole .-> r1 g1 -. Okta_HasRole .-> r2 a1 -. Okta_HasRole .-> r2 - u2 -. Okta_MemberOf .-> g1 + u2 -- Okta_MemberOf --> g1 ``` diff --git a/descriptions/edges/Okta_HasRoleAssignment.md b/descriptions/edges/Okta_HasRoleAssignment.md index 6d11d49..f6a820d 100644 --- a/descriptions/edges/Okta_HasRoleAssignment.md +++ b/descriptions/edges/Okta_HasRoleAssignment.md @@ -21,7 +21,7 @@ graph TB g1 -. Okta_HasRole .-> r1 g1 -- Okta_HelpDeskAdmin --> u3 u3 -- Okta_MemberOf --> g2 - ra1 -- Okta_ScopedTo --> g2 + ra1 -. Okta_ScopedTo .-> g2 u2 -. Okta_HasRoleAssignment .-> ra2 ra2 -. Okta_ScopedTo .-> org u2 -- Okta_SuperAdmin --> org diff --git a/descriptions/edges/Okta_IdpGroupAssignment.md b/descriptions/edges/Okta_IdpGroupAssignment.md index fbc9719..88a186f 100644 --- a/descriptions/edges/Okta_IdpGroupAssignment.md +++ b/descriptions/edges/Okta_IdpGroupAssignment.md @@ -8,7 +8,7 @@ graph LR g1("Okta_Group Contractors") g2("Okta_Group Employees") g3("Okta_Group Entra ID Users") - idp1 -- Okta_IdpGroupAssignment --> g1 - idp1 -- Okta_IdpGroupAssignment --> g2 - idp1 -- Okta_IdpGroupAssignment --> g3 + idp1 -. Okta_IdpGroupAssignment .-> g1 + idp1 -. Okta_IdpGroupAssignment .-> g2 + idp1 -. Okta_IdpGroupAssignment .-> g3 ``` 
diff --git a/descriptions/edges/Okta_PasswordSync.md b/descriptions/edges/Okta_PasswordSync.md index cda202c..5449143 100644 --- a/descriptions/edges/Okta_PasswordSync.md +++ b/descriptions/edges/Okta_PasswordSync.md @@ -1,11 +1,29 @@ ## General Information -The traversable `Okta_PasswordSync` edge represents password synchronization between Okta users across organizations in Org2Org setups. -This indicates that credentials are synchronized from a source Okta user to a target Okta user. +The traversable `Okta_PasswordSync` edge represents password synchronization between user accounts. This indicates that credentials are synchronized from a source user to a target user. -> ![WARNING] +In **Active Directory** hybrid setups, this edge is created between `User` (AD) and `Okta_User` when delegated authentication or password push is enabled. +In **Org2Org** setups, this edge is created between `Okta_User` nodes across organizations when password synchronization is configured. + +> [!WARNING] > The Okta API does not indicate if the actual password or a randomly generated value is pushed to the other organization. +### Active Directory Hybrid + +```mermaid +graph LR + subgraph ad["Active Directory"] + adu1("User john\@contoso.com") + end + subgraph okta["Okta"] + u1("Okta_User john\@contoso.com") + adu1 -->|Okta_PasswordSync| u1 + adu1 .->|Okta_UserSync| u1 + end +``` + +### Org2Org + ```mermaid graph LR subgraph source_org["Okta Org Contoso"] diff --git a/descriptions/edges/Okta_ResetPassword.md b/descriptions/edges/Okta_ResetPassword.md index d0dc9ab..ea63709 100644 --- a/descriptions/edges/Okta_ResetPassword.md +++ b/descriptions/edges/Okta_ResetPassword.md 
@@ -15,3 +15,23 @@ graph LR g1 -- Okta_ResetFactors --> u2 app1 -- Okta_ResetPassword --> u1 ``` + +The edge is calculated based on custom role scoping. + +```mermaid +graph TD + u1("Okta_User john\@contoso.com") + u2("Okta_User alice\@contoso.com") + g1("Okta_Group Help Desk") + rs("Okta_ResourceSet Frontline Workers") + a("Okta_RoleAssignment Authentication Admins") + r("Okta_CustomRole Authentication Admins") + g1 -. Okta_HasRole .-> r + a -. Okta_ScopedTo .-> rs + g1 -. Okta_HasRoleAssignment .-> a + rs -- Okta_ResourceSetContains --> u2 + u1 -- Okta_MemberOf --> g1 + g1 -- Okta_ResetPassword --> u2 + g1 -- Okta_ResetFactors --> u2 +``` + diff --git a/descriptions/edges/Okta_ResourceSetContains.md b/descriptions/edges/Okta_ResourceSetContains.md index 434982a..7b12f3f 100644 --- a/descriptions/edges/Okta_ResourceSetContains.md +++ b/descriptions/edges/Okta_ResourceSetContains.md @@ -11,7 +11,7 @@ graph LR a1("Okta_Application GitHub") d1("Okta_Device John's MacBook") rs1 -- Okta_ResourceSetContains --> u1 - rs1 -. Okta_ResourceSetContains .-> g1 + rs1 -- Okta_ResourceSetContains --> g1 rs1 -- Okta_ResourceSetContains --> a1 rs1 -- Okta_ResourceSetContains --> d1 u2 -- Okta_MemberOf --> g1 diff --git a/descriptions/edges/Okta_ScopedTo.md b/descriptions/edges/Okta_ScopedTo.md index 6d11d49..f6a820d 100644 --- a/descriptions/edges/Okta_ScopedTo.md +++ b/descriptions/edges/Okta_ScopedTo.md @@ -21,7 +21,7 @@ graph TB g1 -. Okta_HasRole .-> r1 g1 -- Okta_HelpDeskAdmin --> u3 u3 -- Okta_MemberOf --> g2 - ra1 -- Okta_ScopedTo --> g2 + ra1 -. Okta_ScopedTo .-> g2 u2 -. Okta_HasRoleAssignment .-> ra2 ra2 -. Okta_ScopedTo .-> org u2 -- Okta_SuperAdmin --> org diff --git a/descriptions/edges/Okta_UserPull.md b/descriptions/edges/Okta_UserPull.md index 861b681..2ebe974 100644 --- a/descriptions/edges/Okta_UserPull.md +++ b/descriptions/edges/Okta_UserPull.md 
@@ -7,6 +7,6 @@ graph LR app1("Okta_Application Workday") u1("Okta_User john\@contoso.com") u2("Okta_User alice\@contoso.com") - app1 -- Okta_UserPull --> u1 - app1 -- Okta_UserPull --> u2 + app1 -. Okta_UserPull .-> u1 + app1 -. Okta_UserPull .-> u2 ``` diff --git a/descriptions/nodes/Okta_Agent.md b/descriptions/nodes/Okta_Agent.md index f8e0643..307de66 100644 --- a/descriptions/nodes/Okta_Agent.md +++ b/descriptions/nodes/Okta_Agent.md @@ -6,3 +6,19 @@ Okta Agents facilitate communication between the Okta cloud and on-premises appl One or more agents are grouped into Agent Pools, represented by the [Okta_AgentPool](Okta_AgentPool.md) nodes, to provide redundancy and load balancing. ![Active Directory Agent in BloodHound](../Images/bloodhound-ad-agent.png) + +## Sample Property Values + +```yaml +id: a53xfufl4rqWcHhQo697 +name: LON-SRV01 +displayName: LON-SRV01 +poolId: 0oaxg9rhdd7ncGCXv697 +oktaDomain: contoso.okta.com +poolName: contoso.local +operationalStatus: DISRUPTED +updateStatus: Cancelled +type: AD +version: 3.22.0 +lastConnection: 2026-01-15T02:29:40+00:00 +``` diff --git a/descriptions/nodes/Okta_AgentPool.md b/descriptions/nodes/Okta_AgentPool.md index 7540e34..9ce143d 100644 --- a/descriptions/nodes/Okta_AgentPool.md +++ b/descriptions/nodes/Okta_AgentPool.md @@ -17,3 +17,14 @@ The following agent pool types are supported by Okta: The most common agent pool type is the Active Directory (AD) Agent Pool, which consists of one or more AD Agents that facilitate bi-directional object synchronization between Okta and on-premises Active Directory environments. ![Okta AD Agent Pools displayed in BloodHound](../Images/bloodhound-ad-agent-pool.png) + +## Sample Property Values + +```yaml +id: 0oaxg9rhdd7ncGCXv697_pool +name: contoso.local +displayName: contoso.local +oktaDomain: contoso.okta.com +operationalStatus: DISRUPTED +type: AD +``` 
diff --git a/descriptions/nodes/Okta_ApiServiceIntegration.md b/descriptions/nodes/Okta_ApiServiceIntegration.md index 9543632..6104c44 100644 --- a/descriptions/nodes/Okta_ApiServiceIntegration.md +++ b/descriptions/nodes/Okta_ApiServiceIntegration.md @@ -13,6 +13,33 @@ API service integrations in Okta represent OAuth 2.0 service (daemon) applicatio In `OktaHound`, API service integrations are represented as `Okta_ApiServiceIntegration` nodes. +## Sample Property Values + +```yaml +id: 0oaz7jy5f2oXnvtmN697 +name: Falcon Shield +displayName: Falcon Shield +oktaDomain: contoso.okta.com +appType: falconshieldapiservice +oauthScopes: + - okta.users.read + - okta.oauthIntegrations.read + - okta.threatInsights.read + - okta.devices.read + - okta.apiTokens.read + - okta.roles.read + - okta.logs.read + - okta.groups.read + - okta.apps.read + - okta.domains.read + - okta.factors.read + - okta.authenticators.read + - okta.policies.read + - okta.networkZones.read + - okta.features.read +createdAt: 2026-01-15T12:25:42.000Z +``` + ## Integration OAuth 2.0 Scopes Each API service integration comes with a pre-defined set of OAuth 2.0 scopes to access Okta APIs: diff --git a/descriptions/nodes/Okta_ApiToken.md b/descriptions/nodes/Okta_ApiToken.md index ff940a7..6e69b18 100644 --- a/descriptions/nodes/Okta_ApiToken.md +++ b/descriptions/nodes/Okta_ApiToken.md 
@@ -7,3 +7,19 @@ These tokens are always associated with a specific user in Okta, and the permiss The use of API tokens is generally discouraged in favor of OAuth 2.0 access tokens, as they provide better security and flexibility. However, API tokens are still widely used by Okta customers. In `OktaHound`, API tokens are represented as `Okta_ApiToken` nodes. + +## Sample Property Values + +```yaml +id: 00T36fk75smeJybKx697 +name: Postman +displayName: Postman +oktaDomain: contoso.okta.com +userId: 00uw0o8iizq37KgKP697 +clientName: Okta API +created: 2025-10-03T10:08:09+00:00 +lastUpdated: 2026-01-31T20:22:42+00:00 +expiresAt: 2026-03-02T20:22:42+00:00 +networkConnection: ANYWHERE +tokenWindow: 30.00:00:00 +``` diff --git a/descriptions/nodes/Okta_Application.md b/descriptions/nodes/Okta_Application.md index 0cba845..21b1b35 100644 --- a/descriptions/nodes/Okta_Application.md +++ b/descriptions/nodes/Okta_Application.md 
@@ -6,6 +6,150 @@ With the exception of API Service applications, Okta users and groups can be ass In `OktaHound`, applications are represented as `Okta_Application` nodes. +## Sample Property Values + +### Github Cloud + +```yaml +id: 0oawyp12cjglrkfId697 +name: Github Contoso +appType: githubcloud +displayName: Github Contoso +features: [] +githubOrg: Contoso +hasRoleAssignments: false +oktaDomain: contoso.okta.com +signOnMode: SAML_2_0 +status: ACTIVE +userNameMapping: ${source.login} +created: 2025-10-31T06:08:00+00:00 +lastUpdated: 2025-10-31T06:08:01+00:00 +``` + +### Google Workspace + +```yaml +id: 0oax4r57x0V5NHL2W697 +afwOnly: false +appType: google +displayName: Google Workspace +domain: contoso.com +features: [] +hasRoleAssignments: false +name: Google Workspace +oktaDomain: contoso.okta.com +signOnMode: SAML_2_0 +status: ACTIVE +userNameMapping: ${source.login} +created: 2025-11-05T09:06:48+00:00 +lastUpdated: 2025-11-05T09:07:21+00:00 +``` + +### Jamf Pro SAML + +```yaml +id: 0oax4r3ud0J2WjlNh697 +appType: jamfsoftwareserver +displayName: Jamf Pro SAML +domain: contoso.jamfcloud.com +features: [] +hasRoleAssignments: false +name: Jamf Pro SAML +oktaDomain: contoso.okta.com +signOnMode: SAML_2_0 +status: ACTIVE +userNameMapping: ${source.login} +created: 2025-11-05T09:10:52+00:00 +lastUpdated: 2026-01-19T14:33:39+00:00 +``` + +### OktaHound + +```yaml +id: 0oaw0pujq5WtBiMYD697 +name: OktaHound +appType: oidc_client +clientType: service +displayName: OktaHound +features: [] +grantTypes: + - client_credentials +hasRoleAssignments: true +oauthScopes: + - okta.trustedOrigins.read + - okta.policies.read + - okta.linkedObjects.read + - okta.authModes.read + - okta.templates.read + - okta.apiTokens.read + - okta.factors.read + - okta.brands.read + - okta.authenticators.read + - okta.uischemas.read + - okta.logs.read + - okta.groups.read + - okta.identitySources.read + - okta.users.read + - okta.orgs.read + - okta.threatInsights.read + - 
okta.pushProviders.read + - okta.apps.read + - ssf.read + - okta.roles.read + - okta.networkZones.read + - okta.emailDomains.read + - okta.manifests.read + - okta.oauthIntegrations.read + - okta.domains.read + - okta.deviceAssurance.read + - okta.reports.read + - okta.authorizationServers.read + - okta.enduser.read + - okta.schemas.read + - okta.idps.read + - okta.agentPools.read + - okta.appGrants.read + - okta.inlineHooks.read + - okta.certificateAuthorities.read + - okta.devices.read + - okta.behaviors.read + - okta.profileMappings.read + - okta.captchas.read + - okta.clients.read + - okta.features.read + - okta.sessions.read + - okta.userTypes.read +oktaDomain: integrator-5415459.okta.com +signOnMode: OPENID_CONNECT +status: ACTIVE +userNameMapping: ${source.login} +created: 2025-10-02T10:11:20+00:00 +lastUpdated: 2025-10-02T10:26:27+00:00 +``` + +### Active Directory Integration + +```yaml +id: 0oaxg9rhdd7ncGCXv697 +name: contoso.local +appType: active_directory +displayName: contoso.local +domainSid: S-1-5-21-71365889-924527929-2677699343 +features: + - IMPORT_PROFILE_UPDATES + - PROFILE_MASTERING + - OUTBOUND_DEL_AUTH + - IMPORT_USER_SCHEMA + - IMPORT_NEW_USERS +filterGroupsByOU: false +hasRoleAssignments: false +namingContext: contoso.local +oktaDomain: contoso.okta.com +status: ACTIVE +created: 2025-11-14T12:50:42+00:00 +lastUpdated: 2026-01-31T15:12:24+00:00 +``` + ## User Name Mapping User name mapping from Okta to SAML 2.0, OpenID Connect (OIDC), and Secure Web Authentication (SWA) applications is configurable in the Okta Admin Console, with the default setting being the Okta username pass-through, i.e., `${source.login}`. @@ -61,8 +205,8 @@ graph TB org -- Okta_Contains --> g1 u1 -- Okta_MemberOf --> g1 u2 -- Okta_AppAdmin --> gha - g1 -- Okta_AppAssignment --> gha - u1 -- Okta_AppAssignment --> jmfa + g1 -. Okta_AppAssignment .-> gha + u1 -. Okta_AppAssignment .-> jmfa end subgraph gh["GitHub Enterprise Cloud"] direction LR 
@@ -75,11 +219,107 @@ graph TB jamft("jamf_SSOIntegration contoso.jamfcloud.com-SSO") jmfu1("jamf_Account john\@contoso.com") end - adu1 -- Okta_UserSync --> u1 - adu2 -- Okta_UserSync --> u2 + adu1 -. Okta_UserSync .-> u1 + adu2 -. Okta_UserSync .-> u2 adg1 -- Okta_MembershipSync --> g1 gha -- Okta_OutboundOrgSSO --> ghorg jmfa -- Okta_OutboundOrgSSO --> jamft u1 -- Okta_OutboundSSO --> ghu1 u1 -- Okta_OutboundSSO --> jmfu1 ``` + +### Active Directory Synchronization + +When Okta's Active Directory (AD) integration is configured for user and group synchronization, +the connected AD domain is represented as an `Okta_Application` node in BloodHound. +This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles. + +The synchronization is performed by domain-joined servers with the Okta AD Agent installed. +This agent typically has Domain Admin privileges in the connected AD domain to perform user and group enumeration and synchronization, +making it a high-value target for attackers. + +![Okta AD agent settings](../Images/okta-ad-agent.png) + +Authentication can be delegated from Okta to AD in multiple ways: + +- [Agentless Desktop SSO](https://help.okta.com/oie/en-us/content/topics/directory/ad-dsso-about-workflow.htm) +- [Password Synchronization](https://help.okta.com/oie/en-us/content/topics/directory/installing_configuring_active_directory_password_sync_agent.htm) +- Active Directory Federation Services (ADFS) integration with Okta as a SAML IdP + +> [!WARNING] +> There is no documented API available to determine the authentication delegation method(s) configured for an AD-backed Okta application. +> OktaHound therefore performs some heuristics that might not be 100% accurate in all cases. 
+ +### GitHub Enterprise Cloud Organizations + +When integrating Okta with GitHub Enterprise Cloud, each GitHub organization connected to Okta is represented as a separate `Okta_Application` node in BloodHound. + +![Properties of the GitHub Application node](../Images/bloodhound-github-properties.png) + +### Jamf Pro + +When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate `Okta_Application` node in BloodHound. +The differentiator is the `domainFQDN` property: + +![Jamf Pro SAML application in BloodHound](../Images/bloodhound-jamf-saml-properties.png) + +It is also possible to integrate Jamf Pro with Okta using Secure Web Authentication (SWA), but this option is less secure. + +![Jamf Pro SWA settings](../Images/app-jamf-swa.png) + +## Google Workspace + +Similarly to the Jamf Pro SAML applications, each Google Workspace (formerly G Suite) instance connected to Okta using SAML 2.0 is represented as a separate `Okta_Application` node in BloodHound and is identified by the `domainFQDN` property: + +![Google Workspace SAML application in BloodHound](../Images/bloodhound-google-saml-properties.png) + +The SAML 2.0 protocol should always be preferred to SWA when integrating Okta with Google Workspace: + +![Google Workspace sign-in protocol settings](../Images/app-google-protocol-selector.png) + +## Generic SAML 2.0 Applications + +The assertion consumer service (ACS) URLs of generic (non-Catalog) Okta SAML 2.0 applications are exposed via the `url` attribute in BloodHound. + +![Okta SAML application in BloodHound](../Images/bloodhound-app-saml.png) + +## Generic Secure Web Authentication (SWA) Applications + +Secure Web Authentication (SWA) is an Okta technology that provides Single Sign-On (SSO) functionality to external web applications that don't support federated protocols. 
SWA applications store user credentials in Okta and automatically fill them in when users access the application through the Okta dashboard. + +The app's login page URL is exposed via the `url` attribute in BloodHound. + +![Okta SWA application in BloodHound](../Images/bloodhound-app-swa.png) + +## Generic OpenID Connect (OIDC) Applications + +Okta supports three types of OIDC applications: + +- Web Application +- Single-Page Application (SPA) +- Native Application + +The default redirect URI of generic (non-Catalog) Okta OIDC single-page applications (SPAs) starts with `http://localhost:8080/`, making it hard to identify the actual application address. The optional Okta-initiated sign-in flow URL is therefore exposed in the `url` attribute in BloodHound instead, if configured. + +OIDC applications can be granted OAuth 2.0 scopes to access Okta APIs on behalf of users: + +![Okta application OIDC grants](../Images/app-oidc-grants.png) + +## SCIM-Enabled Applications + +The `features` attribute of `Okta_Application` nodes may contain the following SCIM-related values, +indicating if SCIM is enabled and which protocol capabilities are supported: + +| Feature | Description | +|------------------------------|--------------------------------------------------------------------------------| +| PUSH_NEW_USERS | Supports pushing new users from Okta to the application | +| PUSH_PASSWORD_UPDATES | Supports pushing password updates from Okta to the application | +| PUSH_PENDING_USERS | Supports pushing users from Okta to the application in pending state | +| PUSH_PROFILE_UPDATES | Supports pushing profile updates from Okta to the application | +| PUSH_USER_DEACTIVATION | Supports pushing user deactivation from Okta to the application | +| REACTIVATE_USERS | Supports reactivating users in the application from Okta | +| IMPORT_NEW_USERS | Supports importing new users into Okta from the application | +| OPP_SCIM_INCREMENTAL_IMPORTS | Supports incremental imports of users from the 
application into Okta | +| IMPORT_PROFILE_UPDATES | Updates a linked user's app profile in Okta during manual or scheduled imports | +| GROUP_PUSH | Supports pushing groups and group memberships from Okta to the application | +| PROFILE_MASTERING | Supports profile mastering in Okta, allowing the application to be the source of truth for user profiles | diff --git a/descriptions/nodes/Okta_AuthorizationServer.md b/descriptions/nodes/Okta_AuthorizationServer.md index 6241165..2ae5e45 100644 --- a/descriptions/nodes/Okta_AuthorizationServer.md +++ b/descriptions/nodes/Okta_AuthorizationServer.md @@ -6,3 +6,19 @@ In `OktaHound`, authorization servers are represented as `Okta_AuthorizationServ > [!WARNING] > The relationships between authorization servers and applications are currently not evaluated by `OktaHound`. + +## Sample Property Values + +```yaml +id: ausz6ipkn4u0hDzyf697 +name: app creation +displayName: app creation +oktaDomain: contoso.okta.com +status: INACTIVE +issuer: https://contoso.okta.com/oauth2/ausz6ipkn4u0hDzyf697 +issuerMode: DYNAMIC +audiences: + - test +created: 2026-01-14T15:41:28+00:00 +lastUpdated: 2026-01-14T16:09:30+00:00 +``` diff --git a/descriptions/nodes/Okta_ClientSecret.md b/descriptions/nodes/Okta_ClientSecret.md index 86e60da..59e34d7 100644 --- a/descriptions/nodes/Okta_ClientSecret.md +++ b/descriptions/nodes/Okta_ClientSecret.md @@ -13,3 +13,15 @@ Client secrets are represented as `Okta_ClientSecret` nodes in BloodHound. > [!NOTE] > For security reasons, the OktaHound collector does not write cleartext client secrets > to the OpenGraph JSON, only their hashed identifiers. + +## Sample Property Values + +```yaml +id: ocsxqwizfyqsf0aVG697 +name: T1e6fl4jGqvPkgd94NKx5g +displayName: T1e6fl4jGqvPkgd94NKx5g +oktaDomain: contoso.okta.com +status: ACTIVE +created: 2025-11-24T12:24:08.000Z +lastUpdated: 2025-11-24T12:24:08.000Z +``` 
diff --git a/descriptions/nodes/Okta_CustomRole.md b/descriptions/nodes/Okta_CustomRole.md index 3ac2b28..3d265b8 100644 --- a/descriptions/nodes/Okta_CustomRole.md +++ b/descriptions/nodes/Okta_CustomRole.md @@ -10,6 +10,19 @@ and then assigned to [users](Okta_User.md), [groups](Okta_Group.md), and [applic Custom roles are represented as `Okta_CustomRole` and `Okta_RoleAssignment` nodes in `OktaHound`, similar to built-in roles. +## Sample Property Values + +```yaml +id: cr0wwdjuk0w96MpFr697 +name: IAM Readers +displayName: IAM Readers +oktaDomain: contoso.okta.com +created: 2025-10-29T12:45:55+00:00 +lastUpdated: 2025-10-30T13:35:36+00:00 +permissions: + - okta.iam.read +``` + ## Abusable Permissions of Custom Roles in Okta The following Okta permissions are particularly interesting from an offensive security perspective, diff --git a/descriptions/nodes/Okta_Device.md b/descriptions/nodes/Okta_Device.md index 274629f..d534e0a 100644 --- a/descriptions/nodes/Okta_Device.md +++ b/descriptions/nodes/Okta_Device.md 
@@ -3,3 +3,50 @@ Devices in Okta represent the physical or virtual devices that users use to authenticate and access the Okta organization. Devices can optionally be managed by 3rd party MDM solutions, which allow administrators to enforce security compliance policies. In `OktaHound`, devices are represented as `Okta_Device` nodes. + +## Sample Property Values + +Windows device: + +```yaml +id: 4C4C4544-0057-4C10-8057-C8C04F573934@contoso.okta.com +name: PC01 +displayName: PC01 +oktaDomain: contoso.okta.com +oktaId: guoxrzqh8jBxYxEeJ697 +created: 2025-11-25T11:01:53+00:00 +lastUpdated: 2026-02-17T08:55:45+00:00 +status: ACTIVE +resourceType: UDDevice +platform: WINDOWS +manufacturer: Dell Inc. +model: XPS 14 9440 +osVersion: 10.0.26200.7623 +registered: true +secureHardwarePresent: true +jailBreak: false +udid: 4C4C4544-0057-4C10-8057-C8C04F573934 +objectSid: S-1-5-21-1084505731-826279434-3585917670 +serialNumber: HWLWW94 +``` + +iOS device: + +```yaml +id: guowq18eyhZaDlkkA697 +name: John's iPhone +displayName: John's iPhone +oktaDomain: contoso.okta.com +oktaId: guowq18eyhZaDlkkA697 +status: ACTIVE +resourceType: UDDevice +platform: IOS +manufacturer: APPLE +model: iPhone17,1 +osVersion: 18.6.2 +registered: true +secureHardwarePresent: true +jailBreak: false +created: 2025-10-23T17:16:46+00:00 +lastUpdated: 2025-10-23T17:16:47+00:00 +``` diff --git a/descriptions/nodes/Okta_Group.md b/descriptions/nodes/Okta_Group.md index c0b864f..656b6da 100644 --- a/descriptions/nodes/Okta_Group.md +++ b/descriptions/nodes/Okta_Group.md 
@@ -5,6 +5,47 @@ The built-in **Everyone** group always contains all users in the Okta organizati
 In `OktaHound`, groups are represented as `Okta_Group` nodes.
+## Sample Property Values
+
+Example of a group created directly in Okta:
+
+```yaml
+id: 00gxg12p4kFOkyXLb697
+name: Engineering
+displayName: Engineering
+description: Engineering department group
+oktaDomain: contoso.okta.com
+hasRoleAssignments: false
+oktaGroupType: OKTA_GROUP
+objectClass: okta:user_group
+created: 2025-11-14T08:00:25+00:00
+lastUpdated: 2025-11-14T08:00:25+00:00
+lastMembershipUpdated: 2025-11-14T08:00:25+00:00
+```
+
+Example of a group synchronized from Active Directory:
+
+```yaml
+id: 00gxga7s3yDJ71OzW697
+name: Sales
+displayName: Sales
+description: Sales department group
+oktaDomain: contoso.okta.com
+hasRoleAssignments: false
+oktaGroupType: APP_GROUP
+objectClass: okta:windows_security_principal
+objectSid: S-1-5-21-71365889-924527929-2677699343-2536
+distinguishedName: CN=Sales,CN=Groups,DC=contoso,DC=local
+samAccountName: Sales
+domainQualifiedName: CONTOSO\Sales
+groupScope: Global
+groupType: Security
+objectGuid: 4ab65ef0-ab82-4017-b5ee-1c20facd4d6a
+created: 2025-11-14T12:58:13+00:00
+lastUpdated: 2025-11-14T13:05:44+00:00
+lastMembershipUpdated: 2025-11-14T12:58:13+00:00
+```
+
 ## Synchronization with External Directories
 Similarly to users, groups can also be synchronized from external directories. The Okta API exposes the original Active Directory attributes, which are then collected by `OktaHound`:
diff --git a/descriptions/nodes/Okta_IdentityProvider.md b/descriptions/nodes/Okta_IdentityProvider.md
index b26cb5d..039eba9 100644
--- a/descriptions/nodes/Okta_IdentityProvider.md
+++ b/descriptions/nodes/Okta_IdentityProvider.md
@@ -8,3 +8,20 @@ In `OktaHound`, identity providers are represented as `Okta_IdentityProvider` no
 > [!WARNING]
 > The inbound identity provider routing rules and JIT (Just-In-Time) provisioning settings are currently not evaluated by `OktaHound`.
+
+## Sample Property Values
+
+```yaml
+id: 0oazpi53t1cRNcPL4697
+name: Microsoft Entra ID
+displayName: Microsoft Entra ID
+oktaDomain: contoso.okta.com
+created: 2026-01-31T15:21:37+00:00
+issuerMode: DYNAMIC
+type: MICROSOFT
+enabled: false
+autoUserProvisioning: true
+governedGroupIds: []
+protocolType: OIDC
+url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
+```
diff --git a/descriptions/nodes/Okta_JWK.md b/descriptions/nodes/Okta_JWK.md
index e9ec6bf..a5e4828 100644
--- a/descriptions/nodes/Okta_JWK.md
+++ b/descriptions/nodes/Okta_JWK.md
@@ -5,3 +5,18 @@ This is an asymmetric authentication mechanism where the application possesses a
 A service application can have multiple JWKs configured for key rotation purposes. JWKs are represented as `Okta_JWK` nodes in BloodHound.
+
+## Sample Property Values
+
+```yaml
+id: pksw0py294dQ80EdI697
+name: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
+displayName: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
+oktaDomain: contoso.okta.com
+status: ACTIVE
+kid: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
+kty: RSA
+use: sig
+created: 2025-10-02T10:14:44Z
+lastUpdated: 2025-10-02T10:26:27Z
+```
diff --git a/descriptions/nodes/Okta_Organization.md b/descriptions/nodes/Okta_Organization.md
index a926067..a4b79f2 100644
--- a/descriptions/nodes/Okta_Organization.md
+++ b/descriptions/nodes/Okta_Organization.md
@@ -3,3 +3,16 @@ The Organization entity represents the Okta tenant itself. It contains general information about the organization, such as its name, domain, and settings. In `OktaHound`, the organization is represented as a single `Okta_Organization` node.
+
+## Sample Property Values
+
+```yaml
+id: 00ow0o8if0CNwsKmk697
+name: contoso.okta.com
+displayName: Contoso
+oktaDomain: contoso.okta.com
+subdomain: contoso
+status: ACTIVE
+created: 2025-10-02T09:21:31+00:00
+lastUpdated: 2025-12-09T23:04:15+00:00
+```
diff --git a/descriptions/nodes/Okta_Policy.md b/descriptions/nodes/Okta_Policy.md
index 666e966..e92af51 100644
--- a/descriptions/nodes/Okta_Policy.md
+++ b/descriptions/nodes/Okta_Policy.md
@@ -4,6 +4,20 @@ Policies in Okta define the rules and conditions that govern authentication, aut
 In `OktaHound`, policies are represented as `Okta_Policy` nodes.
+## Sample Property Values
+
+```yaml
+id: rstw0o8il8ktUxo3t697
+name: Okta Account Management Policy
+displayName: Okta Account Management Policy
+oktaDomain: contoso.okta.com
+description: This policy defines how users must authenticate for authenticator enrollment, password reset, or unlock account. Password policy rules control whether to enforce this policy for password reset and unlock account.
+type: ACCESS_POLICY
+priority: 1
+system: false
+created: 2025-10-02T09:21:37+00:00
+```
+
 ## Policy Types
 The following [policy types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) are supported by Okta:
diff --git a/descriptions/nodes/Okta_Realm.md b/descriptions/nodes/Okta_Realm.md
index 197d274..b4e71aa 100644
--- a/descriptions/nodes/Okta_Realm.md
+++ b/descriptions/nodes/Okta_Realm.md
@@ -6,3 +6,19 @@ In `OktaHound`, Okta Realms are represented as `Okta_Realm` nodes.
 > [!WARNING]
 > Okta Realms are currently not supported by `OktaHound` due to licensing restrictions.
+
+## Sample Property Values
+
+```yaml
+id: guor3k19x7pVQ6Abc0g7
+name: Car Co
+displayName: Car Co
+oktaDomain: contoso.okta.com
+type: PARTNER
+isDefault: false
+domains:
+  - atko.com
+  - user.com
+created: 2025-06-01T08:00:00.0000000+00:00
+lastUpdated: 2026-02-20T07:45:12.0000000+00:00
+```
diff --git a/descriptions/nodes/Okta_ResourceSet.md b/descriptions/nodes/Okta_ResourceSet.md
index 4828469..d756fa7 100644
--- a/descriptions/nodes/Okta_ResourceSet.md
+++ b/descriptions/nodes/Okta_ResourceSet.md
@@ -29,3 +29,15 @@ A resource set can contain the following object types:
 ![Okta Resource Set displayed in BloodHound](../Images/bloodhound-resource-set.png)
 In `OktaHound`, resource sets are represented as `Okta_ResourceSet` nodes.
+
+## Sample Property Values
+
+```yaml
+id: WORKFLOWS_IAM_POLICY@contoso.okta.com
+name: Workflows Resource Set
+displayName: Workflows Resource Set
+oktaDomain: contoso.okta.com
+description: A resource set managed by Workflows Administrator
+created: 2025-10-22T13:29:26+00:00
+lastUpdated: 2025-10-22T13:29:26+00:00
+```
diff --git a/descriptions/nodes/Okta_Role.md b/descriptions/nodes/Okta_Role.md
index 0c43f9f..bcb0d00 100644
--- a/descriptions/nodes/Okta_Role.md
+++ b/descriptions/nodes/Okta_Role.md
@@ -26,6 +26,31 @@ The following roles can either be scoped to specific resources or assigned organ
 In `OktaHound`, built-in roles are represented as `Okta_Role` nodes.
+## Sample Property Values
+
+```yaml
+id: APP_ADMIN@contoso.okta.com
+name: Application Administrator
+displayName: Application Administrator
+oktaDomain: contoso.okta.com
+permissions:
+  - okta.apps.manage
+  - okta.apps.read
+  - okta.apps.assignment.manage
+  - okta.apps.clientCredentials.read
+  - okta.users.appAssignment.manage
+  - okta.groups.appAssignment.manage
+  - okta.policies.manage
+  - okta.policies.read
+  - okta.users.read
+  - okta.groups.read
+  - okta.users.userprofile.manage
+  - okta.users.userprofile.read
+  - okta.profilesources.import.run
+  - okta.agents.register
+  - okta.realms.read
+```
+
 ## Built-In Role Identifiers
 When working with roles using the Okta API, the built-in roles are referenced by the following identifiers:
diff --git a/descriptions/nodes/Okta_RoleAssignment.md b/descriptions/nodes/Okta_RoleAssignment.md
index af38863..689ebdf 100644
--- a/descriptions/nodes/Okta_RoleAssignment.md
+++ b/descriptions/nodes/Okta_RoleAssignment.md
@@ -1,3 +1,17 @@
 ## Overview
 To help visualize role assignments in BloodHound, `OktaHound` creates `Okta_RoleAssignment` nodes for each role assignment in Okta. These nodes represent the relationship between a [user](Okta_User.md), [group](Okta_Group.md), or [application](Okta_Application.md) and a role ([built-in](Okta_Role.md) or [custom](Okta_CustomRole.md)).
+
+## Sample Property Values
+
+```yaml
+id: irbwnwe8vjjXl4FbX697_00uw2sodowQc75SUm697
+name: Workflows Administrator
+displayName: Workflows Administrator
+oktaDomain: contoso.okta.com
+assignmentType: USER
+type: WORKFLOWS_ADMIN
+status: ACTIVE
+created: 2025-10-22T13:29:26+00:00
+lastUpdated: 2025-10-22T13:29:26+00:00
+```
diff --git a/descriptions/nodes/Okta_User.md b/descriptions/nodes/Okta_User.md
index 055c804..2b78196 100644
--- a/descriptions/nodes/Okta_User.md
+++ b/descriptions/nodes/Okta_User.md
@@ -4,6 +4,35 @@ User objects (AKA People) represent individuals who have access to the Okta orga
 In `OktaHound`, users are represented as `Okta_User` nodes.
+## Sample Property Values
+
+```yaml
+id: 00uw2sodn4ZPJJQyx697
+name: john.doe@contoso.com
+displayName: John Doe
+oktaDomain: contoso.okta.com
+login: john.doe@contoso.com
+email: john.doe@contoso.com
+firstName: John
+lastName: Doe
+title: Senior Identity Engineer
+department: Security Engineering
+city: Seattle
+state: WA
+countryCode: US
+status: ACTIVE
+enabled: true
+hasRoleAssignments: false
+credentialProviderName: OKTA
+credentialProviderType: OKTA
+managerId: joe.smith@contoso.com
+created: 2025-10-03T18:45:57+00:00
+activated: 2025-10-03T19:02:11+00:00
+passwordChanged: 2026-01-12T14:27:03+00:00
+lastLogin: 2026-02-20T09:41:55+00:00
+lastUpdated: 2025-10-29T11:09:47+00:00
+```
+
 ## User Status
 User status can have [multiple values](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User), as illustrated below:
diff --git a/extension/saved_searches/ad-agents.json b/extension/saved_searches/ad-agents.json
index 05113fc..7ce321a 100644
--- a/extension/saved_searches/ad-agents.json
+++ b/extension/saved_searches/ad-agents.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Agents, Agent Pools, and Host Servers",
   "description": "Lists Okta agents, their associated agent pools, and the AD servers hosting each agent.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(:Okta_Agent:Computer)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(agent)\nWHERE agent:Okta_Agent OR agent:Computer\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/admin-console-access.json b/extension/saved_searches/admin-console-access.json
index f8c4cb5..2d326ec 100644
--- a/extension/saved_searches/admin-console-access.json
+++ b/extension/saved_searches/admin-console-access.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Principals with Admin Console Access",
   "description": "Identifies principals with access to the Okta Admin Console.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(c:Okta_Application)\nWHERE c.appType = \"saasure\"\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(console:Okta_Application)\nWHERE console.appType = \"saasure\"\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/app-assignments.json b/extension/saved_searches/app-assignments.json
index 854cc71..4bea94e 100644
--- a/extension/saved_searches/app-assignments.json
+++ b/extension/saved_searches/app-assignments.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Application Assignments",
   "description": "List all application assignments.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/app-credentials.json b/extension/saved_searches/app-credentials.json
index 721d626..278182c 100644
--- a/extension/saved_searches/app-credentials.json
+++ b/extension/saved_searches/app-credentials.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Application Credentials",
   "description": "Lists all service application secrets and JWTs.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]->(:Okta_ClientSecret:Okta_JWK)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]->(credential)\nWHERE credential:Okta_ClientSecret OR credential:Okta_JWK\nRETURN path\nLIMIT 1000"
 }
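Review bot: The rewritten query in app-credentials.json still uses `<-[:Okta_SecretOf|Okta_KeyOf]->(credential)`, which Cypher parses as an undirected relationship pattern, so the direction of the credential-to-application edge is not enforced even though the label filter was fixed. The other credential queries in this commit (privileged-app-unrotated-access-keys.json, read-client-secrets.json) direct these edges from the credential to the application; `(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]-(credential)` would make this one consistent and keep any reverse-direction edge from matching. The arrow form was already present on the removed line, so this is not a regression, but it is worth fixing while the query is being touched.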
diff --git a/extension/saved_searches/devices.json b/extension/saved_searches/devices.json
index 9bb8c39..ccf3f5b 100644
--- a/extension/saved_searches/devices.json
+++ b/extension/saved_searches/devices.json
@@ -1,5 +1,7 @@
 {
   "name": "Okta: Devices",
   "description": "List all devices, their owners, and any mobile admins.",
-  "query": "MATCH p = (:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)\nOPTIONAL MATCH q = (:Okta_User:Okta_Group:Okta_Application)-[:Okta_MobileAdmin]->(:Okta_Device)\nRETURN p,q\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)\nOPTIONAL MATCH adminPath = (admin)-[:Okta_MobileAdmin]->(:Okta_Device)\nWHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application\nRETURN path,adminPath\nLIMIT 1000"
 }
+
+
diff --git a/extension/saved_searches/group-members.json b/extension/saved_searches/group-members.json
index fa6eb94..cce39b4 100644
--- a/extension/saved_searches/group-members.json
+++ b/extension/saved_searches/group-members.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Group Membership",
   "description": "Retrieves all group membership relationships.",
-  "query": "MATCH p = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/hybrid-inbound.json b/extension/saved_searches/hybrid-inbound.json
index 18cf9c3..f7b3603 100644
--- a/extension/saved_searches/hybrid-inbound.json
+++ b/extension/saved_searches/hybrid-inbound.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Hybrid Relationships Inbound",
   "description": "Retrieves all hybrid relationships from external systems to Okta.",
-  "query": "MATCH p = (n)-[]->(:Okta)\nWHERE NOT n:Okta\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (source)-[]->(:Okta)\nWHERE NOT source:Okta\nRETURN path\nLIMIT 1000"
 }
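Review bot: In devices.json the `OPTIONAL MATCH` shares no variable with the first `MATCH`, so every device/owner path is combined with every Okta_MobileAdmin path (a cross product) instead of with the admins of that device, and under `LIMIT 1000` the rows that survive are effectively arbitrary. Binding the device once, `MATCH path = (device:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)` followed by `OPTIONAL MATCH adminPath = (admin)-[:Okta_MobileAdmin]->(device)`, keeps each admin path attached to its own device; the same shape was present on the removed line, so this is carried over rather than introduced. Separately, the hunk appends two blank lines after the closing `}` (`@@ -1,5 +1,7 @@`), which none of the sibling saved searches have; drop them.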
diff --git a/extension/saved_searches/hybrid-outbound.json b/extension/saved_searches/hybrid-outbound.json
index 6ed7911..f187c4f 100644
--- a/extension/saved_searches/hybrid-outbound.json
+++ b/extension/saved_searches/hybrid-outbound.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Hybrid Relationships Outbound",
   "description": "Retrieves all hybrid relationships from Okta to external systems.",
-  "query": "MATCH p = (:Okta)-[]->(n)\nWHERE NOT n:Okta\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta)-[]->(target)\nWHERE NOT target:Okta\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/hybrid-sync.json b/extension/saved_searches/hybrid-sync.json
index fbc8b75..8e74034 100644
--- a/extension/saved_searches/hybrid-sync.json
+++ b/extension/saved_searches/hybrid-sync.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Security Principal Synchronization",
   "description": "Retrieves all users and groups that are synchronized TO or FROM Okta.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/identity-providers-direct-privileged.json b/extension/saved_searches/identity-providers-direct-privileged.json
index 15874d0..7a5be86 100644
--- a/extension/saved_searches/identity-providers-direct-privileged.json
+++ b/extension/saved_searches/identity-providers-direct-privileged.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Identity Provider Assignments - Direct Privileged Access",
   "description": "Identity providers associated with users or groups that hold direct privileged role assignments in Okta.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta_User:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE assignee:Okta_User OR assignee:Okta_Group\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/identity-providers-indirect-privileged.json b/extension/saved_searches/identity-providers-indirect-privileged.json
index 36e10a5..e625973 100644
--- a/extension/saved_searches/identity-providers-indirect-privileged.json
+++ b/extension/saved_searches/identity-providers-indirect-privileged.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Identity Provider Assignments - Indirect Privileged Access",
   "description": "Identity providers associated with users who hold privileged role assignments through group membership in Okta.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/identity-providers.json b/extension/saved_searches/identity-providers.json
index 995f3a0..739f905 100644
--- a/extension/saved_searches/identity-providers.json
+++ b/extension/saved_searches/identity-providers.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Identity Provider Assignments",
   "description": "Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta_User:Okta_Group)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)\nWHERE assignee:Okta_User OR assignee:Okta_Group\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/org-chart.json b/extension/saved_searches/org-chart.json
index 15e118d..8fd5b8d 100644
--- a/extension/saved_searches/org-chart.json
+++ b/extension/saved_searches/org-chart.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Organizational Structure",
   "description": "Retrieves all manager relationships.",
-  "query": "MATCH p = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/org-trust-relationships.json b/extension/saved_searches/org-trust-relationships.json
index 380c059..14ae160 100644
--- a/extension/saved_searches/org-trust-relationships.json
+++ b/extension/saved_searches/org-trust-relationships.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Org Trust Relationships",
   "description": "Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants.",
-  "query": "MATCH p = (:Okta_Application:Okta_IdentityProvider)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()\nRETURN p\nLIMIT 1000"
-}
+  "query": "MATCH path = (source)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()\nWHERE source:Okta_Application OR source:Okta_IdentityProvider\nRETURN path\nLIMIT 1000"
+}
\ No newline at end of file
diff --git a/extension/saved_searches/password-and-mfa-permissions.json b/extension/saved_searches/password-and-mfa-permissions.json
index d02fd5e..4f6b2dc 100644
--- a/extension/saved_searches/password-and-mfa-permissions.json
+++ b/extension/saved_searches/password-and-mfa-permissions.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Password and MFA Permissions",
   "description": "Lists permissions to reset passwords and MFA factors.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(actor)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)\nWHERE actor:Okta_User OR actor:Okta_Group OR actor:Okta_Application\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-app-unrotated-access-keys.json b/extension/saved_searches/privileged-app-unrotated-access-keys.json
index e9cf56b..cb2f813 100644
--- a/extension/saved_searches/privileged-app-unrotated-access-keys.json
+++ b/extension/saved_searches/privileged-app-unrotated-access-keys.json
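Review bot: The rewrite of org-trust-relationships.json drops the file's trailing newline (`-}` / `+}` followed by `\ No newline at end of file`), and privileged-hybrid-inbound-indirect.json in this commit does the same, while every other saved search keeps it; restore the newline in both so editors and diffs stay consistent. On the query itself, `(source)-[...]-()` is undirected and only `source` carries a label filter, so a trust edge whose two endpoints are both an Okta_Application or Okta_IdentityProvider would presumably be returned twice, once per orientation; if single rows per relationship are intended, consider pinning the direction or binding the other end and filtering on it. That duplication, if real, was also present in the removed pattern.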
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Unrotated Active Access Keys on Privileged Apps",
   "description": "Finds active JWKs or client secrets older than 365 days on applications that have role assignments.",
-  "query": "MATCH p = (s:Okta_JWK:Okta_ClientSecret)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE s.status = \"ACTIVE\" AND datetime(s.created) <= datetime() - duration(\"P365D\")\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (credential)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE (credential:Okta_JWK OR credential:Okta_ClientSecret) AND credential.status = \"ACTIVE\" AND datetime(credential.created) <= datetime() - duration(\"P365D\")\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-apps.json b/extension/saved_searches/privileged-apps.json
index ea03c20..414fafd 100644
--- a/extension/saved_searches/privileged-apps.json
+++ b/extension/saved_searches/privileged-apps.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Applications with Role Assignments",
   "description": "Applications that have roles assigned.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-hybrid-inbound-direct.json b/extension/saved_searches/privileged-hybrid-inbound-direct.json
index 3e25a1c..de3599a 100644
--- a/extension/saved_searches/privileged-hybrid-inbound-direct.json
+++ b/extension/saved_searches/privileged-hybrid-inbound-direct.json
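Review bot: `datetime(credential.created)` in privileged-app-unrotated-access-keys.json has no null guard, unlike the password-age queries in this commit, which check `user.passwordChanged IS NOT NULL AND ...` first; a credential whose `created` property is missing yields a null comparison and silently drops out of a report whose purpose is to surface unrotated keys. If skipping such credentials is acceptable, make it explicit with `credential.created IS NOT NULL AND` for consistency with the sibling queries; if not, they should be surfaced separately so an unknown key age is not read as a rotated key. The sample values added in this commit show `created` in two formats (`2025-10-02T10:14:44Z` for JWKs, `...+00:00` elsewhere); both are presumably accepted by `datetime()`, but that is worth confirming against the collector output.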
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Synced Principals with Privileged Access (Direct) - Hybrid Edges",
   "description": "Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta.",
-  "query": "MATCH p = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE principal:Okta_User OR principal:Okta_Group OR principal:Okta_Application\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-hybrid-inbound-indirect.json b/extension/saved_searches/privileged-hybrid-inbound-indirect.json
index 9104170..4821d84 100644
--- a/extension/saved_searches/privileged-hybrid-inbound-indirect.json
+++ b/extension/saved_searches/privileged-hybrid-inbound-indirect.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Synced Principals with Privileged Access (Indirect) - Hybrid Edges",
   "description": "Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta.",
-  "query": "MATCH p = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(:Okta_User:Okta_Application)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
-}
+  "query": "MATCH path = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE principal:Okta_User OR principal:Okta_Application\nRETURN path\nLIMIT 1000"
+}
\ No newline at end of file
diff --git a/extension/saved_searches/privileged-principals-hybrid-direct.json b/extension/saved_searches/privileged-principals-hybrid-direct.json
index 0dd79c2..14ccbee 100644
--- a/extension/saved_searches/privileged-principals-hybrid-direct.json
+++ b/extension/saved_searches/privileged-principals-hybrid-direct.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Synced Principals with Privileged Access (Direct) - Okta Edges",
   "description": "Users and groups synchronized from external sources that have privileged role assignments.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application:Okta_IdentityProvider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE provider:Okta_Application OR provider:Okta_IdentityProvider\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-principals-hybrid-indirect.json b/extension/saved_searches/privileged-principals-hybrid-indirect.json
index 15a817e..e2e8bcf 100644
--- a/extension/saved_searches/privileged-principals-hybrid-indirect.json
+++ b/extension/saved_searches/privileged-principals-hybrid-indirect.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Synced Principals with Privileged Access (Indirect) - Okta Edges",
   "description": "Users synchronized from external sources that hold privileged role assignments through group membership in Okta.",
-  "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application:Okta_IdentityProvider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE provider:Okta_Application OR provider:Okta_IdentityProvider\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-users-no-mfa-direct.json b/extension/saved_searches/privileged-users-no-mfa-direct.json
index 36b105e..a2a6540 100644
--- a/extension/saved_searches/privileged-users-no-mfa-direct.json
+++ b/extension/saved_searches/privileged-users-no-mfa-direct.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Privileged Users without MFA (Direct)",
   "description": "Users who do not have multi-factor authentication enabled and directly hold privileged role assignments.",
-  "query": "MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.authenticationFactors = 0\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.authenticationFactors = 0\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-users-no-mfa-indirect.json b/extension/saved_searches/privileged-users-no-mfa-indirect.json
index 20dacf0..6126b9c 100644
--- a/extension/saved_searches/privileged-users-no-mfa-indirect.json
+++ b/extension/saved_searches/privileged-users-no-mfa-indirect.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Privileged Users without MFA (Indirect)",
   "description": "Users who do not have multi-factor authentication enabled and hold privileged role assignments through group membership.",
-  "query": "MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.authenticationFactors = 0\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.authenticationFactors = 0\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-users-old-passwords-direct.json b/extension/saved_searches/privileged-users-old-passwords-direct.json
index 3435bd5..5edd2b2 100644
--- a/extension/saved_searches/privileged-users-old-passwords-direct.json
+++ b/extension/saved_searches/privileged-users-old-passwords-direct.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Privileged Users with Old Passwords (Direct)",
   "description": "Finds users whose last password change was more than a year ago and directly hold privileged role assignments.",
-  "query": "MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.passwordChanged IS NOT NULL AND datetime(u.passwordChanged) <= datetime() - duration(\"P365D\")\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration(\"P365D\")\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-users-old-passwords-indirect.json b/extension/saved_searches/privileged-users-old-passwords-indirect.json
index cbd6114..d5b6436 100644
--- a/extension/saved_searches/privileged-users-old-passwords-indirect.json
+++ b/extension/saved_searches/privileged-users-old-passwords-indirect.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Privileged Users with Old Passwords (Indirect)",
   "description": "Finds users whose last password change was more than a year ago and hold privileged role assignments through group membership.",
-  "query": "MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.passwordChanged IS NOT NULL AND datetime(u.passwordChanged) <= datetime() - duration(\"P365D\")\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration(\"P365D\")\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-users-unexpected-status-direct.json b/extension/saved_searches/privileged-users-unexpected-status-direct.json
index 67af0eb..c8c65d7 100644
--- a/extension/saved_searches/privileged-users-unexpected-status-direct.json
+++ b/extension/saved_searches/privileged-users-unexpected-status-direct.json
@@ -1,5 +1,5 @@
 {
   "name": "Okta: Privileged Users with Non-Active Status (Direct)",
   "description": "Finds users whose status is not ACTIVE and directly hold privileged role assignments, including deactivated, suspended, or provisioning-incomplete accounts.",
-  "query": "MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.status <> \"ACTIVE\"\nRETURN p\nLIMIT 1000"
+  "query": "MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.status <> \"ACTIVE\"\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/privileged-users-unexpected-status-indirect.json b/extension/saved_searches/privileged-users-unexpected-status-indirect.json
index be2c15c..86a789e 100644
--- a/extension/saved_searches/privileged-users-unexpected-status-indirect.json
+++ b/extension/saved_searches/privileged-users-unexpected-status-indirect.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Privileged Users with Non-Active Status (Indirect)",
  "description": "Finds users whose status is not ACTIVE and hold privileged role assignments through group membership, including deactivated, suspended, or provisioning-incomplete accounts.",
- "query": "MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.status <> \"ACTIVE\"\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.status <> \"ACTIVE\"\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/read-client-secrets.json b/extension/saved_searches/read-client-secrets.json
index 990348e..4f04cff 100644
--- a/extension/saved_searches/read-client-secrets.json
+++ b/extension/saved_searches/read-client-secrets.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Read Client Secrets of Privileged Applications",
  "description": "Searches for client secrets associated with privileged applications that are readable to non-Super Admins.",
- "query": "MATCH p = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/realm-membership.json b/extension/saved_searches/realm-membership.json
index 9ea6c40..3f6f40e 100644
--- a/extension/saved_searches/realm-membership.json
+++ b/extension/saved_searches/realm-membership.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Realm Membership",
  "description": "Lists all Okta realms and the users assigned to them.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/resource-set-membership.json b/extension/saved_searches/resource-set-membership.json
index 7a6befb..8683647 100644
--- a/extension/saved_searches/resource-set-membership.json
+++ b/extension/saved_searches/resource-set-membership.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Resource Set Membership",
  "description": "Lists all resource sets and their associated members.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/role-app-admins.json b/extension/saved_searches/role-app-admins.json
index 59f7fc0..335b0f7 100644
--- a/extension/saved_searches/role-app-admins.json
+++ b/extension/saved_searches/role-app-admins.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Application Administrators and Managers",
  "description": "List all Application Administrators and Managers.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_AppAdmin|Okta_ManageApp]->(:Okta_Application:Okta_ApiServiceIntegration)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_AppAdmin|Okta_ManageApp]->(app)\nWHERE (admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application) AND (app:Okta_Application OR app:Okta_ApiServiceIntegration)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/role-assignments.json b/extension/saved_searches/role-assignments.json
index 2bc90ca..e94a235 100644
--- a/extension/saved_searches/role-assignments.json
+++ b/extension/saved_searches/role-assignments.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Role Assignments - Role Assignments and Scope",
  "description": "Lists all role assignments and scope, including transitive group membership.",
- "query": "MATCH p = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/role-custom-assignments.json b/extension/saved_searches/role-custom-assignments.json
index 5b9c5e5..2095f27 100644
--- a/extension/saved_searches/role-custom-assignments.json
+++ b/extension/saved_searches/role-custom-assignments.json
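Review bot: The rewritten role-app-admins query enumerates the principal labels explicitly (`admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application`), while role-assignments in the same hunk set anchors principals with the generic `(:Okta)` label; the same explicit list recurs in role-custom-assignments, role-direct-assignments and role-group-admins on the following lines. If any other node type can be the source of an `Okta_AppAdmin`/`Okta_ManageApp` or `Okta_HasRole` edge (for example `Okta_ApiServiceIntegration`, which already appears as an edge target here), those admins are silently dropped from an "all administrators" listing, which is a blind spot for a privilege review. If the edge types themselves are only ever emitted from principals, the label filter is redundant and `(admin:Okta)` would be the consistent, cheaper form; either way a short clarification in the description field, e.g. `"description": "List all Application Administrators and Managers (users, groups, and applications)."`, makes the intended scope explicit.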
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Role Assignments - All Custom Roles",
  "description": "Lists all role assignments, linking principals to their assigned custom roles.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRole]->(:Okta_CustomRole)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_CustomRole)\nWHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/role-direct-assignments.json b/extension/saved_searches/role-direct-assignments.json
index 2c70ebb..915460c 100644
--- a/extension/saved_searches/role-direct-assignments.json
+++ b/extension/saved_searches/role-direct-assignments.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Role Assignments - All Built-in Roles",
  "description": "Lists all role assignments, linking principals to their assigned built-in roles.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_HasRole]->(:Okta_Role)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_Role)\nWHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/role-group-admins.json b/extension/saved_searches/role-group-admins.json
index 7d5c53b..0e1edb4 100644
--- a/extension/saved_searches/role-group-admins.json
+++ b/extension/saved_searches/role-group-admins.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Role Assignments - Group Administrators",
  "description": "List all Group Administrators and Group Membership Administrators.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_User:Okta_Group:Okta_Application)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group)\nWHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/scim-read-passwords.json b/extension/saved_searches/scim-read-passwords.json
index e819cca..d2a3e4c 100644
--- a/extension/saved_searches/scim-read-passwords.json
+++ b/extension/saved_searches/scim-read-passwords.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: SCIM Apps Receiving Password Updates",
  "description": "Lists application-to-user assignments where the app receives password updates.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/service-integration-creators.json b/extension/saved_searches/service-integration-creators.json
index f66a70a..db9a6a9 100644
--- a/extension/saved_searches/service-integration-creators.json
+++ b/extension/saved_searches/service-integration-creators.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: API Service Integration Creators",
  "description": "Lists all API service integrations and their creators.",
- "query": "MATCH p = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration)\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/stale-privileged-accounts-direct.json b/extension/saved_searches/stale-privileged-accounts-direct.json
index 4faf90e..0c3a2fe 100644
--- a/extension/saved_searches/stale-privileged-accounts-direct.json
+++ b/extension/saved_searches/stale-privileged-accounts-direct.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Stale Privileged Users (Direct)",
  "description": "Finds user accounts that have not logged in for at least 180 days and directly hold privileged role assignments.",
- "query": "MATCH p = (u:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.lastLogin IS NULL OR datetime(u.lastLogin) <= datetime() - duration(\"P180D\")\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration(\"P180D\")\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/stale-privileged-accounts-indirect.json b/extension/saved_searches/stale-privileged-accounts-indirect.json
index 15be028..80d51fb 100644
--- a/extension/saved_searches/stale-privileged-accounts-indirect.json
+++ b/extension/saved_searches/stale-privileged-accounts-indirect.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Stale Privileged Users (Indirect)",
  "description": "Finds user accounts that have not logged in for at least 180 days and hold privileged role assignments through group membership.",
- "query": "MATCH p = (u:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE u.lastLogin IS NULL OR datetime(u.lastLogin) <= datetime() - duration(\"P180D\")\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)\nWHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration(\"P180D\")\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/swa-applications.json b/extension/saved_searches/swa-applications.json
index 7154142..121ff78 100644
--- a/extension/saved_searches/swa-applications.json
+++ b/extension/saved_searches/swa-applications.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Secure Web Authentication Applications",
  "description": "Secure Web Authentication (SWA) relationships between Okta users and their linked accounts in external applications.",
- "query": "MATCH p = (:Okta_User)-[:Okta_SWA]->(n)\nWHERE NOT n:Okta\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_User)-[:Okta_SWA]->(target)\nWHERE NOT target:Okta\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/sync-relationships-inbound.json b/extension/saved_searches/sync-relationships-inbound.json
index 71efbff..4176fe0 100644
--- a/extension/saved_searches/sync-relationships-inbound.json
+++ b/extension/saved_searches/sync-relationships-inbound.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Inbound User and Group Synchronization",
  "description": "Lists all inbound user and group synchronization relationships to Okta, including password synchronization across Org2Org setups.",
- "query": "MATCH p = (n)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(:Okta_User:Okta_Group)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target)\nWHERE target:Okta_User OR target:Okta_Group\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/sync-relationships-outbound.json b/extension/saved_searches/sync-relationships-outbound.json
index a786b5f..f32aab0 100644
--- a/extension/saved_searches/sync-relationships-outbound.json
+++ b/extension/saved_searches/sync-relationships-outbound.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Outbound User and Group Synchronization",
  "description": "Lists all outbound user and group synchronization relationships from Okta, including password synchronization across Org2Org setups.",
- "query": "MATCH p = (:Okta_User:Okta_Group)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(n)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target)\nWHERE source:Okta_User OR source:Okta_Group\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/tier0.json b/extension/saved_searches/tier0.json
index 0b0e953..46d8079 100644
--- a/extension/saved_searches/tier0.json
+++ b/extension/saved_searches/tier0.json
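Review bot: The new inbound query binds `source` and the new outbound query binds `target`, but neither variable is referenced anywhere else in its query, which reads as if a filter on the other end was intended and lost. Every other saved search on this page uses an anonymous `()` for ends it does not constrain, so for consistency write `MATCH path = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target)` for inbound and `MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->()` for outbound, or, if the binding is deliberate, use it in the WHERE clause.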
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Tier Zero Principals and Devices",
  "description": "Principals with SUPER_ADMIN or ORG_ADMIN role assignments and their associated devices.",
- "query": "MATCH p = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(r:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)\nWHERE r.type = \"SUPER_ADMIN\"\nOR r.type = \"ORG_ADMIN\"\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(role:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)\nWHERE role.type = \"SUPER_ADMIN\"\nOR role.type = \"ORG_ADMIN\"\nRETURN path\nLIMIT 1000"
 }
diff --git a/extension/saved_searches/users-api-tokens.json b/extension/saved_searches/users-api-tokens.json
index b278b81..6a15d8b 100644
--- a/extension/saved_searches/users-api-tokens.json
+++ b/extension/saved_searches/users-api-tokens.json
@@ -1,5 +1,5 @@
 {
  "name": "Okta: Users with API Tokens",
  "description": "Retrieves all (privileged) users who have been assigned API tokens.",
- "query": "MATCH p = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization)\nRETURN p\nLIMIT 1000"
+ "query": "MATCH path = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization)\nRETURN path\nLIMIT 1000"
 }
From ef6ea57af751d61a28e3febf7aef4161407ef06b Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Wed, 8 Apr 2026 17:03:01 +0200
Subject: [PATCH 03/11] add codex to gitignore

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 0e7e0a7..1626df3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,9 @@
 logs
 .vscode
 docs/official-docs/
+# Codex
+.codex
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[codz]
From 8201200a9c66dec1cee62c5b16fdcfb37fbcf398 Mon Sep 17 00:00:00 2001
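Review bot: The tier0 query still spells the role filter as two `OR`-joined equality tests across two lines (`WHERE role.type = \"SUPER_ADMIN\"\nOR role.type = \"ORG_ADMIN\"`), which is the one place on this page where the set of Tier Zero role types is defined and will be edited when that set changes. A list membership test reads as a single policy statement and is easier to extend safely: `WHERE role.type IN [\"SUPER_ADMIN\", \"ORG_ADMIN\"]`. Since `Okta_OrgAdmin.md` later in this series states that Organization Administrators cannot manage administrative role assignments, a short description note on why ORG_ADMIN is treated as Tier Zero here would help reviewers who compare the two.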
From: JonasBK
Date: Thu, 16 Apr 2026 14:26:38 +0200
Subject: [PATCH 04/11] bump og-docs-automation

---
 docs/og-docs-automation | 2 +-
 docs/og-docs.json | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/og-docs-automation b/docs/og-docs-automation
index caef4a1..400bd30 160000
--- a/docs/og-docs-automation
+++ b/docs/og-docs-automation
@@ -1 +1 @@
-Subproject commit caef4a156d45ea94140e3570a1e263464e8a2ea0
+Subproject commit 400bd3010e6b106b77991ad6eb2eb586cb627862
diff --git a/docs/og-docs.json b/docs/og-docs.json
index cdfd37e..390b413 100644
--- a/docs/og-docs.json
+++ b/docs/og-docs.json
@@ -1,11 +1,13 @@
 {
  "extensionSchemaPath": "extension/schema.json",
+ "extensionShortName": "Okta",
  "gitHubBaseUrl": "https://github.com/SpecterOps/openhound-okta",
  "stripTitlePrefix": "Okta: ",
  "savedSearchesDir": "extension/saved_searches",
  "zoneRulesDir": "extension/privilege_zone_rules",
  "nodeDescriptionsDir": "descriptions/nodes",
  "edgeDescriptionsDir": "descriptions/edges",
+ "openHoundStructure": true,
  "imagesDir": "descriptions/images",
  "iconSize": 32,
  "iconScale": 0.55
From 98876cc80f1bd1b3e9eb9db3d752410bd839d7da Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Thu, 16 Apr 2026 14:26:56 +0200
Subject: [PATCH 05/11] rm GitHound and JamfHound refs

---
 descriptions/edges/Okta_OrgSWA.md | 5 ++---
 descriptions/edges/Okta_OutboundOrgSSO.md | 7 +++----
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/descriptions/edges/Okta_OrgSWA.md b/descriptions/edges/Okta_OrgSWA.md
index 894206b..db50b4c 100644
--- a/descriptions/edges/Okta_OrgSWA.md
+++ b/descriptions/edges/Okta_OrgSWA.md
@@ -10,12 +10,11 @@ graph LR
 app1("Okta_Application Jamf Pro SWA")
 o -- Okta_Contains --> app1
 end
-subgraph "JamfHound"
+subgraph "Jamf"
 direction TB
 jamf("jamf_SSOIntegration contoso.jamfcloud.com-SSO")
 app1 -. Okta_OrgSWA .-> jamf
 end
 ```
 
-The respective BloodHound collectors, e.g., `GitHound` for GitHub organizations and `JamfHound` for Jamf Pro tenants,
-must be used to gather the external node information.
+The respective BloodHound collectors, e.g., OpenHound Github for GitHub organizations and OpenHound Jamf for Jamf Pro tenants, must be used to gather the external node information.
diff --git a/descriptions/edges/Okta_OutboundOrgSSO.md b/descriptions/edges/Okta_OutboundOrgSSO.md
index 0e70d61..f8305cf 100644
--- a/descriptions/edges/Okta_OutboundOrgSSO.md
+++ b/descriptions/edges/Okta_OutboundOrgSSO.md
@@ -12,17 +12,16 @@ graph LR
 o -- Okta_Contains --> app1
 o -- Okta_Contains --> app2
 end
-subgraph "GitHound"
+subgraph "GitHub"
 direction TB
 ghorg("GH_Organization Contoso")
 app1 -- Okta_OutboundOrgSSO --> ghorg
 end
-subgraph "JamfHound"
+subgraph "Jamf"
 direction TB
 jamf("jamf_SSOIntegration contoso.jamfcloud.com-SSO")
 app2 -- Okta_OutboundOrgSSO --> jamf
 end
 ```
 
-The respective BloodHound collectors, e.g., `GitHound` for GitHub organizations and `JamfHound` for Jamf Pro tenants,
-must be used to gather the external node information.
+The respective BloodHound collectors, e.g., OpenHound Github for GitHub organizations and OpenHound Jamf for Jamf Pro tenants, must be used to gather the external node information.
From da68e71096ffa7165b15549fbbab68e4b151902c Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Fri, 17 Apr 2026 09:42:52 +0200
Subject: [PATCH 06/11] flattened the unintended soft-wrapped prose in descriptions

---
 descriptions/edges/Okta_AddMember.md | 4 +---
 descriptions/edges/Okta_AppAdmin.md | 3 +--
 descriptions/edges/Okta_GroupAdmin.md | 3 +--
 descriptions/edges/Okta_GroupMembershipAdmin.md | 3 +--
 descriptions/edges/Okta_GroupPush.md | 3 +--
 descriptions/edges/Okta_HasRoleAssignment.md | 3 +--
 descriptions/edges/Okta_HelpDeskAdmin.md | 3 +--
 descriptions/edges/Okta_KeyOf.md | 3 +--
 descriptions/edges/Okta_ManageApp.md | 3 +--
 descriptions/edges/Okta_ManagerOf.md | 3 +--
 descriptions/edges/Okta_MobileAdmin.md | 3 +--
 descriptions/edges/Okta_OrgAdmin.md | 3 +--
 descriptions/edges/Okta_PasswordSync.md | 3 +--
 descriptions/edges/Okta_ReadClientSecret.md | 8 ++------
 descriptions/edges/Okta_ResetFactors.md | 3 +--
 descriptions/edges/Okta_ResetPassword.md | 6 +-----
 descriptions/edges/Okta_ResourceSetContains.md | 3 +--
 descriptions/edges/Okta_ScopedTo.md | 3 +--
 descriptions/edges/Okta_SuperAdmin.md | 3 +--
 descriptions/nodes/Okta_Agent.md | 3 +--
 descriptions/nodes/Okta_Application.md | 17 +++++------------
 descriptions/nodes/Okta_CustomRole.md | 7 ++-----
 descriptions/nodes/Okta_Group.md | 3 +--
 descriptions/nodes/Okta_JWK.md | 4 +---
 descriptions/nodes/Okta_Policy.md | 3 +--
 descriptions/nodes/Okta_ResourceSet.md | 3 +--
 descriptions/nodes/Okta_Role.md | 5 +----
 descriptions/nodes/Okta_User.md | 6 +-----
 28 files changed, 34 insertions(+), 83 deletions(-)

diff --git a/descriptions/edges/Okta_AddMember.md b/descriptions/edges/Okta_AddMember.md
index d856ad5..8ac83d6 100644
--- a/descriptions/edges/Okta_AddMember.md
+++ b/descriptions/edges/Okta_AddMember.md
@@ -1,8 +1,6 @@
 ## General Information
 
-The traversable `Okta_AddMember` edges represent custom role permissions that allow a principal (user, group, or application)
-to add or remove members in scoped Okta groups. These edges are created when a custom role includes
-the `okta.groups.members.manage` or `okta.groups.manage` permissions.
+The traversable `Okta_AddMember` edges represent custom role permissions that allow a principal (user, group, or application) to add or remove members in scoped Okta groups. These edges are created when a custom role includes the `okta.groups.members.manage` or `okta.groups.manage` permissions.
 
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_AppAdmin.md b/descriptions/edges/Okta_AppAdmin.md
index 12d25bf..83cb13a 100644
--- a/descriptions/edges/Okta_AppAdmin.md
+++ b/descriptions/edges/Okta_AppAdmin.md
@@ -1,7 +1,6 @@
 ## General Information
 
-The traversable `Okta_AppAdmin` edges represent Application Administrator role assignments.
-Application Administrators can manage application configurations, user assignments, and provisioning settings for their assigned applications.
+The traversable `Okta_AppAdmin` edges represent Application Administrator role assignments. Application Administrators can manage application configurations, user assignments, and provisioning settings for their assigned applications.
 
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_GroupAdmin.md b/descriptions/edges/Okta_GroupAdmin.md
index 6cf3c64..4256823 100644
--- a/descriptions/edges/Okta_GroupAdmin.md
+++ b/descriptions/edges/Okta_GroupAdmin.md
@@ -1,7 +1,6 @@
 ## General Information
 
-The traversable `Okta_GroupAdmin` edges represent Group Administrator (also known as User Administrator) role assignments.
-Group Administrators can manage users and groups within their assigned scope.
+The traversable `Okta_GroupAdmin` edges represent Group Administrator (also known as User Administrator) role assignments. Group Administrators can manage users and groups within their assigned scope.
 
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_GroupMembershipAdmin.md b/descriptions/edges/Okta_GroupMembershipAdmin.md
index f1ed923..6bc3ab2 100644
--- a/descriptions/edges/Okta_GroupMembershipAdmin.md
+++ b/descriptions/edges/Okta_GroupMembershipAdmin.md
@@ -1,7 +1,6 @@
 ## General Information
 
-The traversable `Okta_GroupMembershipAdmin` edges represent Group Membership Administrator role assignments.
-Group Membership Administrators can add and remove members from groups within their assigned scope but cannot modify the groups themselves.
+The traversable `Okta_GroupMembershipAdmin` edges represent Group Membership Administrator role assignments. Group Membership Administrators can add and remove members from groups within their assigned scope but cannot modify the groups themselves.
 
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_GroupPush.md b/descriptions/edges/Okta_GroupPush.md
index 185faf4..e1e5886 100644
--- a/descriptions/edges/Okta_GroupPush.md
+++ b/descriptions/edges/Okta_GroupPush.md
@@ -1,7 +1,6 @@
 ## General Information
 
-The non-traversable `Okta_GroupPush` edges represent the group push assignments to applications.
-This indicates group provisioning and membership synchronization from Okta to external applications.
+The non-traversable `Okta_GroupPush` edges represent the group push assignments to applications. This indicates group provisioning and membership synchronization from Okta to external applications.
 
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_HasRoleAssignment.md b/descriptions/edges/Okta_HasRoleAssignment.md
index f6a820d..f6ee566 100644
--- a/descriptions/edges/Okta_HasRoleAssignment.md
+++ b/descriptions/edges/Okta_HasRoleAssignment.md
@@ -1,7 +1,6 @@
 ## General Information
 
-The `Okta_HasRoleAssignment` edges connect users, groups, and applications to their respective `Okta_RoleAssignment` nodes.
-The `Okta_ScopedTo` edges connect the `Okta_RoleAssignment` nodes to the resources they are scoped to, such as the organization or specific groups or applications.
+The `Okta_HasRoleAssignment` edges connect users, groups, and applications to their respective `Okta_RoleAssignment` nodes. The `Okta_ScopedTo` edges connect the `Okta_RoleAssignment` nodes to the resources they are scoped to, such as the organization or specific groups or applications.
 
 ```mermaid
 graph TB
diff --git a/descriptions/edges/Okta_HelpDeskAdmin.md b/descriptions/edges/Okta_HelpDeskAdmin.md
index 22ebb91..7ddeda7 100644
--- a/descriptions/edges/Okta_HelpDeskAdmin.md
+++ b/descriptions/edges/Okta_HelpDeskAdmin.md
@@ -1,7 +1,6 @@
 ## General Information
 
-The traversable `Okta_HelpDeskAdmin` edges represent Help Desk Administrator role assignments.
-Help Desk Administrators can perform password resets, unlock accounts, and reset MFA factors for users within their assigned scope.
+The traversable `Okta_HelpDeskAdmin` edges represent Help Desk Administrator role assignments. Help Desk Administrators can perform password resets, unlock accounts, and reset MFA factors for users within their assigned scope.
 
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_KeyOf.md b/descriptions/edges/Okta_KeyOf.md
index 3f6c110..5aa7f6f 100644
--- a/descriptions/edges/Okta_KeyOf.md
+++ b/descriptions/edges/Okta_KeyOf.md
@@ -14,5 +14,4 @@ graph LR
 key3 -- Okta_KeyOf --> app2
 ```
 
-Possession of the private key corresponding to a JWK allows an attacker to authenticate as the application.
-The `Okta_KeyOf` edge can be used in BloodHound to understand which applications use JWK-based authentication and trace potential attack paths involving compromised private keys.
+Possession of the private key corresponding to a JWK allows an attacker to authenticate as the application. The `Okta_KeyOf` edge can be used in BloodHound to understand which applications use JWK-based authentication and trace potential attack paths involving compromised private keys.
diff --git a/descriptions/edges/Okta_ManageApp.md b/descriptions/edges/Okta_ManageApp.md
index fec936f..6b4e7f8 100644
--- a/descriptions/edges/Okta_ManageApp.md
+++ b/descriptions/edges/Okta_ManageApp.md
@@ -1,7 +1,6 @@
 ## General Information
 
-The traversable `Okta_ManageApp` edges correspond to the `okta.apps.manage` custom role permissions
-that allow a principal (user, group, or application) to fully manage Okta applications and their members.
+The traversable `Okta_ManageApp` edges correspond to the `okta.apps.manage` custom role permissions that allow a principal (user, group, or application) to fully manage Okta applications and their members.
 
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_ManagerOf.md b/descriptions/edges/Okta_ManagerOf.md
index 91ec27c..76b6d8c 100644
--- a/descriptions/edges/Okta_ManagerOf.md
+++ b/descriptions/edges/Okta_ManagerOf.md
@@ -2,8 +2,7 @@ Okta uses the `Manager` and `ManagerId` user profile attributes to represent managerial relationships. Unfortunately, these attributes can have any arbitrary value and their referential integrity is not enforced by Okta. They are not even synchronized from external directories by default. -Our recommendation is to map the `ManagerId` attribute to the login of the manager in Okta. When synchronizing users from Active Directory, -the `getManagerUser("active_directory").login` mapping expression can be used to achieve this. Such values are automatically recognized by `OktaHound`. +Our recommendation is to map the `ManagerId` attribute to the login of the manager in Okta. When synchronizing users from Active Directory, the `getManagerUser("active_directory").login` mapping expression can be used to achieve this. Such values are automatically recognized by `OktaHound`. The **non-traversable** `Okta_ManagerOf` edges represent the organizational structure in BloodHound: diff --git a/descriptions/edges/Okta_MobileAdmin.md b/descriptions/edges/Okta_MobileAdmin.md index 7dba2cb..a312723 100644 --- a/descriptions/edges/Okta_MobileAdmin.md +++ b/descriptions/edges/Okta_MobileAdmin.md @@ -1,7 +1,6 @@ ## General Information -The traversable `Okta_MobileAdmin` edges represent Mobile Administrator role assignments. -Mobile Administrators can manage mobile device settings and configurations within their assigned scope. +The traversable `Okta_MobileAdmin` edges represent Mobile Administrator role assignments. Mobile Administrators can manage mobile device settings and configurations within their assigned scope. ```mermaid graph LR diff --git a/descriptions/edges/Okta_OrgAdmin.md b/descriptions/edges/Okta_OrgAdmin.md index 4d8e3e4..8d8b93d 100644 --- a/descriptions/edges/Okta_OrgAdmin.md +++ b/descriptions/edges/Okta_OrgAdmin.md 
@@ -1,7 +1,6 @@ ## General Information -The traversable `Okta_OrgAdmin` edges represent Organization Administrator role assignments. -Organization Administrators can manage most organizational settings except for administrative role assignments and some security settings. +The traversable `Okta_OrgAdmin` edges represent Organization Administrator role assignments. Organization Administrators can manage most organizational settings except for administrative role assignments and some security settings. ```mermaid graph LR diff --git a/descriptions/edges/Okta_PasswordSync.md b/descriptions/edges/Okta_PasswordSync.md index 5449143..fb157cc 100644 --- a/descriptions/edges/Okta_PasswordSync.md +++ b/descriptions/edges/Okta_PasswordSync.md @@ -2,8 +2,7 @@ The traversable `Okta_PasswordSync` edge represents password synchronization between user accounts. This indicates that credentials are synchronized from a source user to a target user. -In **Active Directory** hybrid setups, this edge is created between `User` (AD) and `Okta_User` when delegated authentication or password push is enabled. -In **Org2Org** setups, this edge is created between `Okta_User` nodes across organizations when password synchronization is configured. +In **Active Directory** hybrid setups, this edge is created between `User` (AD) and `Okta_User` when delegated authentication or password push is enabled. In **Org2Org** setups, this edge is created between `Okta_User` nodes across organizations when password synchronization is configured. > [!WARNING] > The Okta API does not indicate if the actual password or a randomly generated value is pushed to the other organization. diff --git a/descriptions/edges/Okta_ReadClientSecret.md b/descriptions/edges/Okta_ReadClientSecret.md index fd05e26..b40bc37 100644 --- a/descriptions/edges/Okta_ReadClientSecret.md +++ b/descriptions/edges/Okta_ReadClientSecret.md 
@@ -1,9 +1,6 @@ ## General Information -The traversable `Okta_ReadClientSecret` edges represent permissions that allow a principal (user, group, or application) -to read OAuth client secrets for scoped Okta applications. -These edges are created for the **Application Administrator**, **API Access Management Administrator**, and **Read-only Administrator** built-in roles -and for custom roles with the `okta.apps.clientCredentials.read` permission. +The traversable `Okta_ReadClientSecret` edges represent permissions that allow a principal (user, group, or application) to read OAuth client secrets for scoped Okta applications. These edges are created for the **Application Administrator**, **API Access Management Administrator**, and **Read-only Administrator** built-in roles and for custom roles with the `okta.apps.clientCredentials.read` permission. ```mermaid graph TD @@ -22,5 +19,4 @@ graph TD ## Potential Attack Scenarios -An attacker with the ability to read client secrets for an application assigned the Super Administrator role -could potentially use the client secret to authenticate as that application and perform privileged actions in Okta. +An attacker with the ability to read client secrets for an application assigned the Super Administrator role could potentially use the client secret to authenticate as that application and perform privileged actions in Okta. diff --git a/descriptions/edges/Okta_ResetFactors.md b/descriptions/edges/Okta_ResetFactors.md index 71932f9..6c6275d 100644 --- a/descriptions/edges/Okta_ResetFactors.md +++ b/descriptions/edges/Okta_ResetFactors.md 
@@ -1,7 +1,6 @@
 ## General Information
-The traversable `Okta_ResetFactors` edges represent custom role permissions that allow a principal to reset MFA authenticators
-for scoped Okta users. These edges are created when a custom role includes the `okta.users.credentials.resetFactors` or `okta.users.credentials.manage` permissions.
+The traversable `Okta_ResetFactors` edges represent custom role permissions that allow a principal to reset MFA authenticators for scoped Okta users. These edges are created when a custom role includes the `okta.users.credentials.resetFactors` or `okta.users.credentials.manage` permissions.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_ResetPassword.md b/descriptions/edges/Okta_ResetPassword.md
index ea63709..368a6b1 100644
--- a/descriptions/edges/Okta_ResetPassword.md
+++ b/descriptions/edges/Okta_ResetPassword.md
@@ -1,9 +1,6 @@
 ## General Information
-The traversable `Okta_ResetPassword` edges represent custom role permissions that allow a principal (user, group, or application)
-to reset passwords or temporary credentials for scoped Okta users.
-These edges are created when a custom role includes
-password management permissions such as `okta.users.credentials.resetPassword`, `okta.users.credentials.manage`, `okta.users.credentials.manageTemporaryAccessCode`, or `okta.users.manage`.
+The traversable `Okta_ResetPassword` edges represent custom role permissions that allow a principal (user, group, or application) to reset passwords or temporary credentials for scoped Okta users. These edges are created when a custom role includes password management permissions such as `okta.users.credentials.resetPassword`, `okta.users.credentials.manage`, `okta.users.credentials.manageTemporaryAccessCode`, or `okta.users.manage`.
 ```mermaid
 graph LR
@@ -34,4 +31,3 @@ graph TD
 g1 -- Okta_ResetPassword --> u2
 g1 -- Okta_ResetFactors --> u2
 ```
-
diff --git a/descriptions/edges/Okta_ResourceSetContains.md b/descriptions/edges/Okta_ResourceSetContains.md
index 7b12f3f..e4b2baf 100644
--- a/descriptions/edges/Okta_ResourceSetContains.md
+++ b/descriptions/edges/Okta_ResourceSetContains.md
@@ -18,5 +18,4 @@ graph LR
 rs1 -- Okta_ResourceSetContains --> u2
 ```
-Note that users can also be members of resource sets indirectly through group memberships.
-The intermediate group will not appear in the graph, but the user membership will be resolved by `OktaHound`.
+Note that users can also be members of resource sets indirectly through group memberships. The intermediate group will not appear in the graph, but the user membership will be resolved by `OktaHound`.
diff --git a/descriptions/edges/Okta_ScopedTo.md b/descriptions/edges/Okta_ScopedTo.md
index f6a820d..f6ee566 100644
--- a/descriptions/edges/Okta_ScopedTo.md
+++ b/descriptions/edges/Okta_ScopedTo.md
@@ -1,7 +1,6 @@
 ## General Information
-The `Okta_HasRoleAssignment` edges connect users, groups, and applications to their respective `Okta_RoleAssignment` nodes.
-The `Okta_ScopedTo` edges connect the `Okta_RoleAssignment` nodes to the resources they are scoped to, such as the organization or specific groups or applications.
+The `Okta_HasRoleAssignment` edges connect users, groups, and applications to their respective `Okta_RoleAssignment` nodes. The `Okta_ScopedTo` edges connect the `Okta_RoleAssignment` nodes to the resources they are scoped to, such as the organization or specific groups or applications.
 ```mermaid
 graph TB
diff --git a/descriptions/edges/Okta_SuperAdmin.md b/descriptions/edges/Okta_SuperAdmin.md
index 4d85c59..bd527d9 100644
--- a/descriptions/edges/Okta_SuperAdmin.md
+++ b/descriptions/edges/Okta_SuperAdmin.md
@@ -1,7 +1,6 @@
 ## General Information
-The traversable `Okta_SuperAdmin` edges represent Super Administrator role assignments to the Okta organization.
-Super Administrators have full access to all features and settings in the Okta organization.
+The traversable `Okta_SuperAdmin` edges represent Super Administrator role assignments to the Okta organization. Super Administrators have full access to all features and settings in the Okta organization.
 ```mermaid
 graph LR
diff --git a/descriptions/nodes/Okta_Agent.md b/descriptions/nodes/Okta_Agent.md
index 307de66..c01d1b9 100644
--- a/descriptions/nodes/Okta_Agent.md
+++ b/descriptions/nodes/Okta_Agent.md
@@ -1,7 +1,6 @@
 ## Overview
-The `Okta_Agent` node represents an Okta Agent, which is a component used in Okta's integration with on-premises systems.
-Okta Agents facilitate communication between the Okta cloud and on-premises applications or directories, enabling features such as single sign-on (SSO) and user provisioning.
+The `Okta_Agent` node represents an Okta Agent, which is a component used in Okta's integration with on-premises systems. Okta Agents facilitate communication between the Okta cloud and on-premises applications or directories, enabling features such as single sign-on (SSO) and user provisioning.
 One or more agents are grouped into Agent Pools, represented by the [Okta_AgentPool](Okta_AgentPool.md) nodes, to provide redundancy and load balancing.
diff --git a/descriptions/nodes/Okta_Application.md b/descriptions/nodes/Okta_Application.md
index 21b1b35..024a586 100644
--- a/descriptions/nodes/Okta_Application.md
+++ b/descriptions/nodes/Okta_Application.md
@@ -176,8 +176,7 @@ This application type is the most interesting one from the security perspective,
 ## Hybrid Edges
-For supported systems like Active Directory, GitHub Enterprise Cloud, or Jamf Pro,
-OktaHound can create hybrid edges in BloodHound to represent the relationships between these external systems and Okta.
+For supported systems like Active Directory, GitHub Enterprise Cloud, or Jamf Pro, OktaHound can create hybrid edges in BloodHound to represent the relationships between these external systems and Okta.
 ```mermaid
 graph TB
@@ -230,13 +229,9 @@ graph TB
 ### Active Directory Synchronization
-When Okta's Active Directory (AD) integration is configured for user and group synchronization,
-the connected AD domain is represented as an `Okta_Application` node in BloodHound.
-This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles.
+When Okta's Active Directory (AD) integration is configured for user and group synchronization, the connected AD domain is represented as an `Okta_Application` node in BloodHound. This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles.
-The synchronization is performed by domain-joined servers with the Okta AD Agent installed.
-This agent typically has Domain Admin privileges in the connected AD domain to perform user and group enumeration and synchronization,
-making it a high-value target for attackers.
+The synchronization is performed by domain-joined servers with the Okta AD Agent installed. This agent typically has Domain Admin privileges in the connected AD domain to perform user and group enumeration and synchronization, making it a high-value target for attackers.
 ![Okta AD agent settings](../Images/okta-ad-agent.png)
@@ -258,8 +253,7 @@ When integrating Okta with GitHub Enterprise Cloud, each GitHub organization con
 ### Jamf Pro
-When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate `Okta_Application` node in BloodHound.
-The differentiator is the `domainFQDN` property:
+When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate `Okta_Application` node in BloodHound. The differentiator is the `domainFQDN` property:
 ![Jamf Pro SAML application in BloodHound](../Images/bloodhound-jamf-saml-properties.png)
@@ -307,8 +301,7 @@ OIDC applications can be granted OAuth 2.0 scopes to access Okta APIs on behalf
 ## SCIM-Enabled Applications
-The `features` attribute of `Okta_Application` nodes may contain the following SCIM-related values,
-indicating if SCIM is enabled and which protocol capabilities are supported:
+The `features` attribute of `Okta_Application` nodes may contain the following SCIM-related values, indicating if SCIM is enabled and which protocol capabilities are supported:
 | Feature | Description |
 |------------------------------|--------------------------------------------------------------------------------|
diff --git a/descriptions/nodes/Okta_CustomRole.md b/descriptions/nodes/Okta_CustomRole.md
index 3d265b8..bac5896 100644
--- a/descriptions/nodes/Okta_CustomRole.md
+++ b/descriptions/nodes/Okta_CustomRole.md
@@ -1,8 +1,6 @@
 ## Overview
-Custom roles can be created with specific [permissions](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions/)
-and then assigned to [users](Okta_User.md), [groups](Okta_Group.md), and [applications](Okta_Application.md) over [resource sets](Okta_ResourceSet.md).
-[Complex conditions](https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/permission-conditions.htm) can be used if the custom admin role has one of the following permissions:
+Custom roles can be created with specific [permissions](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions/) and then assigned to [users](Okta_User.md), [groups](Okta_Group.md), and [applications](Okta_Application.md) over [resource sets](Okta_ResourceSet.md). [Complex conditions](https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/permission-conditions.htm) can be used if the custom admin role has one of the following permissions:
 - okta.users.read
 - okta.users.manage
@@ -25,8 +23,7 @@ permissions:
 ## Abusable Permissions of Custom Roles in Okta
-The following Okta permissions are particularly interesting from an offensive security perspective,
-as they can be abused to escalate privileges in hybrid scenarios:
+The following Okta permissions are particularly interesting from an offensive security perspective, as they can be abused to escalate privileges in hybrid scenarios:
 - okta.users.manage
 - okta.users.credentials.manage
diff --git a/descriptions/nodes/Okta_Group.md b/descriptions/nodes/Okta_Group.md
index 656b6da..fe4bd0e 100644
--- a/descriptions/nodes/Okta_Group.md
+++ b/descriptions/nodes/Okta_Group.md
@@ -1,7 +1,6 @@
 ## Overview
-Groups in Okta are collections of users that can be used to manage access to applications and resources. Groups can be created manually or synchronized from external directories such as Active Directory.
-The built-in **Everyone** group always contains all users in the Okta organization. Only users can be members of groups and groups cannot be nested.
+Groups in Okta are collections of users that can be used to manage access to applications and resources. Groups can be created manually or synchronized from external directories such as Active Directory. The built-in **Everyone** group always contains all users in the Okta organization. Only users can be members of groups and groups cannot be nested.
 In `OktaHound`, groups are represented as `Okta_Group` nodes.
diff --git a/descriptions/nodes/Okta_JWK.md b/descriptions/nodes/Okta_JWK.md
index a5e4828..e4ef300 100644
--- a/descriptions/nodes/Okta_JWK.md
+++ b/descriptions/nodes/Okta_JWK.md
@@ -1,8 +1,6 @@
 ## Overview
-JSON Web Keys (JWKs) are used by OAuth 2.0 client applications to authenticate with Okta using the `private_key_jwt` client authentication method.
-This is an asymmetric authentication mechanism where the application possesses a private key and Okta stores the corresponding public key.
-A service application can have multiple JWKs configured for key rotation purposes.
+JSON Web Keys (JWKs) are used by OAuth 2.0 client applications to authenticate with Okta using the `private_key_jwt` client authentication method. This is an asymmetric authentication mechanism where the application possesses a private key and Okta stores the corresponding public key. A service application can have multiple JWKs configured for key rotation purposes.
 JWKs are represented as `Okta_JWK` nodes in BloodHound.
diff --git a/descriptions/nodes/Okta_Policy.md b/descriptions/nodes/Okta_Policy.md
index e92af51..b752eb2 100644
--- a/descriptions/nodes/Okta_Policy.md
+++ b/descriptions/nodes/Okta_Policy.md
@@ -34,5 +34,4 @@ The following [policy types](https://developer.okta.com/docs/api/openapi/okta-ma
 | POST_AUTH_SESSION | [Identity Threat Protection policies](https://help.okta.com/oie/en-us/content/topics/itp/overview.htm) |
 | ENTITY_RISK | [Entity risk policies](https://help.okta.com/oie/en-us/content/topics/itp/entity-risk-policy.htm) |
-The `OktaHound` collector specifically reads the `IDP_DISCOVERY` policies to check
-if the [Agentless Desktop SSO](https://help.okta.com/en-us/content/topics/directory/configuring_agentless_sso.htm) feature is enabled in the organization through at least one such policy.
+The `OktaHound` collector specifically reads the `IDP_DISCOVERY` policies to check if the [Agentless Desktop SSO](https://help.okta.com/en-us/content/topics/directory/configuring_agentless_sso.htm) feature is enabled in the organization through at least one such policy.
diff --git a/descriptions/nodes/Okta_ResourceSet.md b/descriptions/nodes/Okta_ResourceSet.md
index d756fa7..ff44b2c 100644
--- a/descriptions/nodes/Okta_ResourceSet.md
+++ b/descriptions/nodes/Okta_ResourceSet.md
@@ -1,7 +1,6 @@
 ## Overview
-Resource sets are collections of entities that can be used to scope custom role assignments in Okta.
-A resource set can contain the following object types:
+Resource sets are collections of entities that can be used to scope custom role assignments in Okta. A resource set can contain the following object types:
 - [x] [Users](Okta_User.md)
 - [x] [Groups](Okta_Group.md)
diff --git a/descriptions/nodes/Okta_Role.md b/descriptions/nodes/Okta_Role.md
index bcb0d00..5b06735 100644
--- a/descriptions/nodes/Okta_Role.md
+++ b/descriptions/nodes/Okta_Role.md
@@ -74,7 +74,4 @@ To make the role identifiers unique, the `OktaHound` collector adds the organiza
 ## Built-In Role Permissions
-Unlike custom roles, built-in roles have fixed permissions that cannot be changed.
-However, the exact OAuth 2.0 scopes granted to each built-in role are not publicly documented by Okta and cannot even be retrieved via the API.
-We therefore did the mapping by ourselves based on the role descriptions in the Okta documentation.
-Hence, the resulting permissions ingested to BloodHound are best-effort approximations and may not be 100% accurate.
+Unlike custom roles, built-in roles have fixed permissions that cannot be changed. However, the exact OAuth 2.0 scopes granted to each built-in role are not publicly documented by Okta and cannot even be retrieved via the API. We therefore did the mapping by ourselves based on the role descriptions in the Okta documentation. Hence, the resulting permissions ingested to BloodHound are best-effort approximations and may not be 100% accurate.
diff --git a/descriptions/nodes/Okta_User.md b/descriptions/nodes/Okta_User.md
index 2b78196..8267983 100644
--- a/descriptions/nodes/Okta_User.md
+++ b/descriptions/nodes/Okta_User.md
@@ -58,11 +58,7 @@ To simplify analysis in BloodHound, the `OktaHound` collector maps the **Status*
 ## Authentication Factors
-Okta supports various authentication factors for multi-factor authentication (MFA),
-such as SMS, email, push notifications, and hardware tokens.
-In case of mobile and desktop applications, these authentication factors are associated with the [Device](Okta_Device.md) entities.
-Other authentication factors, such as YubiKeys and Google Authenticator, are not represented as separate nodes in BloodHound,
-but the number of enrolled factors is stored in the `authenticationFactors` attribute of the `Okta_User` nodes.
+Okta supports various authentication factors for multi-factor authentication (MFA), such as SMS, email, push notifications, and hardware tokens. In case of mobile and desktop applications, these authentication factors are associated with the [Device](Okta_Device.md) entities. Other authentication factors, such as YubiKeys and Google Authenticator, are not represented as separate nodes in BloodHound, but the number of enrolled factors is stored in the `authenticationFactors` attribute of the `Okta_User` nodes.
 ## Synchronization with External Directories
From c27cb2f0f52e0430ca59d80c28ed8c97cbbe00a3 Mon Sep 17 00:00:00 2001
From: JonasBK
Date: Fri, 17 Apr 2026 10:46:24 +0200
Subject: [PATCH 07/11] update node and edge descriptions
---
 descriptions/edges/Okta_AddMember.md | 2 +-
 descriptions/edges/Okta_AgentMemberOf.md | 7 +++---
 descriptions/edges/Okta_AgentPoolFor.md | 2 +-
 descriptions/edges/Okta_ApiTokenFor.md | 2 +-
 descriptions/edges/Okta_AppAdmin.md | 2 +-
 descriptions/edges/Okta_AppAssignment.md | 2 +-
 descriptions/edges/Okta_Contains.md | 2 +-
 descriptions/edges/Okta_CreatorOf.md | 2 +-
 descriptions/edges/Okta_DeviceOf.md | 2 +-
 descriptions/edges/Okta_GroupAdmin.md | 2 +-
 .../edges/Okta_GroupMembershipAdmin.md | 2 +-
 descriptions/edges/Okta_GroupPull.md | 2 +-
 descriptions/edges/Okta_GroupPush.md | 2 +-
 descriptions/edges/Okta_HasRole.md | 2 +-
 descriptions/edges/Okta_HasRoleAssignment.md | 2 +-
 descriptions/edges/Okta_HelpDeskAdmin.md | 2 +-
 descriptions/edges/Okta_HostsAgent.md | 2 +-
 .../edges/Okta_IdentityProviderFor.md | 2 +-
 descriptions/edges/Okta_IdpGroupAssignment.md | 2 +-
 descriptions/edges/Okta_InboundOrgSSO.md | 2 +-
 descriptions/edges/Okta_InboundSSO.md | 2 +-
 descriptions/edges/Okta_KerberosSSO.md | 2 +-
 descriptions/edges/Okta_KeyOf.md | 6 ++---
 descriptions/edges/Okta_ManageApp.md | 2 +-
 descriptions/edges/Okta_ManagerOf.md | 4 +--
 descriptions/edges/Okta_MemberOf.md | 2 +-
 descriptions/edges/Okta_MembershipSync.md | 2 +-
 descriptions/edges/Okta_MobileAdmin.md | 2 +-
 descriptions/edges/Okta_OrgAdmin.md | 2 +-
 descriptions/edges/Okta_OrgSWA.md | 4 +--
 descriptions/edges/Okta_OutboundOrgSSO.md | 4 +--
 descriptions/edges/Okta_OutboundSSO.md | 2 +-
 descriptions/edges/Okta_PasswordSync.md | 4 +--
 descriptions/edges/Okta_PolicyMapping.md | 6 ++---
 descriptions/edges/Okta_ReadClientSecret.md | 2 +-
 .../edges/Okta_ReadPasswordUpdates.md | 2 +-
 descriptions/edges/Okta_RealmContains.md | 6 ++---
 descriptions/edges/Okta_ResetFactors.md | 2 +-
 descriptions/edges/Okta_ResetPassword.md | 2 +-
 .../edges/Okta_ResourceSetContains.md | 4 +--
 descriptions/edges/Okta_SWA.md | 2
+-
 descriptions/edges/Okta_ScopedTo.md | 2 +-
 descriptions/edges/Okta_SecretOf.md | 2 +-
 descriptions/edges/Okta_SuperAdmin.md | 2 +-
 descriptions/edges/Okta_UserPull.md | 2 +-
 descriptions/edges/Okta_UserPush.md | 2 +-
 descriptions/edges/Okta_UserSync.md | 2 +-
 descriptions/nodes/Okta_Agent.md | 2 +-
 descriptions/nodes/Okta_AgentPool.md | 2 +-
 .../nodes/Okta_ApiServiceIntegration.md | 2 +-
 descriptions/nodes/Okta_ApiToken.md | 2 +-
 descriptions/nodes/Okta_Application.md | 25 +++++++++----------
 .../nodes/Okta_AuthorizationServer.md | 6 ++---
 descriptions/nodes/Okta_ClientSecret.md | 5 ++--
 descriptions/nodes/Okta_CustomRole.md | 4 +--
 descriptions/nodes/Okta_Device.md | 2 +-
 descriptions/nodes/Okta_Group.md | 4 +--
 descriptions/nodes/Okta_IdentityProvider.md | 6 ++---
 descriptions/nodes/Okta_JWK.md | 2 +-
 descriptions/nodes/Okta_Organization.md | 2 +-
 descriptions/nodes/Okta_Policy.md | 4 +--
 descriptions/nodes/Okta_Realm.md | 6 ++---
 descriptions/nodes/Okta_ResourceSet.md | 5 ++--
 descriptions/nodes/Okta_Role.md | 4 +--
 descriptions/nodes/Okta_RoleAssignment.md | 2 +-
 descriptions/nodes/Okta_User.md | 9 +++----
 66 files changed, 105 insertions(+), 110 deletions(-)
diff --git a/descriptions/edges/Okta_AddMember.md b/descriptions/edges/Okta_AddMember.md
index 8ac83d6..2006bb7 100644
--- a/descriptions/edges/Okta_AddMember.md
+++ b/descriptions/edges/Okta_AddMember.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_AddMember` edges represent custom role permissions that allow a principal (user, group, or application) to add or remove members in scoped Okta groups. These edges are created when a custom role includes the `okta.groups.members.manage` or `okta.groups.manage` permissions.
+The traversable Okta_AddMember edges represent custom role permissions that allow a principal (user, group, or application) to add or remove members in scoped Okta groups. These edges are created when a custom role includes the `okta.groups.members.manage` or `okta.groups.manage` permissions.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_AgentMemberOf.md b/descriptions/edges/Okta_AgentMemberOf.md
index d8b6bf0..8bd612c 100644
--- a/descriptions/edges/Okta_AgentMemberOf.md
+++ b/descriptions/edges/Okta_AgentMemberOf.md
@@ -1,6 +1,6 @@
 ## General Information
-`Okta_AgentMemberOf` edges represent membership of an `Okta_Agent` in an `Okta_AgentPool`.
+Okta_AgentMemberOf edges represent membership of an Okta_Agent in an Okta_AgentPool.
 Active Directory Agent Pools and their agents can be visualized in BloodHound as follows:
@@ -16,6 +16,5 @@ graph LR
 a3 -- Okta_AgentMemberOf --> ap2
 ```
-> [!WARNING]
-> Traversable edges between the `Okta_AgentPool` and AD `Domain` nodes are not created in the current version of `OktaHound`.
-> This functionality is planned for a future release.
+> [!NOTE]
+> Traversable edges between Okta_AgentPool and AD Domain nodes are not modeled in the current version of the Okta BloodHound extension. Support for this is planned for a future release.
\ No newline at end of file
diff --git a/descriptions/edges/Okta_AgentPoolFor.md b/descriptions/edges/Okta_AgentPoolFor.md
index f69650e..826930a 100644
--- a/descriptions/edges/Okta_AgentPoolFor.md
+++ b/descriptions/edges/Okta_AgentPoolFor.md
@@ -1,6 +1,6 @@
 ## General Information
-`Okta_AgentPoolFor` edges connect an AD `Okta_AgentPool` to the backing `Okta_Application` used for directory integration.
+Okta_AgentPoolFor edges connect an AD Okta_AgentPool to the backing Okta_Application used for directory integration.
 ```mermaid
 graph TB
 subgraph Active Directory
diff --git a/descriptions/edges/Okta_ApiTokenFor.md b/descriptions/edges/Okta_ApiTokenFor.md
index 48b8e2a..ea7aecc 100644
--- a/descriptions/edges/Okta_ApiTokenFor.md
+++ b/descriptions/edges/Okta_ApiTokenFor.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_ApiTokenFor` edges represent the API token assignments for users in Okta, represented by the [Okta_User](../Nodes/Okta_User.md) nodes:
+The traversable Okta_ApiTokenFor edges represent the API token assignments for users in Okta, represented by the Okta_User nodes:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_AppAdmin.md b/descriptions/edges/Okta_AppAdmin.md
index 83cb13a..a175958 100644
--- a/descriptions/edges/Okta_AppAdmin.md
+++ b/descriptions/edges/Okta_AppAdmin.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_AppAdmin` edges represent Application Administrator role assignments. Application Administrators can manage application configurations, user assignments, and provisioning settings for their assigned applications.
+The traversable Okta_AppAdmin edges represent Application Administrator role assignments. Application Administrators can manage application configurations, user assignments, and provisioning settings for their assigned applications.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_AppAssignment.md b/descriptions/edges/Okta_AppAssignment.md
index 6da4fce..45d520f 100644
--- a/descriptions/edges/Okta_AppAssignment.md
+++ b/descriptions/edges/Okta_AppAssignment.md
@@ -2,7 +2,7 @@
 Only users that are assigned to applications can access them. Users can be assigned to applications directly or indirectly through group memberships.
-The non-traversable `Okta_AppAssignment` edges represent the application assignments for users and groups in Okta:
+The non-traversable Okta_AppAssignment edges represent the application assignments for users and groups in Okta:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_Contains.md b/descriptions/edges/Okta_Contains.md
index 79d0513..4d940de 100644
--- a/descriptions/edges/Okta_Contains.md
+++ b/descriptions/edges/Okta_Contains.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_Contains` edges represent the containment relationships between the organization and other entities in Okta. The organization node will have `Okta_Contains` edges to all other nodes in the graph, with some exceptions.
+The traversable Okta_Contains edges represent the containment relationships between the organization and other entities in Okta. The organization node will have Okta_Contains edges to all other nodes in the graph, with some exceptions.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_CreatorOf.md b/descriptions/edges/Okta_CreatorOf.md
index accbe0b..ad8fd45 100644
--- a/descriptions/edges/Okta_CreatorOf.md
+++ b/descriptions/edges/Okta_CreatorOf.md
@@ -1,6 +1,6 @@
 ## General Information
-The non-traversable `Okta_CreatorOf` edges represent the creator relationships between API Service Integration instances and users in Okta:
+The non-traversable Okta_CreatorOf edges represent the creator relationships between API Service Integration instances and users in Okta:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_DeviceOf.md b/descriptions/edges/Okta_DeviceOf.md
index ae61f55..dc69cec 100644
--- a/descriptions/edges/Okta_DeviceOf.md
+++ b/descriptions/edges/Okta_DeviceOf.md
@@ -1,6 +1,6 @@
 ## General Information
-The non-traversable `Okta_DeviceOf` edges represent the ownership relationships between users and devices in Okta:
+The non-traversable Okta_DeviceOf edges represent the ownership relationships between users and devices in Okta:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_GroupAdmin.md b/descriptions/edges/Okta_GroupAdmin.md
index 4256823..29bc892 100644
--- a/descriptions/edges/Okta_GroupAdmin.md
+++ b/descriptions/edges/Okta_GroupAdmin.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_GroupAdmin` edges represent Group Administrator (also known as User Administrator) role assignments. Group Administrators can manage users and groups within their assigned scope.
+The traversable Okta_GroupAdmin edges represent Group Administrator (also known as User Administrator) role assignments. Group Administrators can manage users and groups within their assigned scope.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_GroupMembershipAdmin.md b/descriptions/edges/Okta_GroupMembershipAdmin.md
index 6bc3ab2..6586dc7 100644
--- a/descriptions/edges/Okta_GroupMembershipAdmin.md
+++ b/descriptions/edges/Okta_GroupMembershipAdmin.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_GroupMembershipAdmin` edges represent Group Membership Administrator role assignments. Group Membership Administrators can add and remove members from groups within their assigned scope but cannot modify the groups themselves.
+The traversable Okta_GroupMembershipAdmin edges represent Group Membership Administrator role assignments. Group Membership Administrators can add and remove members from groups within their assigned scope but cannot modify the groups themselves.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_GroupPull.md b/descriptions/edges/Okta_GroupPull.md
index e3af785..ca6193a 100644
--- a/descriptions/edges/Okta_GroupPull.md
+++ b/descriptions/edges/Okta_GroupPull.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_GroupPull` edges represent the group synchronization relationships from applications to Okta:
+The traversable Okta_GroupPull edges represent the group synchronization relationships from applications to Okta:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_GroupPush.md b/descriptions/edges/Okta_GroupPush.md
index e1e5886..e5b283b 100644
--- a/descriptions/edges/Okta_GroupPush.md
+++ b/descriptions/edges/Okta_GroupPush.md
@@ -1,6 +1,6 @@
 ## General Information
-The non-traversable `Okta_GroupPush` edges represent the group push assignments to applications. This indicates group provisioning and membership synchronization from Okta to external applications.
+The non-traversable Okta_GroupPush edges represent the group push assignments to applications. This indicates group provisioning and membership synchronization from Okta to external applications.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_HasRole.md b/descriptions/edges/Okta_HasRole.md
index 46b0260..837deb8 100644
--- a/descriptions/edges/Okta_HasRole.md
+++ b/descriptions/edges/Okta_HasRole.md
@@ -1,6 +1,6 @@
 ## General Information
-The non-traversable `Okta_HasRole` edges represent the role assignments for users in Okta:
+The non-traversable Okta_HasRole edges represent the role assignments for users in Okta:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_HasRoleAssignment.md b/descriptions/edges/Okta_HasRoleAssignment.md
index f6ee566..3274acb 100644
--- a/descriptions/edges/Okta_HasRoleAssignment.md
+++ b/descriptions/edges/Okta_HasRoleAssignment.md
@@ -1,6 +1,6 @@
 ## General Information
-The `Okta_HasRoleAssignment` edges connect users, groups, and applications to their respective `Okta_RoleAssignment` nodes. The `Okta_ScopedTo` edges connect the `Okta_RoleAssignment` nodes to the resources they are scoped to, such as the organization or specific groups or applications.
+The Okta_HasRoleAssignment edges connect users, groups, and applications to their respective Okta_RoleAssignment nodes. The Okta_ScopedTo edges connect the Okta_RoleAssignment nodes to the resources they are scoped to, such as the organization or specific groups or applications.
 ```mermaid
 graph TB
diff --git a/descriptions/edges/Okta_HelpDeskAdmin.md b/descriptions/edges/Okta_HelpDeskAdmin.md
index 7ddeda7..08d3859 100644
--- a/descriptions/edges/Okta_HelpDeskAdmin.md
+++ b/descriptions/edges/Okta_HelpDeskAdmin.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_HelpDeskAdmin` edges represent Help Desk Administrator role assignments. Help Desk Administrators can perform password resets, unlock accounts, and reset MFA factors for users within their assigned scope.
+The traversable Okta_HelpDeskAdmin edges represent Help Desk Administrator role assignments. Help Desk Administrators can perform password resets, unlock accounts, and reset MFA factors for users within their assigned scope.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_HostsAgent.md b/descriptions/edges/Okta_HostsAgent.md
index dfd9bc7..5a62cc5 100644
--- a/descriptions/edges/Okta_HostsAgent.md
+++ b/descriptions/edges/Okta_HostsAgent.md
@@ -1,6 +1,6 @@
 ## General Information
-Hybrid `Okta_HostsAgent` edges connect an AD `Computer` node to the `Okta_Agent` running on that host.
+Hybrid Okta_HostsAgent edges connect an AD Computer node to the Okta_Agent running on that host.
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_IdentityProviderFor.md b/descriptions/edges/Okta_IdentityProviderFor.md
index b3836ae..80038dd 100644
--- a/descriptions/edges/Okta_IdentityProviderFor.md
+++ b/descriptions/edges/Okta_IdentityProviderFor.md
@@ -1,6 +1,6 @@
 ## General Information
-The traversable `Okta_IdentityProviderFor` edges represent the relationships between identity providers and the users who authenticate through them:
+The traversable Okta_IdentityProviderFor edges represent the relationships between identity providers and the users who authenticate through them:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_IdpGroupAssignment.md b/descriptions/edges/Okta_IdpGroupAssignment.md
index 88a186f..5b8bf78 100644
--- a/descriptions/edges/Okta_IdpGroupAssignment.md
+++ b/descriptions/edges/Okta_IdpGroupAssignment.md
@@ -1,6 +1,6 @@
 ## General Information
-The non-traversable `Okta_IdpGroupAssignment` edges represent groups automatically assigned to users based on identity provider attributes or user claims:
+The non-traversable Okta_IdpGroupAssignment edges represent groups automatically assigned to users based on identity provider attributes or user claims:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_InboundOrgSSO.md b/descriptions/edges/Okta_InboundOrgSSO.md
index 793a8a0..6f7b9fa 100644
--- a/descriptions/edges/Okta_InboundOrgSSO.md
+++ b/descriptions/edges/Okta_InboundOrgSSO.md
@@ -1,6 +1,6 @@
 ## General Information
-The `Okta_InboundOrgSSO` and `Okta_InboundSSO` hybrid edges connect external tenants and users to Okta entities:
+The Okta_InboundOrgSSO and Okta_InboundSSO hybrid edges connect external tenants and users to Okta entities:
 ```mermaid
 graph LR
diff --git a/descriptions/edges/Okta_InboundSSO.md b/descriptions/edges/Okta_InboundSSO.md
index 793a8a0..6f7b9fa 100644
--- a/descriptions/edges/Okta_InboundSSO.md
+++ b/descriptions/edges/Okta_InboundSSO.md
@@ -1,6 +1,6 @@ ## General Information -The `Okta_InboundOrgSSO` and `Okta_InboundSSO` hybrid edges connect external tenants and users to Okta entities: +The Okta_InboundOrgSSO and Okta_InboundSSO hybrid edges connect external tenants and users to Okta entities: ```mermaid graph LR diff --git a/descriptions/edges/Okta_KerberosSSO.md b/descriptions/edges/Okta_KerberosSSO.md index 8b8ca08..25b9182 100644 --- a/descriptions/edges/Okta_KerberosSSO.md +++ b/descriptions/edges/Okta_KerberosSSO.md @@ -1,6 +1,6 @@ ## General Information -Hybrid traversable `Okta_KerberosSSO` edges represent [agentless desktop SSO](https://help.okta.com/en-us/content/topics/directory/ad-dsso-about-workflow.htm) trust from an on-prem AD `User` account to an AD-backed `Okta_Application`. +Hybrid traversable Okta_KerberosSSO edges represent [agentless desktop SSO](https://help.okta.com/en-us/content/topics/directory/ad-dsso-about-workflow.htm) trust from an on-prem AD User account to an AD-backed Okta_Application. ```mermaid graph LR diff --git a/descriptions/edges/Okta_KeyOf.md b/descriptions/edges/Okta_KeyOf.md index 5aa7f6f..973c9d4 100644 --- a/descriptions/edges/Okta_KeyOf.md +++ b/descriptions/edges/Okta_KeyOf.md @@ -1,10 +1,10 @@ ## General Information -The traversable `Okta_KeyOf` edges represent the relationships between applications ([Okta_Application](../Nodes/Okta_Application.md)) and their JWKs: +The traversable Okta_KeyOf edges represent the relationships between applications Okta_Application and their JWKs: ```mermaid graph LR - app1("Okta_Application OktaHound Collector") + app1("Okta_Application OpenHound Okta Collector") app2("Okta_Application Security Scanner") key1("Okta_JWK ABC123") key2("Okta_JWK DEF456") 
@@ -14,4 +14,4 @@ graph LR key3 -- Okta_KeyOf --> app2 ``` -Possession of the private key corresponding to a JWK allows an attacker to authenticate as the application. The `Okta_KeyOf` edge can be used in BloodHound to understand which applications use JWK-based authentication and trace potential attack paths involving compromised private keys. +Possession of the private key corresponding to a JWK allows an attacker to authenticate as the application. The Okta_KeyOf edge can be used in BloodHound to understand which applications use JWK-based authentication and trace potential attack paths involving compromised private keys. diff --git a/descriptions/edges/Okta_ManageApp.md b/descriptions/edges/Okta_ManageApp.md index 6b4e7f8..bfc9659 100644 --- a/descriptions/edges/Okta_ManageApp.md +++ b/descriptions/edges/Okta_ManageApp.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_ManageApp` edges correspond to the `okta.apps.manage` custom role permissions that allow a principal (user, group, or application) to fully manage Okta applications and their members. +The traversable Okta_ManageApp edges correspond to the `okta.apps.manage` custom role permissions that allow a principal (user, group, or application) to fully manage Okta applications and their members. ```mermaid graph LR diff --git a/descriptions/edges/Okta_ManagerOf.md b/descriptions/edges/Okta_ManagerOf.md index 76b6d8c..f513883 100644 --- a/descriptions/edges/Okta_ManagerOf.md +++ b/descriptions/edges/Okta_ManagerOf.md 
@@ -2,9 +2,9 @@ Okta uses the `Manager` and `ManagerId` user profile attributes to represent managerial relationships. Unfortunately, these attributes can have any arbitrary value and their referential integrity is not enforced by Okta. They are not even synchronized from external directories by default. -Our recommendation is to map the `ManagerId` attribute to the login of the manager in Okta. When synchronizing users from Active Directory, the `getManagerUser("active_directory").login` mapping expression can be used to achieve this. Such values are automatically recognized by `OktaHound`. +Our recommendation is to map the `ManagerId` attribute to the login of the manager in Okta. When synchronizing users from Active Directory, the `getManagerUser("active_directory").login` mapping expression can be used to achieve this. Such values are automatically recognized by the OpenHound Okta collector. -The **non-traversable** `Okta_ManagerOf` edges represent the organizational structure in BloodHound: +The **non-traversable** Okta_ManagerOf edges represent the organizational structure in BloodHound: ```mermaid graph LR diff --git a/descriptions/edges/Okta_MemberOf.md b/descriptions/edges/Okta_MemberOf.md index 6bf8471..765a9e8 100644 --- a/descriptions/edges/Okta_MemberOf.md +++ b/descriptions/edges/Okta_MemberOf.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_MemberOf` edges represent the membership relationships between users and groups in Okta: +The traversable Okta_MemberOf edges represent the membership relationships between users and groups in Okta: ```mermaid graph LR diff --git a/descriptions/edges/Okta_MembershipSync.md b/descriptions/edges/Okta_MembershipSync.md index a1a7eab..601ccdd 100644 --- a/descriptions/edges/Okta_MembershipSync.md +++ b/descriptions/edges/Okta_MembershipSync.md 
@@ -1,6 +1,6 @@ ## General Information -The traversable hybrid `Okta_MembershipSync` edges represent the synchronization relationships between groups in external directories and their corresponding groups in Okta: +The traversable hybrid Okta_MembershipSync edges represent the synchronization relationships between groups in external directories and their corresponding groups in Okta: ```mermaid graph TB diff --git a/descriptions/edges/Okta_MobileAdmin.md b/descriptions/edges/Okta_MobileAdmin.md index a312723..74981c5 100644 --- a/descriptions/edges/Okta_MobileAdmin.md +++ b/descriptions/edges/Okta_MobileAdmin.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_MobileAdmin` edges represent Mobile Administrator role assignments. Mobile Administrators can manage mobile device settings and configurations within their assigned scope. +The traversable Okta_MobileAdmin edges represent Mobile Administrator role assignments. Mobile Administrators can manage mobile device settings and configurations within their assigned scope. ```mermaid graph LR diff --git a/descriptions/edges/Okta_OrgAdmin.md b/descriptions/edges/Okta_OrgAdmin.md index 8d8b93d..8d44587 100644 --- a/descriptions/edges/Okta_OrgAdmin.md +++ b/descriptions/edges/Okta_OrgAdmin.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_OrgAdmin` edges represent Organization Administrator role assignments. Organization Administrators can manage most organizational settings except for administrative role assignments and some security settings. +The traversable Okta_OrgAdmin edges represent Organization Administrator role assignments. Organization Administrators can manage most organizational settings except for administrative role assignments and some security settings. ```mermaid graph LR diff --git a/descriptions/edges/Okta_OrgSWA.md b/descriptions/edges/Okta_OrgSWA.md index db50b4c..e736109 100644 --- a/descriptions/edges/Okta_OrgSWA.md +++ b/descriptions/edges/Okta_OrgSWA.md 
@@ -1,10 +1,10 @@ ## General Information -The non-traversable `Okta_OrgSWA` edges represent the Secure Web Authentication (SWA) relationships between Okta applications and supported external organizations or tenants. SWA stores user credentials in Okta and automatically fills them in when users access the application, which is less secure than federated SSO protocols. +The non-traversable Okta_OrgSWA edges represent the Secure Web Authentication (SWA) relationships between Okta applications and supported external organizations or tenants. SWA stores user credentials in Okta and automatically fills them in when users access the application, which is less secure than federated SSO protocols. ```mermaid graph LR - subgraph okta["OktaHound"] + subgraph okta["OpenHound Okta"] direction TB o("Okta_Organization contoso.okta.com") app1("Okta_Application Jamf Pro SWA") diff --git a/descriptions/edges/Okta_OutboundOrgSSO.md b/descriptions/edges/Okta_OutboundOrgSSO.md index f8305cf..b8af108 100644 --- a/descriptions/edges/Okta_OutboundOrgSSO.md +++ b/descriptions/edges/Okta_OutboundOrgSSO.md @@ -1,10 +1,10 @@ ## General Information -The traversable `Okta_OutboundOrgSSO` edges represent the Single Sign-On (SSO) relationships between Okta applications and supported external organizations or tenants, such as GitHub Enterprise or Jamf Pro, using SAML 2.0 or OIDC protocols. +The traversable Okta_OutboundOrgSSO edges represent the Single Sign-On (SSO) relationships between Okta applications and supported external organizations or tenants, such as GitHub Enterprise or Jamf Pro, using SAML 2.0 or OIDC protocols. ```mermaid graph LR - subgraph okta["OktaHound"] + subgraph okta["OpenHound Okta"] direction TB o("Okta_Organization contoso.okta.com") app1("Okta_Application GitHub Enterprise Cloud") diff --git a/descriptions/edges/Okta_OutboundSSO.md b/descriptions/edges/Okta_OutboundSSO.md index 3c4696e..60698f8 100644 --- a/descriptions/edges/Okta_OutboundSSO.md 
+++ b/descriptions/edges/Okta_OutboundSSO.md @@ -1,6 +1,6 @@ ## General Information -The traversable hybrid `Okta_OutboundSSO` edges represent Single Sign-On relationships between Okta users and their linked accounts in external applications using federated authentication (SAML 2.0 or OIDC). +The traversable hybrid Okta_OutboundSSO edges represent Single Sign-On relationships between Okta users and their linked accounts in external applications using federated authentication (SAML 2.0 or OIDC). ```mermaid graph LR diff --git a/descriptions/edges/Okta_PasswordSync.md b/descriptions/edges/Okta_PasswordSync.md index fb157cc..0a599ce 100644 --- a/descriptions/edges/Okta_PasswordSync.md +++ b/descriptions/edges/Okta_PasswordSync.md @@ -1,8 +1,8 @@ ## General Information -The traversable `Okta_PasswordSync` edge represents password synchronization between user accounts. This indicates that credentials are synchronized from a source user to a target user. +The traversable Okta_PasswordSync edge represents password synchronization between user accounts. This indicates that credentials are synchronized from a source user to a target user. -In **Active Directory** hybrid setups, this edge is created between `User` (AD) and `Okta_User` when delegated authentication or password push is enabled. In **Org2Org** setups, this edge is created between `Okta_User` nodes across organizations when password synchronization is configured. +In **Active Directory** hybrid setups, this edge is created between User (AD) and Okta_User when delegated authentication or password push is enabled. In **Org2Org** setups, this edge is created between Okta_User nodes across organizations when password synchronization is configured. > [!WARNING] > The Okta API does not indicate if the actual password or a randomly generated value is pushed to the other organization. diff --git a/descriptions/edges/Okta_PolicyMapping.md b/descriptions/edges/Okta_PolicyMapping.md index f6b8a51..479fe95 100644 
--- a/descriptions/edges/Okta_PolicyMapping.md +++ b/descriptions/edges/Okta_PolicyMapping.md @@ -1,9 +1,9 @@ ## General Information -The non-traversable `Okta_PolicyMapping` edges represent the association between a policy and the resources to which it is applied. +The non-traversable Okta_PolicyMapping edges represent the association between a policy and the resources to which it is applied. -> [!WARNING] -> Only application targets are currently supported by `OktaHound`. +> [!NOTE] +> Only application targets are supported in the current version of the Okta BloodHound extension. ```mermaid graph LR diff --git a/descriptions/edges/Okta_ReadClientSecret.md b/descriptions/edges/Okta_ReadClientSecret.md index b40bc37..c342a9f 100644 --- a/descriptions/edges/Okta_ReadClientSecret.md +++ b/descriptions/edges/Okta_ReadClientSecret.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_ReadClientSecret` edges represent permissions that allow a principal (user, group, or application) to read OAuth client secrets for scoped Okta applications. These edges are created for the **Application Administrator**, **API Access Management Administrator**, and **Read-only Administrator** built-in roles and for custom roles with the `okta.apps.clientCredentials.read` permission. +The traversable Okta_ReadClientSecret edges represent permissions that allow a principal (user, group, or application) to read OAuth client secrets for scoped Okta applications. These edges are created for the **Application Administrator**, **API Access Management Administrator**, and **Read-only Administrator** built-in roles and for custom roles with the `okta.apps.clientCredentials.read` permission. ```mermaid graph TD diff --git a/descriptions/edges/Okta_ReadPasswordUpdates.md b/descriptions/edges/Okta_ReadPasswordUpdates.md index 79768cf..1b59954 100644 --- a/descriptions/edges/Okta_ReadPasswordUpdates.md +++ b/descriptions/edges/Okta_ReadPasswordUpdates.md 
@@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_ReadPasswordUpdates` edges represent applications that can read password updates over SCIM. +The traversable Okta_ReadPasswordUpdates edges represent applications that can read password updates over SCIM. ```mermaid graph LR diff --git a/descriptions/edges/Okta_RealmContains.md b/descriptions/edges/Okta_RealmContains.md index 7ddf8f0..ced9746 100644 --- a/descriptions/edges/Okta_RealmContains.md +++ b/descriptions/edges/Okta_RealmContains.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_RealmContains` edges represent containment relationships between realms and the users assigned to those realms. +The traversable Okta_RealmContains edges represent containment relationships between realms and the users assigned to those realms. ```mermaid graph LR @@ -14,5 +14,5 @@ graph LR r2 -- Okta_RealmContains --> u3 ``` -> [!WARNING] -> Okta Realms are currently not supported by `OktaHound` due to licensing restrictions. +> [!NOTE] +> Okta Realms are currently not supported by BloodHound due to licensing restrictions. diff --git a/descriptions/edges/Okta_ResetFactors.md b/descriptions/edges/Okta_ResetFactors.md index 6c6275d..177206f 100644 --- a/descriptions/edges/Okta_ResetFactors.md +++ b/descriptions/edges/Okta_ResetFactors.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_ResetFactors` edges represent custom role permissions that allow a principal to reset MFA authenticators for scoped Okta users. These edges are created when a custom role includes the `okta.users.credentials.resetFactors` or `okta.users.credentials.manage` permissions. +The traversable Okta_ResetFactors edges represent custom role permissions that allow a principal to reset MFA authenticators for scoped Okta users. These edges are created when a custom role includes the `okta.users.credentials.resetFactors` or `okta.users.credentials.manage` permissions. ```mermaid graph LR 
diff --git a/descriptions/edges/Okta_ResetPassword.md b/descriptions/edges/Okta_ResetPassword.md index 368a6b1..4d8933e 100644 --- a/descriptions/edges/Okta_ResetPassword.md +++ b/descriptions/edges/Okta_ResetPassword.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_ResetPassword` edges represent custom role permissions that allow a principal (user, group, or application) to reset passwords or temporary credentials for scoped Okta users. These edges are created when a custom role includes password management permissions such as `okta.users.credentials.resetPassword`, `okta.users.credentials.manage`, `okta.users.credentials.manageTemporaryAccessCode`, or `okta.users.manage`. +The traversable Okta_ResetPassword edges represent custom role permissions that allow a principal (user, group, or application) to reset passwords or temporary credentials for scoped Okta users. These edges are created when a custom role includes password management permissions such as `okta.users.credentials.resetPassword`, `okta.users.credentials.manage`, `okta.users.credentials.manageTemporaryAccessCode`, or `okta.users.manage`. ```mermaid graph LR diff --git a/descriptions/edges/Okta_ResourceSetContains.md b/descriptions/edges/Okta_ResourceSetContains.md index e4b2baf..5520494 100644 --- a/descriptions/edges/Okta_ResourceSetContains.md +++ b/descriptions/edges/Okta_ResourceSetContains.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_ResourceSetContains` edges represent the membership relationships between resource sets and their member entities in Okta: +The traversable Okta_ResourceSetContains edges represent the membership relationships between resource sets and their member entities in Okta: ```mermaid graph LR 
@@ -18,4 +18,4 @@ graph LR rs1 -- Okta_ResourceSetContains --> u2 ``` -Note that users can also be members of resource sets indirectly through group memberships. The intermediate group will not appear in the graph, but the user membership will be resolved by `OktaHound`. +Note that users can also be members of resource sets indirectly through group memberships. The intermediate group will not appear in the graph, but the user membership will be resolved by the collector. diff --git a/descriptions/edges/Okta_SWA.md b/descriptions/edges/Okta_SWA.md index 20d817a..965281f 100644 --- a/descriptions/edges/Okta_SWA.md +++ b/descriptions/edges/Okta_SWA.md @@ -1,6 +1,6 @@ ## General Information -The non-traversable hybrid `Okta_SWA` edges represent Secure Web Authentication relationships between Okta users and their linked accounts in external applications. SWA stores user credentials in Okta and automatically fills them in, which is less secure than federated SSO. +The non-traversable hybrid Okta_SWA edges represent Secure Web Authentication relationships between Okta users and their linked accounts in external applications. SWA stores user credentials in Okta and automatically fills them in, which is less secure than federated SSO. ```mermaid graph LR diff --git a/descriptions/edges/Okta_ScopedTo.md b/descriptions/edges/Okta_ScopedTo.md index f6ee566..3274acb 100644 --- a/descriptions/edges/Okta_ScopedTo.md +++ b/descriptions/edges/Okta_ScopedTo.md 
@@ -1,6 +1,6 @@ ## General Information -The `Okta_HasRoleAssignment` edges connect users, groups, and applications to their respective `Okta_RoleAssignment` nodes. The `Okta_ScopedTo` edges connect the `Okta_RoleAssignment` nodes to the resources they are scoped to, such as the organization or specific groups or applications. +The Okta_HasRoleAssignment edges connect users, groups, and applications to their respective Okta_RoleAssignment nodes. The Okta_ScopedTo edges connect the Okta_RoleAssignment nodes to the resources they are scoped to, such as the organization or specific groups or applications. ```mermaid graph TB diff --git a/descriptions/edges/Okta_SecretOf.md b/descriptions/edges/Okta_SecretOf.md index 0232074..1e57807 100644 --- a/descriptions/edges/Okta_SecretOf.md +++ b/descriptions/edges/Okta_SecretOf.md @@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_SecretOf` edges represent the relationship between service applications or API service integrations and their associated client secrets, represented by the [Okta_ClientSecret](../Nodes/Okta_ClientSecret.md) nodes. +The traversable Okta_SecretOf edges represent the relationship between service applications or API service integrations and their associated client secrets, represented by the Okta_ClientSecret nodes. ```mermaid graph LR diff --git a/descriptions/edges/Okta_SuperAdmin.md b/descriptions/edges/Okta_SuperAdmin.md index bd527d9..0a602e9 100644 --- a/descriptions/edges/Okta_SuperAdmin.md +++ b/descriptions/edges/Okta_SuperAdmin.md 
@@ -1,6 +1,6 @@ ## General Information -The traversable `Okta_SuperAdmin` edges represent Super Administrator role assignments to the Okta organization. Super Administrators have full access to all features and settings in the Okta organization. +The traversable Okta_SuperAdmin edges represent Super Administrator role assignments to the Okta organization. Super Administrators have full access to all features and settings in the Okta organization. ```mermaid graph LR diff --git a/descriptions/edges/Okta_UserPull.md b/descriptions/edges/Okta_UserPull.md index 2ebe974..7f6b10d 100644 --- a/descriptions/edges/Okta_UserPull.md +++ b/descriptions/edges/Okta_UserPull.md @@ -1,6 +1,6 @@ ## General Information -The `Okta_UserPull` edges represent user import relationships from external applications to Okta. +The Okta_UserPull edges represent user import relationships from external applications to Okta. ```mermaid graph LR diff --git a/descriptions/edges/Okta_UserPush.md b/descriptions/edges/Okta_UserPush.md index 2483386..024455f 100644 --- a/descriptions/edges/Okta_UserPush.md +++ b/descriptions/edges/Okta_UserPush.md @@ -1,6 +1,6 @@ ## General Information -The non-traversable `Okta_UserPush` edges represent user provisioning relationships from Okta to external applications. When configured, Okta can automatically create, update, or deactivate user accounts in integrated applications using protocols like SCIM or LDAP. +The non-traversable Okta_UserPush edges represent user provisioning relationships from Okta to external applications. When configured, Okta can automatically create, update, or deactivate user accounts in integrated applications using protocols like SCIM or LDAP. ```mermaid graph LR diff --git a/descriptions/edges/Okta_UserSync.md b/descriptions/edges/Okta_UserSync.md index 55b8ecf..3ea406c 100644 --- a/descriptions/edges/Okta_UserSync.md +++ b/descriptions/edges/Okta_UserSync.md 
@@ -1,6 +1,6 @@ ## General Information -The non-traversable hybrid `Okta_UserSync` edges represent bidirectional user synchronization relationships between Okta and external directories or applications. These edges indicate that user accounts are linked and synchronized between systems. +The non-traversable hybrid Okta_UserSync edges represent bidirectional user synchronization relationships between Okta and external directories or applications. These edges indicate that user accounts are linked and synchronized between systems. ```mermaid graph LR diff --git a/descriptions/nodes/Okta_Agent.md b/descriptions/nodes/Okta_Agent.md index c01d1b9..e5d05df 100644 --- a/descriptions/nodes/Okta_Agent.md +++ b/descriptions/nodes/Okta_Agent.md @@ -1,6 +1,6 @@ ## Overview -The `Okta_Agent` node represents an Okta Agent, which is a component used in Okta's integration with on-premises systems. Okta Agents facilitate communication between the Okta cloud and on-premises applications or directories, enabling features such as single sign-on (SSO) and user provisioning. +The Okta_Agent node represents an Okta Agent, which is a component used in Okta's integration with on-premises systems. Okta Agents facilitate communication between the Okta cloud and on-premises applications or directories, enabling features such as single sign-on (SSO) and user provisioning. One or more agents are grouped into Agent Pools, represented by the [Okta_AgentPool](Okta_AgentPool.md) nodes, to provide redundancy and load balancing. diff --git a/descriptions/nodes/Okta_AgentPool.md b/descriptions/nodes/Okta_AgentPool.md index 9ce143d..8b02229 100644 --- a/descriptions/nodes/Okta_AgentPool.md +++ b/descriptions/nodes/Okta_AgentPool.md 
@@ -1,6 +1,6 @@ ## Overview -The `Okta_AgentPool` nodes represent Okta Agent Pools, which are collections of Okta Agents (represented as [Okta_Agent](Okta_Agent.md) nodes) that work together to provide high availability and load balancing for on-premises integrations. +The Okta_AgentPool nodes represent Okta Agent Pools, which are collections of Okta Agents (represented as [Okta_Agent](Okta_Agent.md) nodes) that work together to provide high availability and load balancing for on-premises integrations. The following agent pool types are supported by Okta: diff --git a/descriptions/nodes/Okta_ApiServiceIntegration.md b/descriptions/nodes/Okta_ApiServiceIntegration.md index 6104c44..e74299f 100644 --- a/descriptions/nodes/Okta_ApiServiceIntegration.md +++ b/descriptions/nodes/Okta_ApiServiceIntegration.md @@ -11,7 +11,7 @@ API service integrations in Okta represent OAuth 2.0 service (daemon) applicatio | Support authentication using private keys: | ✅ | ❌ | | Admins can read cleartext client secrets: | ✅ | ❌ | -In `OktaHound`, API service integrations are represented as `Okta_ApiServiceIntegration` nodes. +Okta API service integrations are represented as Okta_ApiServiceIntegration nodes. ## Sample Property Values diff --git a/descriptions/nodes/Okta_ApiToken.md b/descriptions/nodes/Okta_ApiToken.md index 6e69b18..b07330b 100644 --- a/descriptions/nodes/Okta_ApiToken.md +++ b/descriptions/nodes/Okta_ApiToken.md @@ -6,7 +6,7 @@ These tokens are always associated with a specific user in Okta, and the permiss The use of API tokens is generally discouraged in favor of OAuth 2.0 access tokens, as they provide better security and flexibility. However, API tokens are still widely used by Okta customers. -In `OktaHound`, API tokens are represented as `Okta_ApiToken` nodes. +Okta API tokens are represented as Okta_ApiToken nodes in BloodHound. ## Sample Property Values 
diff --git a/descriptions/nodes/Okta_Application.md b/descriptions/nodes/Okta_Application.md index 024a586..4c5268e 100644 --- a/descriptions/nodes/Okta_Application.md +++ b/descriptions/nodes/Okta_Application.md @@ -4,7 +4,7 @@ Applications in Okta represent the various software applications and services th With the exception of API Service applications, Okta users and groups can be assigned to applications. Users can also be synchronized TO and FROM applications in Okta, typically using the SCIM protocol. For example, when integrating with GitHub Enterprise Cloud, Okta can be configured to automatically create user accounts in GitHub when users are assigned to the GitHub application in Okta. -In `OktaHound`, applications are represented as `Okta_Application` nodes. +Okta applications are represented as Okta_Application nodes. ## Sample Property Values @@ -63,14 +63,14 @@ created: 2025-11-05T09:10:52+00:00 lastUpdated: 2026-01-19T14:33:39+00:00 ``` -### OktaHound +### OpenHound Okta Collector ```yaml id: 0oaw0pujq5WtBiMYD697 -name: OktaHound +name: OpenHound Okta Collector appType: oidc_client clientType: service -displayName: OktaHound +displayName: OpenHound Okta Collector features: [] grantTypes: - client_credentials @@ -176,7 +176,7 @@ This application type is the most interesting one from the security perspective, ## Hybrid Edges -For supported systems like Active Directory, GitHub Enterprise Cloud, or Jamf Pro, OktaHound can create hybrid edges in BloodHound to represent the relationships between these external systems and Okta. +For supported systems like Active Directory, GitHub Enterprise Cloud, or Jamf Pro, OpenHound can create hybrid edges in BloodHound to represent the relationships between these external systems and Okta. ```mermaid graph TB 
@@ -229,7 +229,7 @@ graph TB ### Active Directory Synchronization -When Okta's Active Directory (AD) integration is configured for user and group synchronization, the connected AD domain is represented as an `Okta_Application` node in BloodHound. This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles. +When Okta's Active Directory (AD) integration is configured for user and group synchronization, the connected AD domain is represented as an Okta_Application node in BloodHound. This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles. The synchronization is performed by domain-joined servers with the Okta AD Agent installed. This agent typically has Domain Admin privileges in the connected AD domain to perform user and group enumeration and synchronization, making it a high-value target for attackers. 
@@ -241,19 +241,18 @@ Authentication can be delegated from Okta to AD in multiple ways: - [Password Synchronization](https://help.okta.com/oie/en-us/content/topics/directory/installing_configuring_active_directory_password_sync_agent.htm) - Active Directory Federation Services (ADFS) integration with Okta as a SAML IdP -> [!WARNING] -> There is no documented API available to determine the authentication delegation method(s) configured for an AD-backed Okta application. -> OktaHound therefore performs some heuristics that might not be 100% accurate in all cases. +> [!NOTE] +> There is no documented API available to determine the authentication delegation method(s) configured for an AD-backed Okta application. The collector therefore performs some heuristics that might not be 100% accurate in all cases. ### GitHub Enterprise Cloud Organizations -When integrating Okta with GitHub Enterprise Cloud, each GitHub organization connected to Okta is represented as a separate `Okta_Application` node in BloodHound. +When integrating Okta with GitHub Enterprise Cloud, each GitHub organization connected to Okta is represented as a separate Okta_Application node in BloodHound. ![Properties of the GitHub Application node](../Images/bloodhound-github-properties.png) ### Jamf Pro -When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate `Okta_Application` node in BloodHound. The differentiator is the `domainFQDN` property: +When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate Okta_Application node in BloodHound. The differentiator is the `domainFQDN` property: ![Jamf Pro SAML application in BloodHound](../Images/bloodhound-jamf-saml-properties.png) 
@@ -263,7 +262,7 @@ It is also possible to integrate Jamf Pro with Okta using Secure Web Authenticat ## Google Workspace -Similarly to the Jamf Pro SAML applications, each Google Workspace (formerly G Suite) instance connected to Okta using SAML 2.0 is represented as a separate `Okta_Application` node in BloodHound and is identified by the `domainFQDN` property: +Similarly to the Jamf Pro SAML applications, each Google Workspace (formerly G Suite) instance connected to Okta using SAML 2.0 is represented as a separate Okta_Application node in BloodHound and is identified by the `domainFQDN` property: ![Google Workspace SAML application in BloodHound](../Images/bloodhound-google-saml-properties.png) @@ -301,7 +300,7 @@ OIDC applications can be granted OAuth 2.0 scopes to access Okta APIs on behalf ## SCIM-Enabled Applications -The `features` attribute of `Okta_Application` nodes may contain the following SCIM-related values, indicating if SCIM is enabled and which protocol capabilities are supported: +The `features` attribute of Okta_Application nodes may contain the following SCIM-related values, indicating if SCIM is enabled and which protocol capabilities are supported: | Feature | Description | |------------------------------|--------------------------------------------------------------------------------| diff --git a/descriptions/nodes/Okta_AuthorizationServer.md b/descriptions/nodes/Okta_AuthorizationServer.md index 2ae5e45..3db39be 100644 --- a/descriptions/nodes/Okta_AuthorizationServer.md +++ b/descriptions/nodes/Okta_AuthorizationServer.md 
@@ -2,10 +2,10 @@ Authorization servers in Okta are used to issue OAuth 2.0 access tokens for API access. They define the scopes, claims, and access policies that control how tokens are issued and what permissions they grant. Each Okta organization has a default authorization server, and administrators can create additional custom authorization servers for specific use cases. -In `OktaHound`, authorization servers are represented as `Okta_AuthorizationServer` nodes. +Okta authorization servers are represented as Okta_AuthorizationServer nodes. -> [!WARNING] -> The relationships between authorization servers and applications are currently not evaluated by `OktaHound`. +> [!NOTE] +> The relationships between authorization servers and applications are currently not evaluated in BloodHound. ## Sample Property Values diff --git a/descriptions/nodes/Okta_ClientSecret.md b/descriptions/nodes/Okta_ClientSecret.md index 59e34d7..6026776 100644 --- a/descriptions/nodes/Okta_ClientSecret.md +++ b/descriptions/nodes/Okta_ClientSecret.md @@ -8,11 +8,10 @@ An application can have up to two client secrets configured, to allow for secret ![Okta client secret rotation](../Images/app-client-secret-rotation.png) -Client secrets are represented as `Okta_ClientSecret` nodes in BloodHound. +Client secrets are represented as Okta_ClientSecret nodes in BloodHound. > [!NOTE] -> For security reasons, the OktaHound collector does not write cleartext client secrets -> to the OpenGraph JSON, only their hashed identifiers. +> For security reasons, the OpenHound and OktaHound collectors do not collect client secrets, only their hashed identifiers. ## Sample Property Values diff --git a/descriptions/nodes/Okta_CustomRole.md b/descriptions/nodes/Okta_CustomRole.md index bac5896..4bdbd12 100644 --- a/descriptions/nodes/Okta_CustomRole.md +++ b/descriptions/nodes/Okta_CustomRole.md 
@@ -6,7 +6,7 @@ Custom roles can be created with specific [permissions](https://developer.okta.c - okta.users.manage - okta.users.create -Custom roles are represented as `Okta_CustomRole` and `Okta_RoleAssignment` nodes in `OktaHound`, similar to built-in roles. +Custom roles are represented as Okta_CustomRole and Okta_RoleAssignment nodes, similar to built-in roles. ## Sample Property Values @@ -36,5 +36,5 @@ The following Okta permissions are particularly interesting from an offensive se - okta.apps.manage - okta.apps.clientCredentials.read -> [!WARNING] +> [!NOTE] > The research on abusable Okta permissions is still ongoing. diff --git a/descriptions/nodes/Okta_Device.md b/descriptions/nodes/Okta_Device.md index d534e0a..93d6b19 100644 --- a/descriptions/nodes/Okta_Device.md +++ b/descriptions/nodes/Okta_Device.md @@ -2,7 +2,7 @@ Devices in Okta represent the physical or virtual devices that users use to authenticate and access the Okta organization. Devices can optionally be managed by 3rd party MDM solutions, which allow administrators to enforce security compliance policies. -In `OktaHound`, devices are represented as `Okta_Device` nodes. +Okta devices are represented as Okta_Device nodes. ## Sample Property Values diff --git a/descriptions/nodes/Okta_Group.md b/descriptions/nodes/Okta_Group.md index fe4bd0e..fea6cd1 100644 --- a/descriptions/nodes/Okta_Group.md +++ b/descriptions/nodes/Okta_Group.md @@ -2,7 +2,7 @@ Groups in Okta are collections of users that can be used to manage access to applications and resources. Groups can be created manually or synchronized from external directories such as Active Directory. The built-in **Everyone** group always contains all users in the Okta organization. Only users can be members of groups and groups cannot be nested. -In `OktaHound`, groups are represented as `Okta_Group` nodes. +Okta groups are represented as Okta_Group nodes. ## Sample Property Values 
@@ -47,7 +47,7 @@ lastMembershipUpdated: 2025-11-14T12:58:13+00:00 ## Synchronization with External Directories -Similarly to users, groups can also be synchronized from external directories. The Okta API exposes the original Active Directory attributes, which are then collected by `OktaHound`: +Similarly to users, groups can also be synchronized from external directories. The Okta API exposes the original Active Directory attributes: ![Group synchronized from AD](../Images/bloodhound-ad-synced-group.png) diff --git a/descriptions/nodes/Okta_IdentityProvider.md b/descriptions/nodes/Okta_IdentityProvider.md index 039eba9..e014f02 100644 --- a/descriptions/nodes/Okta_IdentityProvider.md +++ b/descriptions/nodes/Okta_IdentityProvider.md @@ -4,10 +4,10 @@ Identity Providers (IdPs) in Okta represent external authentication sources that When users authenticate through an external identity provider, Okta can optionally create or link user accounts, enabling federated authentication across multiple systems. -In `OktaHound`, identity providers are represented as `Okta_IdentityProvider` nodes. +Okta identity providers are represented as Okta_IdentityProvider nodes. -> [!WARNING] -> The inbound identity provider routing rules and JIT (Just-In-Time) provisioning settings are currently not evaluated by `OktaHound`. +> [!NOTE] +> The inbound identity provider routing rules and JIT (Just-In-Time) provisioning settings are currently not evaluated. ## Sample Property Values diff --git a/descriptions/nodes/Okta_JWK.md b/descriptions/nodes/Okta_JWK.md index e4ef300..bf19535 100644 --- a/descriptions/nodes/Okta_JWK.md +++ b/descriptions/nodes/Okta_JWK.md 
@@ -2,7 +2,7 @@ JSON Web Keys (JWKs) are used by OAuth 2.0 client applications to authenticate with Okta using the `private_key_jwt` client authentication method. This is an asymmetric authentication mechanism where the application possesses a private key and Okta stores the corresponding public key. A service application can have multiple JWKs configured for key rotation purposes. -JWKs are represented as `Okta_JWK` nodes in BloodHound. +JWKs are represented as Okta_JWK nodes in BloodHound. ## Sample Property Values diff --git a/descriptions/nodes/Okta_Organization.md b/descriptions/nodes/Okta_Organization.md index a4b79f2..0ce5485 100644 --- a/descriptions/nodes/Okta_Organization.md +++ b/descriptions/nodes/Okta_Organization.md @@ -2,7 +2,7 @@ The Organization entity represents the Okta tenant itself. It contains general information about the organization, such as its name, domain, and settings. -In `OktaHound`, the organization is represented as a single `Okta_Organization` node. +The Okta organization is represented as a single Okta_Organization node. ## Sample Property Values diff --git a/descriptions/nodes/Okta_Policy.md b/descriptions/nodes/Okta_Policy.md index b752eb2..aa6f4df 100644 --- a/descriptions/nodes/Okta_Policy.md +++ b/descriptions/nodes/Okta_Policy.md @@ -2,7 +2,7 @@ Policies in Okta define the rules and conditions that govern authentication, authorization, and security behaviors within an organization. They control aspects such as password requirements, MFA enrollment, session management, and application access. -In `OktaHound`, policies are represented as `Okta_Policy` nodes. +Okta policies are represented as Okta_Policy nodes. ## Sample Property Values 
@@ -34,4 +34,4 @@ The following [policy types](https://developer.okta.com/docs/api/openapi/okta-ma | POST_AUTH_SESSION | [Identity Threat Protection policies](https://help.okta.com/oie/en-us/content/topics/itp/overview.htm) | | ENTITY_RISK | [Entity risk policies](https://help.okta.com/oie/en-us/content/topics/itp/entity-risk-policy.htm) | -The `OktaHound` collector specifically reads the `IDP_DISCOVERY` policies to check if the [Agentless Desktop SSO](https://help.okta.com/en-us/content/topics/directory/configuring_agentless_sso.htm) feature is enabled in the organization through at least one such policy. +The OpenHound collector specifically reads the `IDP_DISCOVERY` policies to check if the [Agentless Desktop SSO](https://help.okta.com/en-us/content/topics/directory/configuring_agentless_sso.htm) feature is enabled in the organization through at least one such policy. diff --git a/descriptions/nodes/Okta_Realm.md b/descriptions/nodes/Okta_Realm.md index b4e71aa..70d853f 100644 --- a/descriptions/nodes/Okta_Realm.md +++ b/descriptions/nodes/Okta_Realm.md @@ -2,10 +2,10 @@ Okta Realms are used to define authentication boundaries within an Okta organization. They allow administrators to segment users and applications based on different criteria, such as geographic location, business unit, or security requirements. -In `OktaHound`, Okta Realms are represented as `Okta_Realm` nodes. +Okta Realms are represented as Okta_Realm nodes. -> [!WARNING] -> Okta Realms are currently not supported by `OktaHound` due to licensing restrictions. +> [!NOTE] +> Okta Realms are currently not supported due to licensing restrictions. ## Sample Property Values diff --git a/descriptions/nodes/Okta_ResourceSet.md b/descriptions/nodes/Okta_ResourceSet.md index ff44b2c..c072e6d 100644 --- a/descriptions/nodes/Okta_ResourceSet.md +++ b/descriptions/nodes/Okta_ResourceSet.md 
@@ -22,12 +22,11 @@ Resource sets are collections of entities that can be used to scope custom role - [ ] ~~Identity and Access Management Resources~~ (Gaps in the Okta API) > [!NOTE] -> Only the marked resource types are currently supported by `OktaHound` as resource set members. -> Some resource types, such as Workflows, are not accessible via the Okta API at all. +> Only the marked resource types are currently supported as resource set members. Some resource types, such as Workflows, are not accessible via the Okta API at all. ![Okta Resource Set displayed in BloodHound](../Images/bloodhound-resource-set.png) -In `OktaHound`, resource sets are represented as `Okta_ResourceSet` nodes. +Okta resource sets are represented as Okta_ResourceSet nodes. ## Sample Property Values diff --git a/descriptions/nodes/Okta_Role.md b/descriptions/nodes/Okta_Role.md index 5b06735..07c5254 100644 --- a/descriptions/nodes/Okta_Role.md +++ b/descriptions/nodes/Okta_Role.md @@ -24,7 +24,7 @@ The following roles can either be scoped to specific resources or assigned organ > [!NOTE] > Although the Workflows Administrator role is a built-in role, the Okta API treats it as a custom role that is scoped to the built-in `Workflows Resource Set`. -In `OktaHound`, built-in roles are represented as `Okta_Role` nodes. +Okta built-in roles are represented as Okta_Role nodes. ## Sample Property Values @@ -70,7 +70,7 @@ When working with roles using the Okta API, the built-in roles are referenced by | REPORT_ADMIN | Report Administrator | | READ_ONLY_ADMIN | Read-Only Administrator | -To make the role identifiers unique, the `OktaHound` collector adds the organization domain name as a suffix to each role's ID, e.g., `SUPER_ADMIN@contoso.okta.com`. +To make the role identifiers unique, the OpenHound collector adds the organization domain name as a suffix to each role's ID, e.g., `SUPER_ADMIN@contoso.okta.com`. ## Built-In Role Permissions 
diff --git a/descriptions/nodes/Okta_RoleAssignment.md b/descriptions/nodes/Okta_RoleAssignment.md index 689ebdf..c1cc20c 100644 --- a/descriptions/nodes/Okta_RoleAssignment.md +++ b/descriptions/nodes/Okta_RoleAssignment.md @@ -1,6 +1,6 @@ ## Overview -To help visualize role assignments in BloodHound, `OktaHound` creates `Okta_RoleAssignment` nodes for each role assignment in Okta. These nodes represent the relationship between a [user](Okta_User.md), [group](Okta_Group.md), or [application](Okta_Application.md) and a role ([built-in](Okta_Role.md) or [custom](Okta_CustomRole.md)). +To help visualize role assignments in BloodHound, Okta_RoleAssignment nodes are created for each role assignment in Okta. These nodes represent the relationship between a [user](Okta_User.md), [group](Okta_Group.md), or [application](Okta_Application.md) and a role ([built-in](Okta_Role.md) or [custom](Okta_CustomRole.md)). ## Sample Property Values diff --git a/descriptions/nodes/Okta_User.md b/descriptions/nodes/Okta_User.md index 8267983..5efe46b 100644 --- a/descriptions/nodes/Okta_User.md +++ b/descriptions/nodes/Okta_User.md @@ -2,7 +2,7 @@ User objects (AKA People) represent individuals who have access to the Okta organization. Each user has a unique identifier, username in the email address format, and various attributes such as email, first name, last name, and status. -In `OktaHound`, users are represented as `Okta_User` nodes. +Okta users are represented as Okta_User nodes. ## Sample Property Values 
@@ -39,7 +39,7 @@ User status can have [multiple values](https://developer.okta.com/docs/api/opena ![Okta user status](https://developer.okta.com/docs/api/images/users/okta-user-status.png) -To simplify analysis in BloodHound, the `OktaHound` collector maps the **Status** attribute to the virtual boolean **Enabled** attribute as follows: +To simplify analysis in BloodHound, the OpenHound collector maps the **Status** attribute to the virtual boolean **Enabled** attribute as follows: | Okta User Status | Enabled | Explanation | |------------------|---------|----------------------------------| 
@@ -53,12 +53,11 @@ To simplify analysis in BloodHound, the `OktaHound` collector maps the **Status* | DEPROVISIONED | ❌ | User is deprovisioned and cannot authenticate. | > [!WARNING] -> This mapping is a simplification and may not cover all edge cases. -> Always refer to the actual **Status** attribute for precise user state information. +> This mapping is a simplification and may not cover all edge cases. Always refer to the actual **Status** attribute for precise user state information. ## Authentication Factors -Okta supports various authentication factors for multi-factor authentication (MFA), such as SMS, email, push notifications, and hardware tokens. In case of mobile and desktop applications, these authentication factors are associated with the [Device](Okta_Device.md) entities. Other authentication factors, such as YubiKeys and Google Authenticator, are not represented as separate nodes in BloodHound, but the number of enrolled factors is stored in the `authenticationFactors` attribute of the `Okta_User` nodes. +Okta supports various authentication factors for multi-factor authentication (MFA), such as SMS, email, push notifications, and hardware tokens. In case of mobile and desktop applications, these authentication factors are associated with the [Device](Okta_Device.md) entities. Other authentication factors, such as YubiKeys and Google Authenticator, are not represented as separate nodes in BloodHound, but the number of enrolled factors is stored in the `authenticationFactors` attribute of the Okta_User nodes. ## Synchronization with External Directories From 5b2ce58dc6f8cef5d78142a5dd714630d6acf349 Mon Sep 17 00:00:00 2001 
From: JonasBK Date: Fri, 17 Apr 2026 12:18:50 +0200 Subject: [PATCH 08/11] rm docs/official-docs/ from gitignore --- .gitignore | 1 - .../images/extensions/okta/okta_agent.png | Bin 0 -> 948 bytes .../images/extensions/okta/okta_agentpool.png | Bin 0 -> 1267 bytes .../okta/okta_apiserviceintegration.png | Bin 0 -> 979 bytes .../images/extensions/okta/okta_apitoken.png | Bin 0 -> 1117 bytes .../extensions/okta/okta_application.png | Bin 0 -> 835 bytes .../okta/okta_authorizationserver.png | Bin 0 -> 892 bytes .../extensions/okta/okta_clientsecret.png | Bin 0 -> 1117 bytes .../extensions/okta/okta_customrole.png | Bin 0 -> 1123 bytes .../images/extensions/okta/okta_device.png | Bin 0 -> 989 bytes .../images/extensions/okta/okta_group.png | Bin 0 -> 943 bytes .../extensions/okta/okta_identityprovider.png | Bin 0 -> 944 bytes .../images/extensions/okta/okta_jwk.png | Bin 0 -> 1117 bytes .../extensions/okta/okta_organization.png | Bin 0 -> 1290 bytes .../images/extensions/okta/okta_policy.png | Bin 0 -> 1066 bytes .../images/extensions/okta/okta_realm.png | Bin 0 -> 1047 bytes .../extensions/okta/okta_resourceset.png | Bin 0 -> 975 bytes .../images/extensions/okta/okta_role.png | Bin 0 -> 1123 bytes .../extensions/okta/okta_roleassignment.png | Bin 0 -> 1027 bytes .../images/extensions/okta/okta_user.png | Bin 0 -> 1056 bytes .../opengraph/extensions/okta/docs.json | 84 +++ .../extensions/okta/edges/okta_addmember.mdx | 24 + .../okta/edges/okta_agentmemberof.mdx | 32 + .../okta/edges/okta_agentpoolfor.mdx | 37 ++ .../okta/edges/okta_apitokenfor.mdx | 28 + .../extensions/okta/edges/okta_appadmin.mdx | 28 + .../okta/edges/okta_appassignment.mdx | 40 ++ .../extensions/okta/edges/okta_contains.mdx | 45 ++ .../extensions/okta/edges/okta_creatorof.mdx | 24 + .../extensions/okta/edges/okta_deviceof.mdx | 25 + .../extensions/okta/edges/okta_groupadmin.mdx | 26 + .../okta/edges/okta_groupmembershipadmin.mdx | 23 + .../extensions/okta/edges/okta_grouppull.mdx | 21 + 
.../extensions/okta/edges/okta_grouppush.mdx | 21 + .../extensions/okta/edges/okta_hasrole.mdx | 29 + .../okta/edges/okta_hasroleassignment.mdx | 39 ++ .../okta/edges/okta_helpdeskadmin.mdx | 24 + .../extensions/okta/edges/okta_hostsagent.mdx | 34 + .../okta/edges/okta_identityproviderfor.mdx | 26 + .../okta/edges/okta_idpgroupassignment.mdx | 25 + .../okta/edges/okta_inboundorgsso.mdx | 24 + .../extensions/okta/edges/okta_inboundsso.mdx | 24 + .../okta/edges/okta_kerberossso.mdx | 32 + .../extensions/okta/edges/okta_keyof.mdx | 28 + .../extensions/okta/edges/okta_manageapp.mdx | 24 + .../extensions/okta/edges/okta_managerof.mdx | 31 + .../extensions/okta/edges/okta_memberof.mdx | 27 + .../okta/edges/okta_membershipsync.mdx | 52 ++ .../okta/edges/okta_mobileadmin.mdx | 23 + .../extensions/okta/edges/okta_orgadmin.mdx | 25 + .../extensions/okta/edges/okta_orgswa.mdx | 31 + .../okta/edges/okta_outboundorgsso.mdx | 38 ++ .../okta/edges/okta_outboundsso.mdx | 36 ++ .../okta/edges/okta_passwordsync.mdx | 56 ++ .../okta/edges/okta_policymapping.mdx | 41 ++ .../okta/edges/okta_readclientsecret.mdx | 33 + .../okta/edges/okta_readpasswordupdates.mdx | 25 + .../okta/edges/okta_realmcontains.mdx | 30 + .../okta/edges/okta_resetfactors.mdx | 23 + .../okta/edges/okta_resetpassword.mdx | 44 ++ .../okta/edges/okta_resourcesetcontains.mdx | 32 + .../extensions/okta/edges/okta_scopedto.mdx | 39 ++ .../extensions/okta/edges/okta_secretof.mdx | 26 + .../extensions/okta/edges/okta_superadmin.mdx | 23 + .../extensions/okta/edges/okta_swa.mdx | 28 + .../extensions/okta/edges/okta_userpull.mdx | 23 + .../extensions/okta/edges/okta_userpush.mdx | 25 + .../extensions/okta/edges/okta_usersync.mdx | 29 + .../extensions/okta/nodes/okta_agent.mdx | 31 + .../extensions/okta/nodes/okta_agentpool.mdx | 38 ++ .../okta/nodes/okta_apiserviceintegration.mdx | 55 ++ .../extensions/okta/nodes/okta_apitoken.mdx | 33 + .../okta/nodes/okta_application.mdx | 325 ++++++++++ 
.../okta/nodes/okta_authorizationserver.mdx | 32 + .../okta/nodes/okta_clientsecret.mdx | 34 + .../extensions/okta/nodes/okta_customrole.mdx | 49 ++ .../extensions/okta/nodes/okta_device.mdx | 60 ++ .../extensions/okta/nodes/okta_group.mdx | 85 +++ .../okta/nodes/okta_identityprovider.mdx | 35 ++ .../extensions/okta/nodes/okta_jwk.mdx | 28 + .../okta/nodes/okta_organization.mdx | 26 + .../extensions/okta/nodes/okta_policy.mdx | 45 ++ .../extensions/okta/nodes/okta_realm.mdx | 32 + .../okta/nodes/okta_resourceset.mdx | 49 ++ .../extensions/okta/nodes/okta_role.mdx | 85 +++ .../okta/nodes/okta_roleassignment.mdx | 25 + .../extensions/okta/nodes/okta_user.mdx | 74 +++ .../extensions/okta/privilege-zone-rules.mdx | 55 ++ .../opengraph/extensions/okta/queries.mdx | 586 ++++++++++++++++++ .../opengraph/extensions/okta/schema.mdx | 95 +++ 90 files changed, 3384 insertions(+), 1 deletion(-) create mode 100644 docs/official-docs/images/extensions/okta/okta_agent.png create mode 100644 docs/official-docs/images/extensions/okta/okta_agentpool.png create mode 100644 docs/official-docs/images/extensions/okta/okta_apiserviceintegration.png create mode 100644 docs/official-docs/images/extensions/okta/okta_apitoken.png create mode 100644 docs/official-docs/images/extensions/okta/okta_application.png create mode 100644 docs/official-docs/images/extensions/okta/okta_authorizationserver.png create mode 100644 docs/official-docs/images/extensions/okta/okta_clientsecret.png create mode 100644 docs/official-docs/images/extensions/okta/okta_customrole.png create mode 100644 docs/official-docs/images/extensions/okta/okta_device.png create mode 100644 docs/official-docs/images/extensions/okta/okta_group.png create mode 100644 docs/official-docs/images/extensions/okta/okta_identityprovider.png create mode 100644 docs/official-docs/images/extensions/okta/okta_jwk.png create mode 100644 docs/official-docs/images/extensions/okta/okta_organization.png create mode 100644 
docs/official-docs/images/extensions/okta/okta_policy.png create mode 100644 docs/official-docs/images/extensions/okta/okta_realm.png create mode 100644 docs/official-docs/images/extensions/okta/okta_resourceset.png create mode 100644 docs/official-docs/images/extensions/okta/okta_role.png create mode 100644 docs/official-docs/images/extensions/okta/okta_roleassignment.png create mode 100644 docs/official-docs/images/extensions/okta/okta_user.png create mode 100644 docs/official-docs/opengraph/extensions/okta/docs.json create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_addmember.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx create mode 100644 
docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx create mode 100644 
docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx create mode 100644 
docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/queries.mdx create mode 100644 docs/official-docs/opengraph/extensions/okta/schema.mdx diff --git a/.gitignore b/.gitignore index 1626df3..f47e4d7 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,6 @@ output graph logs .vscode -docs/official-docs/ # Codex .codex 
diff --git a/docs/official-docs/images/extensions/okta/okta_agent.png b/docs/official-docs/images/extensions/okta/okta_agent.png new file mode 100644 index 0000000000000000000000000000000000000000..d4077f7e4143543be93ac1c951196f1701be2164 GIT binary patch literal 948 zcmV;l155mgP)E-96Zjo#Ntp#9p1a%|Mn2#lU&mKdf)dv-}~=-zX;)> z04ZPqNZ1|#&Gu{nMWA|ywHqP~zEB{7rqFRId3-INrF5)^iOGI7d zyC(V0n*tKRQxKmw z+j;TGJLZaf50opgW^HWR;H(SCfkb- z>AK7AMGXODy1kQU^XDT6nBVe_+1xM?#Rvw~$M<({1}{9^BfHz4a4Z;V4I5XY#S{?t zDYGNS!jG4{;UCMtsDzT3OZ_1>z7~=SO-ZnA`%~aPKsm_9q8NrX{2P zpZq^Wfnx}+WUG6UhIY734Y0ZId|%j-xqc{FHKW{ubTRSciq{RRdtU#W0wNJ{MYRT- z2mYeWxo%gS*6Kg2rhrsg_vWj6R}OJsG()P>JLXqO-6-h}^XI@ijx}Hg;K8Cqb|d(asU3~yRBN)f zff<9-(Gx02JgBKIsqq&H+X+|(`Y`%Jzot|JT2o!H_T*xk(!oV29s+QRoISoxDaIdt zz-jRi(sSWrA_!(bVI%LubvI~qF)08lNFjNC#*4|TyrUF5%pOL7DPkOHAOWi_Q)6)T zvURGJbolk#x|+GHHUqr%BM*xNQYX%OIbGqLms2+s#Ej+^}ImH9sdRN WQzhSk)ow}v0000ZKWH0w6vscZ-I7{^FQAA_@`*xGk*Vbbk_Gl`U~a6gpFIxE=}xwVY7r2>i@2{!@}Q@JDu2ALR76YP()rMMAVLFL+F zf^wyRsa!G1v?L$_8X$#3F=i&Sc)ijqDYsx4Rjw^2*xXvRNCa_M!b!k3dpH#1>ZSZ^ zDQ?8&uj3YpUGC^|$fSUX92jI~GW$lA1I$cjIppgH;bJ?mEdnwy1u!w5ZZi9mU$T@c zIsmusB>8yE!>v2XjtF?YlJmpnOr7+Y8z~Uc-WYHjTY0YE90g$D{Wu#>^WwnX&SN9k zA3=$ZS=o^Sk{*Qb{{>k3Mr%s7QblL_as;DZYdY}w(FERJi7&>N+a^&e>zw~8Xe|$R z0dWvT#x2kNJ{dV6tP&2zm>6Fs9Et((`0zefO*ty^KVYD8orcqDfmuiH;ErbXF&no%a(xn8Dz7h*ng2^f+y=b3bLk;}L%` zEpjg1^xl4O=#p&$exKYVI1q|+>f{vOUWt|LJR48*b`S#S&(|qcbo@RUt*GMn$!!Iv zL#D3_=m%QX`OiOF;LK=>QzxhFy>KXox3>?&s8XuvJb1Xk^yMM$eJ9epRMF9js_S`x zGt(kHEu|V@)J64FqGL>)OH-=o81*W_K!i=xD!H``<$nrjMHR!Sa&hWD$6aE}2@j%) z=yyxOMl_oF!NUcN?HVihQ?Bw$H#Aq*Y6X?)*&%@S9*aP!qVG$<8K_!O<=*#S+UsyA z#z-{DqqQ`fTdN|iU6jL)HGyiENnlT(xxw#~QKDn^x-msJw^q4*_pDRdF7hVyZu7?{ zFJHc3WH{M2fw$i}!11FAHn#GVD+TJ?H9(}Ob#G`zm7xzlY_i0+ne$X@e*?_-0C|gX zsl2}%oG4Xv^yi}eYD`hfIs>8j?sv+%vt`S7A@1c2z)CjNwsH`@Gz?*4t2_f7J93(d zb7|Ki<;c3JD9n8fpOz~60rj_sy!Y-24oZh#Nx4=~ znZ2f1d0#{H9=cOzufZe_3<4;_NzR;}>ufOjVV>O1RlaU2Z)-4dlDL3qAOR8e%5aik 
zAVTjuefF)U6;$fmH8Gk!PB&K7d0@d!dApE-G@TEpXF|9LGPdiyP_E(h7cP``$h~M0h)EqH(mZ8B zAY@(3QxOPt>CZ_sIu$8)NiW(VFYUqY5(~SyA%w;XE4zZbmpc4rX5Y@vjI&x_cC;O2@nF-fL?&ELFgMR6CQ>94#XEk7#*8H z%uWb90eW@vP&fjy`|^*EgKP>`9zuQ>bn=)kjH3V{U<(Mf^}x^!1e%UVZlG8YA$}!H zAv#cQ!e=30GsuT$PfiYU#_+7zkIG@J*DHIU03+cDTzU-thLe-4(E1_02Bia9fg-RD zWff@1)pO;Qcb#v%kl*MXZ~L<;_%LZcb^sYe1&=_iy%vM}{!xZkGzppuxp<`o>K690#WSzyOGmxcPZ<1vXxaRa>!quRISlLG(6s4cVU) zY=v;d3|0d^B(|ePoyozO+=^mB_PRk)!-x+(Uc2djFI`CRchEgre%Cz;6H9Pmrc#Lbf}CMRL!&u8;{)2kUjNBeImGT`b-yvU zo?*!cCX^fK^;a*uV|iLEUA6r9f;`)K$WibEKY{lAj<;-=-;trBSb(js-bu45bDHoY zRZM$+w_1Si(F%(t*dp$=mli@JZp0U$qhH)BxngENV)yOyN$J3x=6t#Us#GSlejzjt z2?Qlxgd_6Y+*#IVI3jC-puV?BzSa6&Zy-~L#DPU413F=D#9JIN$S0PZ*WceV-Sn~# zJuCf6RO?oS*V-V^Bzv8Z->HZZ>qa)52gbVwA@;zXz#5dSX<9NWFoX0D6&2AYaIsXN_4g0wY<65M-i6#Y0103c zI0XBmGy|OZPetiIqHeP&t+(ty1U>`T^1Gbc{st}Q;Plz!k!MqK?Yhgc;sV`K8RA`>Qba!-wkD#R4ho&n-wT|;`=)mZixvo%W#sihW}0iM~BdxeI? ziCUY}c~01zS`k97(P+;@=qf_4I7hiXU&rG={tHXEH9f3-UHt$6002ovPDHLkV1m1; B!HWO@ literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_apitoken.png b/docs/official-docs/images/extensions/okta/okta_apitoken.png new file mode 100644 index 0000000000000000000000000000000000000000..cee2030e896a220f0c638f62ca301bf35f9f2192 GIT binary patch literal 1117 zcmV-j1fu(iP)ZO=}xh6o#KDA~G0D<07eUh49!oAR`w|YcQ#yNN&1l(naKz z=_XQk-P!#Gmj6Kl*>zzlixNY@^2SY|V3`&#yy+NhqD81D4%tYi9myMwH|^r;jz_Xa zU+xP7SN9&xd*+;bzHZS!6d(zt0oCyU7>=h1>;vWi@9qi}*aZF^@Y!@I=!#oi&JK{W5_yN!>RZQy=y;3EAT;`~H?tD)Uc!rBb+!RoNJwOA<#ADlo21Lm1UCA zNDGHNcUs^nu$l-32O`g(l-YUv7iPl(KnsUholl_p$6DmfhK2UxrF6#z;&R#ws0h>Z z=i`;Wd~Vb)ST63OSE?P)pML!nt6wBq_Vh}X&tGiGpHqNwTgn4kCLZGl?X#Zbre*Qv z&%aRq`yW@CSEpwvJ|Fi!ov`;NMn^Gfbs47PK+%KnM+P9bxX_avU~TUYj9UHL{-c>` zGIO&8e8PP{?){D-Om4%$kpUDBkOGlp`iXPXvM3zCxwbzU@Ka1bB>(Mw(s!rr{d}9O z8t{_{1?A6_2a(%J&rJ0s2hc0$9rtUNb){tEYF!fH*MjU^OfJ)2n)!OzWaA_qfBqAS z&)3mCPB^$!TY>hlaf9M>4^OjUwR}C$(XEQ_j$8&jz@(dCC+OAAE^tFiB%l^JETDO= zopwR~q|B3Ff9qR55e|}#$GXaRfOkMozYR(*qT;)bXO84`X*W&dik(d@|rC8;_BS zMr^`Y&R-JFHi#5fBylaR&R-h_ADl$`p5cC+wE}F0)UbS(Hs;2atDW9|D23Q zSYKRVZ9dUet{WU21;CVHm;)%BlwHd!2><357f8=cyUKKfUa30!#2kPu$0njTNWDHi zBO9M(#Ot*qLk;**1AfwXr-^+uJ`}mxuvpsKmJzUlxO*)fk%G7niBvSg-pcY&L~hUu zFQxB~5Ea;LS3oLZ0D)9A!uJ2vlrHb=%BomH)E>Jjz1=3?0A2y#8}*Bk*Txz5KKYo5 z(b1vE^-7hct!-I9YKSj4oHE@8lM;{s$i`!=4>*`?92}Crx^OLK??(Zt#2R8e13(K0 z$;M~V!a)MQJ9bsmD^+UNC3@wY{K=d4rey=sa}GVMsz9E>htoVa98TMzAj~MobA_gh j5GFRc8qZ7g`NjVM#UqWr*hXB600000NkvXXu0mjf`b7yq literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_application.png b/docs/official-docs/images/extensions/okta/okta_application.png new file mode 100644 index 0000000000000000000000000000000000000000..ee2bf6beef5a7e0b15969744e3e32d6eccdf7e95 GIT binary patch literal 835 zcmV-J1HAl+P)(V&b#SG0Pg_K4LrIm;&NukN2!}sp;k|t^H($+sb?!CLm z`+xVn?|tw8b=i}1zyp>BaI9&fmL7-AUX;|lNG|_P}qf3LX1&Z z2jcaNsAs^SA~$;?5PvFv>;<_Dtjs`R4-|P^8Pm`J6W9XGz5y7UgL7Tp$ZeF0V#H3` zF(QoS38RL5)g~XGZ=W1wjq!PjADzSg-l@%f0ZjBn;O2Ai`P(PgVZ~r`70L&MfD({| z$`)9N>$&~L`<@?%Tn0W&Im0lJ^{K%uNVM0IZ>%^$b; z2!x;~;v}mPAClX#h8r&!9g{@l2L7(b-iwaH+G_wNe5icgEbvl^iZ@zCv-ujA7#L=uF$p+j#ZBfyH%1c=|jZ967V3EfcUe@biFE@iFAL0Z0Q=z#-HZrCFf+ltk%1vfYj-?W~!92z&XF1i?}aN7iqINt%ZrW(Js$T)D|Hw&QmGRleGB9{{YG2`s>1gTRQ*% N002ovPDHLkV1o4nf!6>4 literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_authorizationserver.png b/docs/official-docs/images/extensions/okta/okta_authorizationserver.png new file mode 100644 index 0000000000000000000000000000000000000000..c6e83af0944fa113b766d1c764979b080f580e75 GIT binary patch literal 892 zcmV-?1B3jDP)ZKTH!*9LGOgTu8NvhdMau@Vo21Uf(-f=r_5vckkZ&{_gkxH$wlg zfg-R3M$l+5U**s5W4E8|ptHAfF3_F$!P<7l1u84hO4Xr>;gG!f(TaZTR%HBg7brCaf6w zNl1RYaeZ=-GmbaJe^d^g04`8)M&-+gje}Ll-2ueJ9mft$kVjO{se8H2r(CEv;lsMz zFO}ZD-3__3pp5)+)P>^XDwKA>=U z7Sh9U^u>Ijoze?vLamWpNtH(B&;rUJ^;%~y=+5m)no!qF^}uU(wQOYzX%6;5+9(~0 z6B1H?-^g!>bgDZ<)pty(SmD?Q{41AZuNet5UyA%C3A%EuhN}x~hIM@y-H-~uE#!fj zw@}J)2pjPSCsg?`F}2yTeGRF=eq4Z12oFdXC*b|caGKKPosLts5OZsrQi6q9pjA1S zOg3mGR1w--A)h5S8zc=TWxxS=JPl6=986vu!G09)U25+~fKZ4vWIO|+p3cd_t(#G_ zR2%U7Pc)jvw6+Dj)RFg#Jg~>$!|5K^98Tk~5jBS6xlLdqM8!VQcwVN@Fa8fiZYiMH Si$Y)k0000ZO=}xh6o#KDA~G0D<07eUh49!oAR`w|YcQ#yNN&1l(naKz z=_XQk-P!#Gmj6Kl*>zzlixNY@^2SY|V3`&#yy+NhqD81D4%tYi9myMwH|^r;jz_Xa zU+xP7SN9&xd*+;bzHZS!6d(zt0oCyU7>=h1>;vWi@9qi}*aZF^@Y!@I=!#oi&JK{W5_yN!>RZQy=y;3EAT;`~H?tD)Uc!rBb+!RoNJwOA<#ADlo21Lm1UCA zNDGHNcUs^nu$l-32O`g(l-YUv7iPl(KnsUholl_p$6DmfhK2UxrF6#z;&R#ws0h>Z z=i`;Wd~Vb)ST63OSE?P)pML!nt6wBq_Vh}X&tGiGpHqNwTgn4kCLZGl?X#Zbre*Qv z&%aRq`yW@CSEpwvJ|Fi!ov`;NMn^Gfbs47PK+%KnM+P9bxX_avU~TUYj9UHL{-c>` zGIO&8e8PP{?){D-Om4%$kpUDBkOGlp`iXPXvM3zCxwbzU@Ka1bB>(Mw(s!rr{d}9O z8t{_{1?A6_2a(%J&rJ0s2hc0$9rtUNb){tEYF!fH*MjU^OfJ)2n)!OzWaA_qfBqAS z&)3mCPB^$!TY>hlaf9M>4^OjUwR}C$(XEQ_j$8&jz@(dCC+OAAE^tFiB%l^JETDO= zopwR~q|B3Ff9qR55e|}#$GXaRfOkMozYR(*qT;)bXO84`X*W&dik(d@|rC8;_BS zMr^`Y&R-JFHi#5fBylaR&R-h_ADl$`p5cC+wE}F0)UbS(Hs;2atDW9|D23Q zSYKRVZ9dUet{WU21;CVHm;)%BlwHd!2><357f8=cyUKKfUa30!#2kPu$0njTNWDHi zBO9M(#Ot*qLk;**1AfwXr-^+uJ`}mxuvpsKmJzUlxO*)fk%G7niBvSg-pcY&L~hUu zFQxB~5Ea;LS3oLZ0D)9A!uJ2vlrHb=%BomH)E>Jjz1=3?0A2y#8}*Bk*Txz5KKYo5 z(b1vE^-7hct!-I9YKSj4oHE@8lM;{s$i`!=4>*`?92}Crx^OLK??(Zt#2R8e13(K0 z$;M~V!a)MQJ9bsmD^+UNC3@wY{K=d4rey=sa}GVMsz9E>htoVa98TMzAj~MobA_gh 
j5GFRc8qZ7g`NjVM#UqWr*hXB600000NkvXXu0mjf`b7yq literal 0 HcmV?d00001 diff --git a/docs/official-docs/images/extensions/okta/okta_customrole.png b/docs/official-docs/images/extensions/okta/okta_customrole.png new file mode 100644 index 0000000000000000000000000000000000000000..9cfcd1b037f580a80bd0d493787d52f7657dda32 GIT binary patch literal 1123 zcmV-p1f2VcP)a$O^jLO1utTw_Ap*&ZPp(UnnxOG zcRt?dnRjO1d8diSp#tN;Z6M+(04YaV2A%@?8En@?1Xu$8J!4sN2&{^x8f_}@12Ah> z_y$zEhkH;$3UZf>+~ozp(DGOX3qv!=#M2!9V>s>10Y6d2Bh>_`zzQ%5;Ex3ePew|F z^^w=4iKp$VHQ<(;2sZ(vMRK(*sPNU)HIz_$L&TLZv^<-O36A$oisZM7VyX&I zfxiINH=r_fXBf%baxQWkR^f!r#RLaQ-4@Z0!xNqg@)esrIy3gkAG!3+DhA4oM9e;xv({#bzEjgTw(=HdoN zyGH=111kP+dQk^EOQi`g_f3v=k9hxT7bVor95_LbFXUI{&^myL1rLU=M_AJ1uERstqK1er$9d2;y;$>lc<^{s^5 z<)tmC*j||MAYyyf&GUc29}C!@w>=c&wGvW3n*aw_q$EJ@l0TaO$t&5PJ_!g50rl5k z2`OB^7b6o-v-R_9hVG0Y$x>OLtzTYa=FB>FO2>Rus@3r{MA)zjR%O+xK8->Gc7U*% zE7bLZq2+mYcct{dxwvsAGN+v));)+UrmovA5)KdQQc=LTp&6)yoizu_T{7XxelpMB zp(k|$v0hpoo7XB>Wa972m&gTjVu7qfBe1d_=>bFUu`%bvL#2#w(3D7 z2af@Eo}_9HwhAY_efl?Mu23?jZ||2%J@N{U$AE4pBy%8K<7VVMLCS56q2-sokuKW?x6I^qV_D+SmhQh?7ls512J1tq0R2@bY(fCI$cQ%W3~EBc$j zZ@|=X&XjXoIXc1}TaujF}qgm}L zlDw8sjdl@hO?&GR9>E=8QeHWNw%`AbPYaryS4 z$pL!%2AQ~gn_xKZ;E>PlGw=)WlV6WAap`mNvYFxEmEZWZS87Y>@eVR_?gxCTGhV8d z6048q(^g3}TZK}%S8R>Foyr)4t%A_g>I79cix-8D(4uyM=+ngUFLNHT8s`C-r>2;tYGvN@$7 zayvuOGe=G?5w0)81%+C^_UoM`n@(WkidX`C>QL7N^m+&6Z9oA|0$o{u3ENH^SK7VU z4Jg1Sh!d<^u;qz$1>s_3itGxidpq*BUmId}lf8f%M;&HTLYApL<5BU3** z`nHlwRQEZm0gSapdHVn;cxsIVFuRppB69j-(-TqEqt=PITg_o|h=%4XI}X^41;OH1}8@yEkCx%TUb6S&YQK#E8Kfg>`d zMa0=-nbMwy_bb42;JdP!?aOceg%%pYI}q%M+{_ugdVEvI^3X^3Z4lq1A zLu~Te0SlAg*-E~UU5;sYBS4C{fhf-a@as{+U(KNEQ9Q>7tleVf3_g9_!OU-ve*2=a zG+RJ8?v9Jq2ymZ+7pM0*WO3RE4KakO@LsCGnaEm{Q00000 LNkvXXu0mjfsmaZS literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_group.png b/docs/official-docs/images/extensions/okta/okta_group.png new file mode 100644 index 0000000000000000000000000000000000000000..7ec63f5d4e1e98e20e4c8c42ba25196c6429d32c GIT binary patch literal 943 zcmV;g15o^lP)igj(pWE7+(OI!lIg53%|(^a?*zk7G@l9zZ(=FjD>w~NqI~EpF^uMpSd;Jr zC49elb>Sd9_KOlfx(t&73qUHFkey#Qw$~(Z5f}S`ty~aCOwZBY<$Zn;DmAz_>HiJ` z_6_gnBaq5x;pLNP%*uz7a-MJflL6h_AU-~Jdd1`;GD;guRJt;%klhS0WlTIVU6(~$3_Rax7N_#h+`{_hw-0dQC5 z%|&HsASfuaGeXOxTT5>yEn~AY0WCgg=D9NO&nd+4>a{8GoQ7XSfS|;B(Hw%J>1EhH z4Xma^lNI+BFfp}m`S}aTIRNl(HcZc?g{IF@bW<(q>kU485L0koZ=I-6sR^Sf0Sdv+ zJEil@5qU>apq)~C-{f1JkljEj0MbOXJ?-|35=?-*zKr|(JMPp(YYS;Kvt}L&nk+kp^l(PTdJ3jSTRI&hswd%i(0M3mg={y5xPbDZXs<&{m#(1aelrj4 zEC48})35+c=dqAs1pL>DaBD@nUq)fViJDuzPVltfzRmlonTugK&=8)?dAlZ@6N=MVz8)S>R znpICE#hR?Pi1eJ7zO2Uax~49l0$048Hp4=EsIKQ0ko3l?$PR6!w3mpu<9|g(6eVc4 RWx4ZJ!n%=6vux}D`*Gv#0)NJUZ-}^q@q*6v`BHY1-rPULI($} z6ohtBno<`9L9L_GkEMeO4Q|%bR&Y_ViIbgtd7Xq55{D=_)Zx7QzM7=(#r)yIyYJn1 z&;Oot?)m5-I5Z#wi~_oA02r>Z25bYB5PLU;4lDu(A;+SNU_*2?`KAH0z?6D%sSid5 zAlUyDi%dfT8t?Va@M=f(o_m~ z+64@PI7yIuUMj=(cNl&I>(h?8Qay)FH=mc_J_2NEFPY z*ZPr7+mEANSn)d9!10VSnETHBn=8yJ5^hZdflHQd6G+ri|Fd*r-Uj!&YefA^ggKZM+hWFFKv!%;%i(N<+lPHxB zZ*XTAt`5l6v;Wxh`h^l6#tEx6`>~=3WQwK)5I^)-7t?BsLJ9*Z+#hPqZ)FfQWN3Ub)U23 zd1^up@rPulUmUERxG-zmzKCStil2ZYVF1xgKfJ!(o}zT@xukHQikQ1@QHu3p5U8r0 z-%7ewP&Ri7AH>%iG;2(@fF!_p8t#Q`OdjN6*}3l?wFe=fNK7H^86dYKo0hwM@`Q6+ z3MTye?X+e-t<51dXUom1j>L(u&FK>V*_`^JA!=0ZxrSvTM8y@H_I!(gC;kTnYAo;= SjeKkX0000ZO=}xh6o#KDA~G0D<07eUh49!oAR`w|YcQ#yNN&1l(naKz z=_XQk-P!#Gmj6Kl*>zzlixNY@^2SY|V3`&#yy+NhqD81D4%tYi9myMwH|^r;jz_Xa zU+xP7SN9&xd*+;bzHZS!6d(zt0oCyU7>=h1>;vWi@9qi}*aZF^@Y!@I=!#oi&JK{W5_yN!>RZQy=y;3EAT;`~H?tD)Uc!rBb+!RoNJwOA<#ADlo21Lm1UCA zNDGHNcUs^nu$l-32O`g(l-YUv7iPl(KnsUholl_p$6DmfhK2UxrF6#z;&R#ws0h>Z z=i`;Wd~Vb)ST63OSE?P)pML!nt6wBq_Vh}X&tGiGpHqNwTgn4kCLZGl?X#Zbre*Qv z&%aRq`yW@CSEpwvJ|Fi!ov`;NMn^Gfbs47PK+%KnM+P9bxX_avU~TUYj9UHL{-c>` 
zGIO&8e8PP{?){D-Om4%$kpUDBkOGlp`iXPXvM3zCxwbzU@Ka1bB>(Mw(s!rr{d}9O z8t{_{1?A6_2a(%J&rJ0s2hc0$9rtUNb){tEYF!fH*MjU^OfJ)2n)!OzWaA_qfBqAS z&)3mCPB^$!TY>hlaf9M>4^OjUwR}C$(XEQ_j$8&jz@(dCC+OAAE^tFiB%l^JETDO= zopwR~q|B3Ff9qR55e|}#$GXaRfOkMozYR(*qT;)bXO84`X*W&dik(d@|rC8;_BS zMr^`Y&R-JFHi#5fBylaR&R-h_ADl$`p5cC+wE}F0)UbS(Hs;2atDW9|D23Q zSYKRVZ9dUet{WU21;CVHm;)%BlwHd!2><357f8=cyUKKfUa30!#2kPu$0njTNWDHi zBO9M(#Ot*qLk;**1AfwXr-^+uJ`}mxuvpsKmJzUlxO*)fk%G7niBvSg-pcY&L~hUu zFQxB~5Ea;LS3oLZ0D)9A!uJ2vlrHb=%BomH)E>Jjz1=3?0A2y#8}*Bk*Txz5KKYo5 z(b1vE^-7hct!-I9YKSj4oHE@8lM;{s$i`!=4>*`?92}Crx^OLK??(Zt#2R8e13(K0 z$;M~V!a)MQJ9bsmD^+UNC3@wY{K=d4rey=sa}GVMsz9E>htoVa98TMzAj~MobA_gh j5GFRc8qZ7g`NjVM#UqWr*hXB600000NkvXXu0mjf`b7yq literal 0 HcmV?d00001 diff --git a/docs/official-docs/images/extensions/okta/okta_organization.png b/docs/official-docs/images/extensions/okta/okta_organization.png new file mode 100644 index 0000000000000000000000000000000000000000..e98cb538ece1b6c7e67a7a3ee34ccdeb01a28435 GIT binary patch literal 1290 zcmV+l1@-!gP)Mot=wQ6jR+*o#IqVhPxq$lv^0$!j=Vzl7)(a zfdNLCBBYZF(giU=`xgX+Q0Z_8DGM18=`pYbi3Eu(L5(x^PVGg)=5o%RJNQTJ^P4m& zt@@QL`SttweZKGWJn!>7uf)-z1K$GYf$`V_uoZir0lxz6W2}8B#(_n^JLa<(BX}UB zL*{hg2jF`6K`9m)nw}27S$Z?$s3Ebt4^86?%Q8>$(bgettMP6rsFc8%Yiviibdf$x9fFW%K~7iQUPFhbu}f| zeg8fo<60JWy`GZG6bfX=#=_wl89%o(G(DXX9yE0}a8Gcg64-t7CLsg9Yx>P*N;YSj z;p=&sAYW$%z8^Gorcj{YY|x90)r9D^ zT4eJ1#5a+(r2XVJD&bcyzIyyvNFW}~O0kINI4NQwvW9`AX$hs0rU|Y4`=v{Oe+vFr zWC05>dISCg=rkHQ&!0!*FYnyJa~%FW;E0{9R>|b^iTPpEp6mq9eBPj}do0|+(DtN9Nop0e+hjQ4G{hRpX=FQOeYxotoJxCxVu?39& zM@{Jte(e!9rQkP;&w=mztyZqPzD{;xA{7%yg=<-~7Z&LGM{@^%=UZ`^!!9N(KpFh{ zJ#yi~@h&D$pT^I7!t6&O5R$l#e?0^I)SNTTsOp9J!40ZrbTvz6)!V?2BIQTLIPieu zUrrzJnU~W+==f#~uje{}i||d{X8(G=!V!1;7pOS^Y_lcW+W-In07*qoM6N<$g8QCe ARsaA1 literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_policy.png b/docs/official-docs/images/extensions/okta/okta_policy.png new file mode 100644 index 0000000000000000000000000000000000000000..5d7b34301265e1b823b21002f11a8aa2737ecad5 GIT binary patch literal 1066 zcmV+_1l9YAP)ZOK2Nc6ox;miv(iFGA>~RQL2>5Mp3tVO74B?58XVo1rx&O+Xdpe{0KppfbnXjkoG zbd`}tGkUl`49wg+=luVix%b?2#uyx4;3HrT2v{zFW6Sjn_ywpA;oB7fAOrk6uNYNLU55!>)uC(ofT; zBJRe@rz=84$M1O0^3FOiCkJI7Wgl_o>={>w2QLqJ^3@Y|cXpY2f2!~Lh|EUV-PxsC zZ%V*Fz#hDdKmarJZ2Yw0_|Kd5Ci~C#(NY?fa;0O==l79RlSF1CjGrIxX|ES`mOow= zkC%aC5rGt-MB`Czes%92k1Vkm(E4 z7$=6`qJH{&I3iFY9@i^rHu7jCm zy2(q$(#Yfh+nd{ziXBM_pWlZZl*Qw94`yyBG8?fuXw(}cle_td#-rkP&O<9-TU50% zasG5Uz{!V&E6^4oU6kxEUbTxF7QK8}cFCj%_yBO+$GsvmFu8-RWt%IWeomCIGO~a{ zY(2mqfGx2IBo-4R3vja4i@Lad?ZK>K#EE5t>%!K~rff4=W%5Sj@QUyKh-9$$vgs`O?YtQ32>T!cga{S0Jp;_6 zH5QK{2W8GpoNMnEy{PlH@s`q2iF_{KT?MUS)|?|Zs{ue`_~umOl+9^3yqIAW?YWoM kFTxCQm3Qs=9s_>ye~?OamESkVJ^%m!07*qoM6N<$g5VASeEwMP$ez;X&6HM3qGnUc6OW+;*ts z4uKAWx@794^HNWR8oXt&tW5DDXG;bn2?7BPsXPd2DEN%6MP5$I;!N)F?p>a2%eu4M ze&OKWyZ3(I-~E2?{r)__J9Hoo@aUx@|swuo-mQbZQmOdq=7q6WC^gMJ6er19iXvSk4zo zl}wj#8isv~cRMDX+Mb+h1KFFDxJd!SA=l?)30Ai%gyV)M;;R^R+q^2}81+wZ$g_?z z6BW>bV?bX_rulZ~fSEb{PUI37Bb!&H9A~YjRALFm5~>2O*%y;(zNe32)mGQru<)cp!a5zqrb21JnYa?itY!xbX$`RY~$ zfYVlE>NyE5M468zWU$I;h}h2KmE2TvfKmU1vsRP$)opj~eRZ3&R#P6ZsZh>FE`SrS zy#||M-{NH!P`#Ku#|^OYrEq=T-TkB&4%6?3Ox zb60%);N~LRRY1|o6T-0sYt=ey)jHu=!q;Af%hC`v9Dg4k_!5#TnM9HqC-IoR_I7F& z`FfxM4S=&&lc5hc1eI(V^ieYm`<7a=H8ezC-UE?x|7$25dw?Bq1}0GK)b{wQuyHLa z-V~%7Tfe#iMLATr?h!?+TPKv#YF literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_resourceset.png b/docs/official-docs/images/extensions/okta/okta_resourceset.png new file mode 100644 index 0000000000000000000000000000000000000000..17e5e04911f20ed887807a58b802c74f76cffa5a GIT binary patch literal 975 zcmV;=12FuFP)I%rPJlEQzWG zescm>fU{yF7;w`X^x{`tcs&lho*Dom(G(edjyJJs9t_8L6PuRLxeDB%ghomcZ~}h; zO#mG&D(8;}EP>xcLd((@3iDt%CblMk{l!QWBhX|DcluQq*U#;yaZ8;o!TE?pQ=IA< zBRQpG3g2&%DM`Qyya$}YfSbFQ_EB3?y(r-V>Fg}0dPW%!PYDtYNScrdSZWUj+&ujA z;F1LAqy55jK_bT-tE6xK0NVVji%`!2)>f}7JY@-J4SIPr`hko-w+Z+k7=d{W_%Kw@ zvzv!=Y<_#_El>YR796<2QO)Ti+t{<+W1B=In&Qxz$70z4#KkrHfu@cYl@mX1wf@i- z3iJEm1PM(q81Ir9^OaZGCgHAIM?%wuo4SCZDh%6C1H2eGlH+Ra7ls)RYqoEgkH#%^ z+_|_Hug78SCA2KNet9I8E(K@?BgokGbGwK{Q(V6FGH1{0sll(h#Ijkzi0!lny%iNM zkjc&#>~*xLV%nx)#%qbyvO|*Pvk1s`T5fD`tP#^%1=ws5sI2`Lg5>5+%8E%X0R{K~ zhI_0OBGHtXPAV8x3<*tNF#;KVPE2Pk0(nKmvOz9Ebzm0G+*Kq>IGwr6Qf3rL%WTEW1saITg_aa5$sSZF=?ZM>%0s z1V42>%x@%L*DAdO*et0>Jc{JsEBfMW?w zUpxBpKXz{0h`VmxqJ&4HDSrNKSiJf)M(q)ozgeg;83A?x9BonQDzh=U77BBJ-rpxp z;kFtRnZ#L)_6&eV)kVia6~F3Y{SRv_Z;3=xeEMv*X3t|pa-(WDM$NhCX4MA_Qhswf x$P$~=d^j=GDB5!;rin0AJi~l@K7!2~e*-i%OY+qbX1)Lb002ovPDHLkV1g=gwXgsH literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_role.png b/docs/official-docs/images/extensions/okta/okta_role.png new file mode 100644 index 0000000000000000000000000000000000000000..9cfcd1b037f580a80bd0d493787d52f7657dda32 GIT binary patch literal 1123 zcmV-p1f2VcP)a$O^jLO1utTw_Ap*&ZPp(UnnxOG zcRt?dnRjO1d8diSp#tN;Z6M+(04YaV2A%@?8En@?1Xu$8J!4sN2&{^x8f_}@12Ah> z_y$zEhkH;$3UZf>+~ozp(DGOX3qv!=#M2!9V>s>10Y6d2Bh>_`zzQ%5;Ex3ePew|F z^^w=4iKp$VHQ<(;2sZ(vMRK(*sPNU)HIz_$L&TLZv^<-O36A$oisZM7VyX&I zfxiINH=r_fXBf%baxQWkR^f!r#RLaQ-4@Z0!xNqg@)esrIy3gkAG!3+DhA4oM9e;xv({#bzEjgTw(=HdoN zyGH=111kP+dQk^EOQi`g_f3v=k9hxT7bVor95_LbFXUI{&^myL1rLU=M_AJ1uERstqK1er$9d2;y;$>lc<^{s^5 z<)tmC*j||MAYyyf&GUc29}C!@w>=c&wGvW3n*aw_q$EJ@l0TaO$t&5PJ_!g50rl5k z2`OB^7b6o-v-R_9hVG0Y$x>OLtzTYa=FB>FO2>Rus@3r{MA)zjR%O+xK8->Gc7U*% zE7bLZq2+mYcct{dxwvsAGN+v));)+UrmovA5)KdQQc=LTp&6)yoizu_T{7XxelpMB zp(k|$v0hpoo7XB>Wa972m&gTjVu7qfBe1d_=>bFUu`%bvL#2#w(3D7 z2af@Eo}_9HwhAY_efl?Mu23?jZ||2%J@N{U$AE4pBy%8K<7VVMLCS56q2-sokuKW?x6I^qV_D+SmhQh?7ls512J1tq0R2@bY(fCI$cQ%W3~EBc$j zZ@|=X&XjXoIXc1}TKpL6o$VDUg{3wpsW(JX(J=AG9)!XGm3S$05RpZ9$U$o znxU5D#hn_<9UH`Cf@W(&jSbL*g0)(qHg6@p+5$J5_MED`N=Pq5V!}FmT zHaS2oNkozWH6WLiyu!2Z4Ag>}ig+51=df|8;azwHF75@CeLi$`< ziadmW<+E|9F*qHBBJL2gL|i~*_DZqBo5%J?5l`cb{c0#;!X0q|2S8KFE4=y9p1E>s zWby0kUSi+(UpCQ7T4JAnKLw9r$n==w1BTUc9-n&GfTO*4XLlf)7nzK&O)-)cL z^+X|#=diYWH~hQA81C5`6&)8+0OK=f*7ylHo`ZR8pypN7yh`^~XCeTlL5$1IAaXeRqxmsD zj&GiBarnANf7EBs>MleMU=EG&)mi~;fWhei_dJ~&0Cs+FeRxm;+;cacve_BLy=($> ztwB?-4$=EG3l%1N{VwLQ z5jIVjJ&k}+L<>=#0ifnp^z{ZxUM2fkHoDau&*AdlOHrB~Ux(=cT|~ycv_EA;(z2iB5)DH#6H*MxlPIy{||&%dCV~!NxA?4002ovPDHLkV1n1#?P>r3 literal 0 HcmV?d00001 
diff --git a/docs/official-docs/images/extensions/okta/okta_user.png b/docs/official-docs/images/extensions/okta/okta_user.png new file mode 100644 index 0000000000000000000000000000000000000000..18f764474dea816920e037de96d451778aa18106 GIT binary patch literal 1056 zcmV+*1mF9KP)ZKWrOi7{-4-pY7T;_Qn09P)pPiifkcO4N|hOkY-{_2IxeW zGG(f#PL^q0y^Eqed{yEJf zopg8Kz2EcP`+e{Gy>E!%P=JqtB_LY64N;Tbj^*eCGNraPtnLfFakB9m4y%dFn9Ef-ns%CJf++erUqfdUL zFUD1X0+az|HW}g3REm@=or>H-)97)h+~h^8Yl)b`<_Y`kmfMxtWQ5ge<*ms9QnJMA zw8CsMGQ?qx+ZXjKU@0FD^WFPtVv^VX1hs9jUf0>u45CtqixF?J3+X89b)5tAXcEwY z4LDwc9K!Ydl%Mcj^RKIi{P3?f^zPQ>1b4INy+vyVpKb43k5fR!^1wr2W-$}v=B2pj zB;W37Jo!gE@qX*D3!xBm!qtwr7?IfRm{yoh0Ba${dh7$Ne~|GFwU4&`D}66bE@Aa=YTvavAv_<(0#LgaQ9(otVyKfDtT7B!2R zbJp#WL_c2_;=z*5=a&=i6JI#zI%bEBD>o2uB^oTvE>9-NJBZE4WtJ!1#o1x=R62w> zx%lJ5OM#3neE+)5cH0<`-|~r`QC$1&H2|ke@-Q}`8)RSyxLVcC;HO=u$KRcyBbRrh zVY1O+n^4sZ>-MFLsA8_}cKiiwwz_;%ZP_OnLLnh@H=FcKMlcl0b*V1^we38qg;GuD z_N%%pIfy^I{i<%S1DwA*=Bh}D8jk0Uj;F!Bou=occHG-(dj3$U_QtwhljxsHFIruy zy6I@}c<*HH_k){FRX6P=+lGWF4xS04Lr0_Mb#IrBV`JlZMt={0C>$x(^b>1b?fB<+ zH;meg8p=i`7L*uG^JpycR5&ygmQABavD~m8SNfbo zHKBso57+0C5uQvdoFzV0Yu4JoM4Z6&Q2~~S3Xq;lMtFEeMQO3zWK$HS4aC{wSd`Kq zm!k10000 + +## Edge Schema + +Traversable: true + +## General Information + +The traversable Okta_AddMember edges represent custom role permissions that allow a principal (user, group, or application) to add or remove members in scoped Okta groups. These edges are created when a custom role includes the `okta.groups.members.manage` or `okta.groups.manage` permissions. + +```mermaid +graph LR + u1("Okta_User john\@contoso.com") + g1("Okta_Group Finance") + g2("Okta_Group Tier 0 Admins") + app1("Okta_Application Automation") + u1 -- Okta_AddMember --> g1 + app1 -- Okta_AddMember --> g2 +``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx new file mode 100644 index 0000000..1edd756 --- /dev/null 
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx
@@ -0,0 +1,32 @@
+---
+title: 'Okta_AgentMemberOf'
+description: 'Membership of an Okta agent in an agent pool'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+Okta_AgentMemberOf edges represent membership of an [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) in an [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool).
+
+Active Directory Agent Pools and their agents can be visualized in BloodHound as follows:
+
+```mermaid
+graph LR
+ ap1("Okta_AgentPool contoso.com")
+ ap2("Okta_AgentPool adatum.com")
+ a1("Okta_Agent CONTOSO-SRV1")
+ a2("Okta_Agent CONTOSO-SRV2")
+ a3("Okta_Agent ADATUM-SRV1")
+ a1 -- Okta_AgentMemberOf --> ap1
+ a2 -- Okta_AgentMemberOf --> ap1
+ a3 -- Okta_AgentMemberOf --> ap2
+```
+
+
+Traversable edges between [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) and AD Domain nodes are not modeled in the current version of the Okta BloodHound extension. Support for this is planned for a future release.
+
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx
new file mode 100644
index 0000000..7768ad3
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx
@@ -0,0 +1,37 @@
+---
+title: 'Okta_AgentPoolFor'
+description: 'Relationship between an AD agent pool and its backing AD application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+Okta_AgentPoolFor edges connect an AD [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) to the backing [Okta_Application](/opengraph/extensions/okta/nodes/okta_application) used for directory integration.
+```mermaid
+graph TB
+ subgraph Active Directory
+ d1("Domain contoso.com")
+ c1("Computer CONTOSO-SRV1$")
+ c2("Computer CONTOSO-SRV2$")
+ d1 -- Contains --> c1
+ d1 -- Contains --> c2
+ end
+
+ subgraph Okta
+ ap1("Okta_AgentPool contoso.com")
+ a1("Okta_Agent CONTOSO-SRV1")
+ a2("Okta_Agent CONTOSO-SRV2")
+ app1("Okta_Application AD contoso.com")
+ a1 -- Okta_AgentMemberOf --> ap1
+ a2 -- Okta_AgentMemberOf --> ap1
+ ap1 -- Okta_AgentPoolFor --> app1
+ end
+
+ c1 -- Okta_HostsAgent --> a1
+ c2 -- Okta_HostsAgent --> a2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx
new file mode 100644
index 0000000..a5263ea
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx
@@ -0,0 +1,28 @@
+---
+title: 'Okta_ApiTokenFor'
+description: 'User ownership of an Okta API token'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_ApiTokenFor edges represent the API token assignments for users in Okta, represented by the [Okta_User](/opengraph/extensions/okta/nodes/okta_user) nodes:
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ t1("Okta_ApiToken Test App")
+ t2("Okta_ApiToken Postman")
+ t3("Okta_ApiToken Python Script")
+ org("Okta_Organization contoso.okta.com")
+ t1 -- Okta_ApiTokenFor --> u1
+ t2 -- Okta_ApiTokenFor --> u2
+ t3 -- Okta_ApiTokenFor --> u2
+ u2 -- Okta_SuperAdmin --> org
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx
new file mode 100644
index 0000000..f2b2156
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx
@@ -0,0 +1,28 @@
+---
+title: 'Okta_AppAdmin'
+description: 'Application administrator role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_AppAdmin edges represent Application Administrator role assignments. Application Administrators can manage application configurations, user assignments, and provisioning settings for their assigned applications.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ g1("Okta_Group Salesforce Admins")
+ app1("Okta_Application GitHub")
+ app2("Okta_Application Salesforce")
+ is1("Okta_APIServiceIntegration Elastic Agent")
+ u2 -- Okta_MemberOf --> g1
+ u1 -- Okta_AppAdmin --> app1
+ g1 -- Okta_AppAdmin --> app2
+ u1 -- Okta_AppAdmin --> is1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx
new file mode 100644
index 0000000..9ca1b1f
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx
@@ -0,0 +1,40 @@
+---
+title: 'Okta_AppAssignment'
+description: 'Assignment of users or groups to an Okta application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+Only users that are assigned to applications can access them. Users can be assigned to applications directly or indirectly through group memberships.
+
+The non-traversable Okta_AppAssignment edges represent the application assignments for users and groups in Okta:
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ u3("Okta_User mary\@contoso.com")
+ u4("Okta_User bob\@contoso.com")
+ u5("Okta_User alice\@contoso.com")
+ g1("Okta_Group Engineering")
+ e("Okta_Group Everyone")
+ a1("Okta_Application SalesForce")
+ a2("Okta_Application GitHub")
+ a3("Okta_Application VPN")
+ e -. Okta_AppAssignment .-> a1
+ u1 -- Okta_MemberOf --> e
+ u2 -- Okta_MemberOf --> e
+ u3 -- Okta_MemberOf --> e
+ u4 -- Okta_MemberOf --> e
+ u3 -- Okta_MemberOf --> g1
+ u4 -- Okta_MemberOf --> g1
+ g1 -. Okta_AppAssignment .-> a2
+ u4 -. Okta_AppAssignment .-> a3
+ u5 -. Okta_AppAssignment .-> a3
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx
new file mode 100644
index 0000000..dcc763d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx
@@ -0,0 +1,45 @@
+---
+title: 'Okta_Contains'
+description: 'Contains relationship between the Okta organization and its objects'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_Contains edges represent the containment relationships between the organization and other entities in Okta. The organization node will have Okta_Contains edges to all other nodes in the graph, with some exceptions.
+
+```mermaid
+graph LR
+ org("Okta_Organization contoso.okta.com")
+ user1("Okta_User john\@contoso.com")
+ group1("Okta_Group IT")
+ app1("Okta_Application GitHub")
+ role1("Okta_Role Super Admin")
+ device1("Okta_Device John's MacBook")
+ realm1("Okta_Realm EU")
+ cr1("Okta_CustomRole Help Desk")
+ rs1("Okta_ResourceSet HR Resources")
+ ap1("Okta_AgentPool AD Sync Pool")
+ as1("Okta_AuthorizationServer Default Server")
+ ip1("Okta_IdentityProvider Google IdP")
+ is1("Okta_APIServiceIntegration Elastic Agent")
+ p1("Okta_Policy Idp Discovery Policy")
+ org -- Okta_Contains --> user1
+ org -- Okta_Contains --> group1
+ org -- Okta_Contains --> app1
+ org -- Okta_Contains --> role1
+ org -- Okta_Contains --> device1
+ org -- Okta_Contains --> cr1
+ org -- Okta_Contains --> realm1
+ org -- Okta_Contains --> rs1
+ org -- Okta_Contains --> ap1
+ org -- Okta_Contains --> as1
+ org -- Okta_Contains --> ip1
+ org -- Okta_Contains --> is1
+ org -- Okta_Contains --> p1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx
new file mode 100644
index 0000000..688d6c5
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx
@@ -0,0 +1,24 @@
+---
+title: 'Okta_CreatorOf'
+description: 'Creator relationship for API service integrations'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_CreatorOf edges represent the creator relationships between API Service Integration instances and users in Okta:
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ is1("Okta_APIServiceIntegration Elastic Agent")
+ is2("Okta_APIServiceIntegration Falcon Shield")
+ u1 -. Okta_CreatorOf .-> is1
+ u2 -. Okta_CreatorOf .-> is2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx
new file mode 100644
index 0000000..c612769
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx
@@ -0,0 +1,25 @@
+---
+title: 'Okta_DeviceOf'
+description: 'Ownership relationship between a device and its assigned user'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_DeviceOf edges represent the ownership relationships between users and devices in Okta:
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ d1("Okta_Device John's MacBook")
+ d2("Okta_Device Steve's iPhone")
+ d1 -. Okta_DeviceOf .-> u1
+ d1 -. Okta_DeviceOf .-> u2
+ d2 -. Okta_DeviceOf .-> u2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx
new file mode 100644
index 0000000..f8fc66c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx
@@ -0,0 +1,26 @@
+---
+title: 'Okta_GroupAdmin'
+description: 'Group administrator role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_GroupAdmin edges represent Group Administrator (also known as User Administrator) role assignments. Group Administrators can manage users and groups within their assigned scope.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ g1("Okta_Group Marketing")
+ u1 -- Okta_GroupAdmin --> u2
+ u1 -- Okta_GroupAdmin --> g1
+ u2 -- Okta_MemberOf --> g1
+```
+
+Target group memberships are flattened when the assignment is evaluated.
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx
new file mode 100644
index 0000000..0c3b01c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx
@@ -0,0 +1,23 @@
+---
+title: 'Okta_GroupMembershipAdmin'
+description: 'Group membership administrator role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_GroupMembershipAdmin edges represent Group Membership Administrator role assignments. Group Membership Administrators can add and remove members from groups within their assigned scope but cannot modify the groups themselves.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ g1("Okta_Group Marketing")
+ g2("Okta_Group Sales")
+ u1 -- Okta_GroupMembershipAdmin --> g1
+ u1 -- Okta_GroupMembershipAdmin --> g2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx
new file mode 100644
index 0000000..39b4564
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx
@@ -0,0 +1,21 @@
+---
+title: 'Okta_GroupPull'
+description: 'Import of group memberships from an external application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_GroupPull edges represent the group synchronization relationships from applications to Okta:
+
+```mermaid
+graph LR
+ g1("Okta_Group HR")
+ app1("Okta_Application contoso.com")
+ app1 -- Okta_GroupPull --> g1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx
new file mode 100644
index 0000000..a748e43
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx
@@ -0,0 +1,21 @@
+---
+title: 'Okta_GroupPush'
+description: 'Provisioning of group memberships to an external application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_GroupPush edges represent the group push assignments to applications. This indicates group provisioning and membership synchronization from Okta to external applications.
+
+```mermaid
+graph LR
+ g1("Okta_Group Engineering")
+ app1("Okta_Application contoso.com")
+ g1 -. Okta_GroupPush .-> app1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx
new file mode 100644
index 0000000..f546182
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx
@@ -0,0 +1,29 @@
+---
+title: 'Okta_HasRole'
+description: 'Assignment of a built-in or custom role to a principal'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_HasRole edges represent the role assignments for users in Okta:
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ g1("Okta_Group IT")
+ a1("Okta_Application Python Script")
+ r1("Okta_Role Group Administrator")
+ r2("Okta_Role Application Administrator")
+ u1 -. Okta_HasRole .-> r1
+ g1 -. Okta_HasRole .-> r1
+ g1 -. Okta_HasRole .-> r2
+ a1 -. Okta_HasRole .-> r2
+ u2 -- Okta_MemberOf --> g1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx
new file mode 100644
index 0000000..9a6f64c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx
@@ -0,0 +1,39 @@
+---
+title: 'Okta_HasRoleAssignment'
+description: 'Relationship between a principal and a role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The Okta_HasRoleAssignment edges connect users, groups, and applications to their respective [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes. The [Okta_ScopedTo](/opengraph/extensions/okta/edges/okta_scopedto) edges connect the [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes to the resources they are scoped to, such as the organization or specific groups or applications.
+
+```mermaid
+graph TB
+ ra1("Okta_RoleAssignment Help Desk Administrator")
+ ra2("Okta_RoleAssignment Super Administrator")
+ r1("Okta_Role Help Desk Administrator")
+ r2("Okta_Role Super Administrator")
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ u3("Okta_User alice\@contoso.com")
+ g1("Okta_Group Seattle Help Desk")
+ g2("Okta_Group Seattle Office")
+ org("Okta_Organization contoso.okta.com")
+
+ u1 -- Okta_MemberOf --> g1
+ g1 -. Okta_HasRoleAssignment .-> ra1
+ g1 -. Okta_HasRole .-> r1
+ g1 -- Okta_HelpDeskAdmin --> u3
+ u3 -- Okta_MemberOf --> g2
+ ra1 -. Okta_ScopedTo .-> g2
+ u2 -. Okta_HasRoleAssignment .-> ra2
+ ra2 -. Okta_ScopedTo .-> org
+ u2 -- Okta_SuperAdmin --> org
+ u2 -. Okta_HasRole .-> r2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx
new file mode 100644
index 0000000..2c24393
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx
@@ -0,0 +1,24 @@
+---
+title: 'Okta_HelpDeskAdmin'
+description: 'Help desk administrator role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_HelpDeskAdmin edges represent Help Desk Administrator role assignments. Help Desk Administrators can perform password resets, unlock accounts, and reset MFA factors for users within their assigned scope.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ g1("Okta_Group Help Desk")
+ u2("Okta_User alice\@contoso.com")
+ u3("Okta_User bob\@contoso.com")
+ u1 -- Okta_HelpDeskAdmin --> u2
+ g1 -- Okta_HelpDeskAdmin --> u3
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx
new file mode 100644
index 0000000..2992119
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx
@@ -0,0 +1,34 @@
+---
+title: 'Okta_HostsAgent'
+description: 'Relationship between an AD server and the Okta agent running on that host'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+Hybrid Okta_HostsAgent edges connect an AD Computer node to the [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) running on that host.
+
+```mermaid
+graph LR
+ subgraph ad["Active Directory"]
+ d1("Domain contoso.com")
+ c1("Computer LON-SRV1$")
+ c2("Computer NY-SRV2$")
+ d1 -- Contains --> c1
+ d1 -- Contains --> c2
+ end
+ subgraph okta["Okta"]
+ ap1("Okta_AgentPool contoso.com")
+ a1("Okta_Agent LON-SRV1")
+ a2("Okta_Agent NY-SRV2")
+ a1 -- Okta_AgentMemberOf --> ap1
+ a2 -- Okta_AgentMemberOf --> ap1
+ end
+ c1 -- Okta_HostsAgent --> a1
+ c2 -- Okta_HostsAgent --> a2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx
new file mode 100644
index 0000000..6c089a6
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx
@@ -0,0 +1,26 @@
+---
+title: 'Okta_IdentityProviderFor'
+description: 'Trust relationship between an identity provider and Okta users'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_IdentityProviderFor edges represent the relationships between identity providers and the users who authenticate through them:
+
+```mermaid
+graph LR
+ idp1("Okta_IdentityProvider Google")
+ idp2("Okta_IdentityProvider Contoso SAML")
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@gmail.com")
+ u3("Okta_User bob\@contoso.com")
+ idp1 -- Okta_IdentityProviderFor --> u2
+ idp2 -- Okta_IdentityProviderFor --> u1
+ idp2 -- Okta_IdentityProviderFor --> u3
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx
new file mode 100644
index 0000000..99b7765
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx
@@ -0,0 +1,25 @@
+---
+title: 'Okta_IdpGroupAssignment'
+description: 'Identity provider group assignment to an Okta group'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_IdpGroupAssignment edges represent groups automatically assigned to users based on identity provider attributes or user claims:
+
+```mermaid
+graph LR
+ idp1("Okta_IdentityProvider Microsoft Login")
+ g1("Okta_Group Contractors")
+ g2("Okta_Group Employees")
+ g3("Okta_Group Entra ID Users")
+ idp1 -. Okta_IdpGroupAssignment .-> g1
+ idp1 -. Okta_IdpGroupAssignment .-> g2
+ idp1 -. Okta_IdpGroupAssignment .-> g3
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx
new file mode 100644
index 0000000..f132d1d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx
@@ -0,0 +1,24 @@
+---
+title: 'Okta_InboundOrgSSO'
+description: 'Single sign-on from an external organization into Okta'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The Okta_InboundOrgSSO and [Okta_InboundSSO](/opengraph/extensions/okta/edges/okta_inboundsso) hybrid edges connect external tenants and users to Okta entities:
+
+```mermaid
+graph LR
+ t1("AZTenant Contoso")
+ idp1("Okta_IdentityProvider Microsoft Login")
+ u1("AZUser alice\@contoso.com")
+ ou1("Okta_User alice\@contoso.com")
+ t1 -- Okta_InboundOrgSSO --> idp1
+ u1 -- Okta_InboundSSO --> ou1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx
new file mode 100644
index 0000000..e5bf4fe
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx
@@ -0,0 +1,24 @@
+---
+title: 'Okta_InboundSSO'
+description: 'Single sign-on from an external identity provider into Okta'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The [Okta_InboundOrgSSO](/opengraph/extensions/okta/edges/okta_inboundorgsso) and Okta_InboundSSO hybrid edges connect external tenants and users to Okta entities:
+
+```mermaid
+graph LR
+ t1("AZTenant Contoso")
+ idp1("Okta_IdentityProvider Microsoft Login")
+ u1("AZUser alice\@contoso.com")
+ ou1("Okta_User alice\@contoso.com")
+ t1 -- Okta_InboundOrgSSO --> idp1
+ u1 -- Okta_InboundSSO --> ou1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx
new file mode 100644
index 0000000..a7d250c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx
@@ -0,0 +1,32 @@
+---
+title: 'Okta_KerberosSSO'
+description: 'Agentless desktop SSO relationship from on-prem AD user account to Okta AD application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+Hybrid traversable Okta_KerberosSSO edges represent [agentless desktop SSO](https://help.okta.com/en-us/content/topics/directory/ad-dsso-about-workflow.htm) trust from an on-prem AD User account to an AD-backed [Okta_Application](/opengraph/extensions/okta/nodes/okta_application).
+
+```mermaid
+graph LR
+ subgraph ad["Active Directory"]
+ d1("Domain contoso.com")
+ u1("User SPN:HTTP/contoso.kerberos.okta.com")
+ u2("User jane.doe\@contoso.com")
+ d1 -- "Contains" --> u1
+ d1 -- "Contains" --> u2
+ end
+ subgraph okta["Okta"]
+ app1("Okta_Application contoso.com")
+ u3("Okta_User jane.doe\@contoso.com")
+ app1 -. Okta_UserPull .-> u3
+ end
+ u1 -- Okta_KerberosSSO --> app1
+ u2 -. Okta_UserSync .-> u3
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx
new file mode 100644
index 0000000..b4e5b35
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx
@@ -0,0 +1,28 @@
+---
+title: 'Okta_KeyOf'
+description: 'JSON Web Key associated with an Okta application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_KeyOf edges represent the relationships between applications [Okta_Application](/opengraph/extensions/okta/nodes/okta_application) and their JWKs:
+
+```mermaid
+graph LR
+ app1("Okta_Application OpenHound Okta Collector")
+ app2("Okta_Application Security Scanner")
+ key1("Okta_JWK ABC123")
+ key2("Okta_JWK DEF456")
+ key3("Okta_JWK GHI789")
+ key1 -- Okta_KeyOf --> app1
+ key2 -- Okta_KeyOf --> app2
+ key3 -- Okta_KeyOf --> app2
+```
+
+Possession of the private key corresponding to a JWK allows an attacker to authenticate as the application. The Okta_KeyOf edge can be used in BloodHound to understand which applications use JWK-based authentication and trace potential attack paths involving compromised private keys.
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx
new file mode 100644
index 0000000..14e6f34
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx
@@ -0,0 +1,24 @@
+---
+title: 'Okta_ManageApp'
+description: 'Ability to manage scoped Okta applications'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_ManageApp edges correspond to the `okta.apps.manage` custom role permissions that allow a principal (user, group, or application) to fully manage Okta applications and their members.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ g1("Okta_Group App Operators")
+ app1("Okta_Application GitHub")
+ app2("Okta_Application Salesforce")
+ u1 -- Okta_ManageApp --> app1
+ g1 -- Okta_ManageApp --> app2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx
new file mode 100644
index 0000000..d7b034a
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx
@@ -0,0 +1,31 @@
+---
+title: 'Okta_ManagerOf'
+description: 'Manager relationship between Okta users'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+Okta uses the `Manager` and `ManagerId` user profile attributes to represent managerial relationships. Unfortunately, these attributes can have any arbitrary value and their referential integrity is not enforced by Okta. They are not even synchronized from external directories by default.
+
+Our recommendation is to map the `ManagerId` attribute to the login of the manager in Okta. When synchronizing users from Active Directory, the `getManagerUser("active_directory").login` mapping expression can be used to achieve this. Such values are automatically recognized by the OpenHound Okta collector.
+
+The **non-traversable** Okta_ManagerOf edges represent the organizational structure in BloodHound:
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ u3("Okta_User mary\@contoso.com")
+ u4("Okta_User bob\@contoso.com")
+ u5("Okta_User alice\@contoso.com")
+ u1 -. Okta_ManagerOf .-> u2
+ u1 -. Okta_ManagerOf .-> u3
+ u3 -. Okta_ManagerOf .-> u4
+ u3 -. Okta_ManagerOf .-> u5
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx
new file mode 100644
index 0000000..b23dd95
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx
@@ -0,0 +1,27 @@
+---
+title: 'Okta_MemberOf'
+description: 'Membership of a user in an Okta group'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_MemberOf edges represent the membership relationships between users and groups in Okta:
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ u3("Okta_User mary\@contoso.com")
+ g1("Okta_Group Marketing")
+ g2("Okta_Group Sales")
+ u1 -- Okta_MemberOf --> g1
+ u2 -- Okta_MemberOf --> g1
+ u2 -- Okta_MemberOf --> g2
+ u3 -- Okta_MemberOf --> g2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx
new file mode 100644
index 0000000..1637d18
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx
@@ -0,0 +1,52 @@
+---
+title: 'Okta_MembershipSync'
+description: 'Bidirectional synchronization between Okta groups and external groups'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable hybrid Okta_MembershipSync edges represent the synchronization relationships between groups in external directories and their corresponding groups in Okta:
+
+```mermaid
+graph TB
+ subgraph ad["Active Directory"]
+ adg1("Group IT")
+ adg2("Group HR")
+ end
+ subgraph okta["Okta Org A"]
+ g1("Okta_Group IT")
+ g2("Okta_Group HR")
+ adg1 -- Okta_MembershipSync --> g1
+ g2 -- Okta_MembershipSync --> adg2
+ end
+ subgraph okta2["Okta Org B"]
+ g3("Okta_Group IT")
+ g1 -- Okta_MembershipSync --> g3
+ end
+```
+
+```mermaid
+graph LR
+ subgraph source_org["Okta Org Contoso"]
+ u1("Okta_User alice\@contoso.com")
+ g1("Okta_Group IT")
+ app1("Okta_Application Adatum Org2Org App")
+ end
+ subgraph target_org["Okta Org Adatum"]
+ u2("Okta_User alice\@adatum.com")
+ g2("Okta_Group IT")
+ app2("Okta_Application Contoso Sync API Service")
+ end
+ u1 -->|Okta_MemberOf| g1
+ u1 .->|Okta_UserSync| u2
+ u1 .->|Okta_UserPush| app1
+ u2 -->|Okta_MemberOf| g2
+ g1 .->|Okta_GroupPush| app1
+ g1 -->|Okta_MembershipSync| g2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx
new file mode 100644
index 0000000..3e25dc0
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx
@@ -0,0 +1,23 @@
+---
+title: 'Okta_MobileAdmin'
+description: 'Mobile administrator role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_MobileAdmin edges represent Mobile Administrator role assignments. Mobile Administrators can manage mobile device settings and configurations within their assigned scope.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ d1("Okta_Device Alice's iPhone")
+ d2("Okta_Device Bob's MacBook")
+ u1 -- Okta_MobileAdmin --> d1
+ u1 -- Okta_MobileAdmin --> d2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx
new file mode 100644
index 0000000..9940df9
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx
@@ -0,0 +1,25 @@
+---
+title: 'Okta_OrgAdmin'
+description: 'Organization administrator role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_OrgAdmin edges represent Organization Administrator role assignments. Organization Administrators can manage most organizational settings except for administrative role assignments and some security settings.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ g1("Okta_Group IT")
+ d1("Okta_Device John's MacBook")
+ u1 -- Okta_OrgAdmin --> u2
+ u1 -- Okta_OrgAdmin --> g1
+ u1 -- Okta_OrgAdmin --> d1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx
new file mode 100644
index 0000000..43055ae
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx
@@ -0,0 +1,31 @@
+---
+title: 'Okta_OrgSWA'
+description: 'Secure Web Authentication from an Okta application to an external organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_OrgSWA edges represent the Secure Web Authentication (SWA) relationships between Okta applications and supported external organizations or tenants. SWA stores user credentials in Okta and automatically fills them in when users access the application, which is less secure than federated SSO protocols.
+
+```mermaid
+graph LR
+ subgraph okta["OpenHound Okta"]
+ direction TB
+ o("Okta_Organization contoso.okta.com")
+ app1("Okta_Application Jamf Pro SWA")
+ o -- Okta_Contains --> app1
+ end
+ subgraph "Jamf"
+ direction TB
+ jamf("jamf_SSOIntegration contoso.jamfcloud.com-SSO")
+ app1 -. Okta_OrgSWA .-> jamf
+ end
+```
+
+The respective BloodHound collectors, e.g., OpenHound Github for GitHub organizations and OpenHound Jamf for Jamf Pro tenants, must be used to gather the external node information.
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx
new file mode 100644
index 0000000..ab9b1bd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx
@@ -0,0 +1,38 @@
+---
+title: 'Okta_OutboundOrgSSO'
+description: 'Single sign-on from an Okta application to an external organization'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_OutboundOrgSSO edges represent the Single Sign-On (SSO) relationships between Okta applications and supported external organizations or tenants, such as GitHub Enterprise or Jamf Pro, using SAML 2.0 or OIDC protocols.
+
+```mermaid
+graph LR
+ subgraph okta["OpenHound Okta"]
+ direction TB
+ o("Okta_Organization contoso.okta.com")
+ app1("Okta_Application GitHub Enterprise Cloud")
+ app2("Okta_Application Jamf Pro SAML")
+ o -- Okta_Contains --> app1
+ o -- Okta_Contains --> app2
+ end
+ subgraph "GitHub"
+ direction TB
+ ghorg("GH_Organization Contoso")
+ app1 -- Okta_OutboundOrgSSO --> ghorg
+ end
+ subgraph "Jamf"
+ direction TB
+ jamf("jamf_SSOIntegration contoso.jamfcloud.com-SSO")
+ app2 -- Okta_OutboundOrgSSO --> jamf
+ end
+```
+
+The respective BloodHound collectors, e.g., OpenHound Github for GitHub organizations and OpenHound Jamf for Jamf Pro tenants, must be used to gather the external node information.
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx
new file mode 100644
index 0000000..050131b
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx
@@ -0,0 +1,36 @@
+---
+title: 'Okta_OutboundSSO'
+description: 'Single sign-on from Okta to an external identity provider'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable hybrid Okta_OutboundSSO edges represent Single Sign-On relationships between Okta users and their linked accounts in external applications using federated authentication (SAML 2.0 or OIDC).
+
+```mermaid
+graph LR
+ subgraph okta["Okta"]
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ end
+ subgraph github["GitHub"]
+ ghu1("GH_User john\@contoso.com")
+ ghu2("GH_User alice\@contoso.com")
+ end
+ subgraph jamf["Jamf"]
+ jamfu1("jamf_Account john\@contoso.com")
+ end
+ subgraph snowflake["Snowflake"]
+ snu1("SNOW_User john\@contoso.com")
+ end
+ u1 -- Okta_OutboundSSO --> ghu1
+ u1 -- Okta_OutboundSSO --> jamfu1
+ u2 -- Okta_OutboundSSO --> ghu2
+ u1 -- Okta_OutboundSSO --> snu1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx
new file mode 100644
index 0000000..0de6bc3
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx
@@ -0,0 +1,56 @@
+---
+title: 'Okta_PasswordSync'
+description: 'Password synchronization between user accounts via AD integration, Org2Org, or SCIM'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_PasswordSync edge represents password synchronization between user accounts. This indicates that credentials are synchronized from a source user to a target user.
+
+In **Active Directory** hybrid setups, this edge is created between User (AD) and [Okta_User](/opengraph/extensions/okta/nodes/okta_user) when delegated authentication or password push is enabled. In **Org2Org** setups, this edge is created between [Okta_User](/opengraph/extensions/okta/nodes/okta_user) nodes across organizations when password synchronization is configured.
+
+
+The Okta API does not indicate if the actual password or a randomly generated value is pushed to the other organization.
+
+### Active Directory Hybrid
+
+```mermaid
+graph LR
+ subgraph ad["Active Directory"]
+ adu1("User john\@contoso.com")
+ end
+ subgraph okta["Okta"]
+ u1("Okta_User john\@contoso.com")
+ adu1 -->|Okta_PasswordSync| u1
+ adu1 .->|Okta_UserSync| u1
+ end
+```
+
+### Org2Org
+
+```mermaid
+graph LR
+ subgraph source_org["Okta Org Contoso"]
+ u1("Okta_User alice\@contoso.com")
+ app1("Okta_Application Adatum Org2Org App")
+ end
+ subgraph target_org["Okta Org Adatum"]
+ u2("Okta_User alice\@adatum.com")
+ idp2("Okta_IdentityProvider Contoso Org2Org OIDC")
+ app2("Okta_Application Contoso Sync API Service")
+ end
+ u1 -->|Okta_PasswordSync| u2
+ u1 -->|Okta_OutboundSSO| u2
+ u1 .->|Okta_UserSync| u2
+ u1 .->|Okta_UserPush| app1
+ u1 .->|Okta_AppAssignment| app1
+ app1 -->|Okta_ReadPasswordUpdates| u1
+ app1 -->|Okta_OutboundOrgSSO| idp2
+ idp2 -->|Okta_IdentityProviderFor| u2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx
new file mode 100644
index 0000000..b2578ab
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx
@@ -0,0 +1,41 @@
+---
+title: 'Okta_PolicyMapping'
+description: 'Association of a policy with an Okta application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_PolicyMapping edges represent the association between a policy and the resources to which it is applied.
+
+
+Only application targets are supported in the current version of the Okta BloodHound extension.
+
+```mermaid
+graph LR
+ o["Okta_Organization contoso.okta.com"]
+ p1["Okta_Policy Idp Discovery Policy {Type: 'IDP_DISCOVERY'}"]
+ p2["Okta_Policy Active Directory Policy {Type: 'PASSWORD'}"]
+ p3["Okta_Policy Okta Admin Console {Type: 'ACCESS_POLICY'}"]
+ p4["Okta_Policy Any two factors {Type: 'ACCESS_POLICY'}"]
+ p5["Okta_Policy Default Policy {Type: 'PROFILE_ENROLLMENT'}"]
+ a1["Okta_Application Okta Admin Console"]
+ a2["Okta_Application Salesforce"]
+ a3["Okta_Application Intranet Portal"]
+ o -->|Okta_Contains| p1
+ o -->|Okta_Contains| p2
+ o -->|Okta_Contains| p3
+ p3 -->|Okta_PolicyMapping| a1
+ o -->|Okta_Contains| p4
+ p4 -->|Okta_PolicyMapping| a2
+ p4 -->|Okta_PolicyMapping| a3
+ o -->|Okta_Contains| p5
+ p5 -->|Okta_PolicyMapping| a1
+ p5 -->|Okta_PolicyMapping| a2
+ p5 -->|Okta_PolicyMapping| a3
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx
new file mode 100644
index 0000000..9a046cb
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx
@@ -0,0 +1,33 @@
+---
+title: 'Okta_ReadClientSecret'
+description: 'Ability to read client secrets for scoped Okta applications'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_ReadClientSecret edges represent permissions that allow a principal (user, group, or application) to read OAuth client secrets for scoped Okta applications. These edges are created for the **Application Administrator**, **API Access Management Administrator**, and **Read-only Administrator** built-in roles and for custom roles with the `okta.apps.clientCredentials.read` permission.
+
+```mermaid
+graph TD
+ org("Okta_Organization contoso.okta.com")
+ u1("Okta_User john\@contoso.com")
+ g1("Okta_Group Auditors")
+ app1("Okta_Application HR Sync")
+ secret1("Okta_ClientSecret abcdefgh")
+ r1("Okta_Role Read-only Administrator")
+ u1 -- Okta_MemberOf --> g1
+ g1 -- Okta_ReadClientSecret --> secret1
+ secret1 -- Okta_SecretOf --> app1
+ app1 -- Okta_SuperAdmin --> org
+ g1 -. Okta_HasRole .-> r1
+```
+
+## Potential Attack Scenarios
+
+An attacker with the ability to read client secrets for an application assigned the Super Administrator role could potentially use the client secret to authenticate as that application and perform privileged actions in Okta.
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx
new file mode 100644
index 0000000..61220c8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx
@@ -0,0 +1,25 @@
+---
+title: 'Okta_ReadPasswordUpdates'
+description: 'Application can read password updates over the SCIM protocol'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_ReadPasswordUpdates edges represent applications that can read password updates over SCIM.
+
+```mermaid
+graph LR
+ org("Okta_Organization contoso.okta.com")
+ app("Okta_Application SCIM App")
+ user("Okta_User john\@contoso.com")
+ user2("Okta_User steve\@contoso.com")
+ app -- Okta_ReadPasswordUpdates --> user
+ user -- Okta_SuperAdmin --> org
+ user2 -- Okta_AppAdmin --> app
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx
new file mode 100644
index 0000000..a295da1
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx
@@ -0,0 +1,30 @@
+---
+title: 'Okta_RealmContains'
+description: 'Contains relationship between an Okta realm and its users'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_RealmContains edges represent containment relationships between realms and the users assigned to those realms.
+
+```mermaid
+graph LR
+ r1("Okta_Realm EU")
+ r2("Okta_Realm US")
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ u3("Okta_User bob\@contoso.com")
+ r1 -- Okta_RealmContains --> u1
+ r1 -- Okta_RealmContains --> u2
+ r2 -- Okta_RealmContains --> u3
+```
+
+
+Okta Realms are currently not supported by BloodHound due to licensing restrictions.
+
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx
new file mode 100644
index 0000000..6759ca6
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx
@@ -0,0 +1,23 @@
+---
+title: 'Okta_ResetFactors'
+description: 'Ability to reset MFA factors for scoped Okta users'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_ResetFactors edges represent custom role permissions that allow a principal to reset MFA authenticators for scoped Okta users. These edges are created when a custom role includes the `okta.users.credentials.resetFactors` or `okta.users.credentials.manage` permissions.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ g1("Okta_Group Tier 1 Support")
+ g1 -- Okta_ResetFactors --> u1
+ u2 -- Okta_ResetFactors --> u1
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx
new file mode 100644
index 0000000..62b799c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx
@@ -0,0 +1,44 @@
+---
+title: 'Okta_ResetPassword'
+description: 'Ability to reset passwords or temporary credentials for scoped Okta users'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_ResetPassword edges represent custom role permissions that allow a principal (user, group, or application) to reset passwords or temporary credentials for scoped Okta users. These edges are created when a custom role includes password management permissions such as `okta.users.credentials.resetPassword`, `okta.users.credentials.manage`, `okta.users.credentials.manageTemporaryAccessCode`, or `okta.users.manage`.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ g1("Okta_Group Help Desk")
+ app1("Okta_Application Automation")
+ g1 -- Okta_ResetPassword --> u2
+ g1 -- Okta_ResetFactors --> u2
+ app1 -- Okta_ResetPassword --> u1
+```
+
+The edge is calculated based on custom role scoping.
+
+```mermaid
+graph TD
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ g1("Okta_Group Help Desk")
+ rs("Okta_ResourceSet Frontline Workers")
+ a("Okta_RoleAssignment Authentication Admins")
+ r("Okta_CustomRole Authentication Admins")
+ g1 -. Okta_HasRole .-> r
+ a -. Okta_ScopedTo .-> rs
+ g1 -. Okta_HasRoleAssignment .-> a
+ rs -- Okta_ResourceSetContains --> u2
+ u1 -- Okta_MemberOf --> g1
+ g1 -- Okta_ResetPassword --> u2
+ g1 -- Okta_ResetFactors --> u2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx
new file mode 100644
index 0000000..8e63d8e
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx
@@ -0,0 +1,32 @@
+---
+title: 'Okta_ResourceSetContains'
+description: 'Membership of objects within an Okta resource set'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_ResourceSetContains edges represent the membership relationships between resource sets and their member entities in Okta:
+
+```mermaid
+graph LR
+ rs1("Okta_ResourceSet Sales Department Resources")
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ g1("Okta_Group Sales Team")
+ a1("Okta_Application GitHub")
+ d1("Okta_Device John's MacBook")
+ rs1 -- Okta_ResourceSetContains --> u1
+ rs1 -- Okta_ResourceSetContains --> g1
+ rs1 -- Okta_ResourceSetContains --> a1
+ rs1 -- Okta_ResourceSetContains --> d1
+ u2 -- Okta_MemberOf --> g1
+ rs1 -- Okta_ResourceSetContains --> u2
+```
+
+Note that users can also be members of resource sets indirectly through group memberships. The intermediate group will not appear in the graph, but the user membership will be resolved by the collector.
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx
new file mode 100644
index 0000000..bd1bd55
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx
@@ -0,0 +1,39 @@
+---
+title: 'Okta_ScopedTo'
+description: 'Scope relationship between a role assignment and its target'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The [Okta_HasRoleAssignment](/opengraph/extensions/okta/edges/okta_hasroleassignment) edges connect users, groups, and applications to their respective [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes. The Okta_ScopedTo edges connect the [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes to the resources they are scoped to, such as the organization or specific groups or applications.
+
+```mermaid
+graph TB
+ ra1("Okta_RoleAssignment Help Desk Administrator")
+ ra2("Okta_RoleAssignment Super Administrator")
+ r1("Okta_Role Help Desk Administrator")
+ r2("Okta_Role Super Administrator")
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ u3("Okta_User alice\@contoso.com")
+ g1("Okta_Group Seattle Help Desk")
+ g2("Okta_Group Seattle Office")
+ org("Okta_Organization contoso.okta.com")
+
+ u1 -- Okta_MemberOf --> g1
+ g1 -. Okta_HasRoleAssignment .-> ra1
+ g1 -. Okta_HasRole .-> r1
+ g1 -- Okta_HelpDeskAdmin --> u3
+ u3 -- Okta_MemberOf --> g2
+ ra1 -. Okta_ScopedTo .-> g2
+ u2 -. Okta_HasRoleAssignment .-> ra2
+ ra2 -. Okta_ScopedTo .-> org
+ u2 -- Okta_SuperAdmin --> org
+ u2 -. Okta_HasRole .-> r2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx
new file mode 100644
index 0000000..a4c47f5
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx
@@ -0,0 +1,26 @@
+---
+title: 'Okta_SecretOf'
+description: 'Client secret associated with an application or service integration'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_SecretOf edges represent the relationship between service applications or API service integrations and their associated client secrets, represented by the [Okta_ClientSecret](/opengraph/extensions/okta/nodes/okta_clientsecret) nodes.
+
+```mermaid
+graph LR
+ is1("Okta_APIServiceIntegration Elastic Agent")
+ is2("Okta_APIServiceIntegration Falcon Shield")
+ cs1("Okta_ClientSecret pdWB5I2I1LJ_cUAzD9fB1w")
+ cs2("Okta_ClientSecret lLRrn0i2tIa5YowaQuTdtQ")
+ cs3("Okta_ClientSecret EpGPhXPYLxqY2JEWRjTSAQ")
+ cs1 -- Okta_SecretOf --> is1
+ cs2 -- Okta_SecretOf --> is2
+ cs3 -- Okta_SecretOf --> is2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx
new file mode 100644
index 0000000..6f6f70d
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx
@@ -0,0 +1,23 @@
+---
+title: 'Okta_SuperAdmin'
+description: 'Super administrator role assignment'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: true
+
+## General Information
+
+The traversable Okta_SuperAdmin edges represent Super Administrator role assignments to the Okta organization. Super Administrators have full access to all features and settings in the Okta organization.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ app1("Okta_Application Service Account")
+ org("Okta_Organization contoso.okta.com")
+ u1 -- Okta_SuperAdmin --> org
+ app1 -- Okta_SuperAdmin --> org
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx
new file mode 100644
index 0000000..f300144
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx
@@ -0,0 +1,28 @@
+---
+title: 'Okta_SWA'
+description: 'Secure Web Authentication from Okta to an external application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable hybrid Okta_SWA edges represent Secure Web Authentication relationships between Okta users and their linked accounts in external applications. SWA stores user credentials in Okta and automatically fills them in, which is less secure than federated SSO.
+
+```mermaid
+graph LR
+ subgraph okta["Okta"]
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ end
+ subgraph op["1Password Business"]
+ opu1("OP_User john\@contoso.com")
+ opu2("OP_User alice\@contoso.com")
+ end
+ u1 -. Okta_SWA .-> opu1
+ u2 -. Okta_SWA .-> opu2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx
new file mode 100644
index 0000000..81328a7
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx
@@ -0,0 +1,23 @@
+---
+title: 'Okta_UserPull'
+description: 'Import of users from an external application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The Okta_UserPull edges represent user import relationships from external applications to Okta.
+
+```mermaid
+graph LR
+ app1("Okta_Application Workday")
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ app1 -. Okta_UserPull .-> u1
+ app1 -. Okta_UserPull .-> u2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx
new file mode 100644
index 0000000..d2bf678
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx
@@ -0,0 +1,25 @@
+---
+title: 'Okta_UserPush'
+description: 'Provisioning of users to an external application'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable Okta_UserPush edges represent user provisioning relationships from Okta to external applications. When configured, Okta can automatically create, update, or deactivate user accounts in integrated applications using protocols like SCIM or LDAP.
+
+```mermaid
+graph LR
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User alice\@contoso.com")
+ app1("Okta_Application GitHub Enterprise Cloud")
+ app2("Okta_Application Salesforce")
+ u1 -. Okta_UserPush .-> app1
+ u2 -. Okta_UserPush .-> app1
+ u2 -. Okta_UserPush .-> app2
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx
new file mode 100644
index 0000000..799625e
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx
@@ -0,0 +1,29 @@
+---
+title: 'Okta_UserSync'
+description: 'Bidirectional synchronization between Okta users and external identities'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Edge Schema
+
+Traversable: false
+
+## General Information
+
+The non-traversable hybrid Okta_UserSync edges represent bidirectional user synchronization relationships between Okta and external directories or applications. These edges indicate that user accounts are linked and synchronized between systems.
+
+```mermaid
+graph LR
+ subgraph ad["Active Directory"]
+ adu1("User john\@contoso.com")
+ end
+ subgraph okta["Okta"]
+ u1("Okta_User john\@contoso.com")
+ adu1 -. Okta_UserSync .-> u1
+ end
+ subgraph snowflake["Snowflake"]
+ snu1("SNOW_User john\@contoso.com")
+ u1 -. Okta_UserSync .-> snu1
+ end
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx
new file mode 100644
index 0000000..b3dcaac
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx
@@ -0,0 +1,31 @@
+---
+title: 'Okta_Agent'
+description: 'A synchronization or authentication agent in Okta'
+icon: '/images/extensions/okta/okta_agent.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+The Okta_Agent node represents an Okta Agent, which is a component used in Okta's integration with on-premises systems. Okta Agents facilitate communication between the Okta cloud and on-premises applications or directories, enabling features such as single sign-on (SSO) and user provisioning.
+
+One or more agents are grouped into Agent Pools, represented by the [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) nodes, to provide redundancy and load balancing.
+
+![Active Directory Agent in BloodHound](/images/extensions/okta/bloodhound-ad-agent.png)
+
+## Sample Property Values
+
+```yaml
+id: a53xfufl4rqWcHhQo697
+name: LON-SRV01
+displayName: LON-SRV01
+poolId: 0oaxg9rhdd7ncGCXv697
+oktaDomain: contoso.okta.com
+poolName: contoso.local
+operationalStatus: DISRUPTED
+updateStatus: Cancelled
+type: AD
+version: 3.22.0
+lastConnection: 2026-01-15T02:29:40+00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx
new file mode 100644
index 0000000..7553eba
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx
@@ -0,0 +1,38 @@
+---
+title: 'Okta_AgentPool'
+description: 'A pool of synchronization or authentication agents in Okta'
+icon: '/images/extensions/okta/okta_agentpool.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+The Okta_AgentPool nodes represent Okta Agent Pools, which are collections of Okta Agents (represented as [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) nodes) that work together to provide high availability and load balancing for on-premises integrations.
+
+The following agent pool types are supported by Okta:
+
+| Agent Pool Type | Description |
+|-----------------|-------------|
+| AD | [Active Directory](https://help.okta.com/en-us/content/topics/directory/ad-agent-integration-implementation-options.htm) |
+| IWA | [Integrated Windows Authentication (Kerberos/NTLM)](https://help.okta.com/en-us/content/topics/directory/ad-iwa-learn.htm) |
+| LDAP | [Lightweight Directory Access Protocol](https://help.okta.com/en-us/content/topics/directory/ldap-agent-supported-directories.htm) |
+| RADIUS | [RADIUS authentication proxy](https://help.okta.com/en-us/content/topics/integrations/radius-best-pract-flow.htm) |
+| MFA | |
+| OPP | |
+| RUM | |
+
+The most common agent pool type is the Active Directory (AD) Agent Pool, which consists of one or more AD Agents that facilitate bi-directional object synchronization between Okta and on-premises Active Directory environments.
+
+![Okta AD Agent Pools displayed in BloodHound](/images/extensions/okta/bloodhound-ad-agent-pool.png)
+
+## Sample Property Values
+
+```yaml
+id: 0oaxg9rhdd7ncGCXv697_pool
+name: contoso.local
+displayName: contoso.local
+oktaDomain: contoso.okta.com
+operationalStatus: DISRUPTED
+type: AD
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx
new file mode 100644
index 0000000..5883e96
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx 
@@ -0,0 +1,55 @@
+---
+title: 'Okta_ApiServiceIntegration'
+description: 'An API service integration'
+icon: '/images/extensions/okta/okta_apiserviceintegration.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+API service integrations in Okta represent OAuth 2.0 service (daemon) applications that can be granted machine-to-machine access to Okta APIs. There are some important differences between API service integrations and [regular OIDC service applications in Okta](/opengraph/extensions/okta/nodes/okta_application):
+
+| Feature | Service Applications | API Service Integrations |
+|----------------------------------------------|----------------------|--------------------------|
+| Can be created manually: | ✅ | ❌ |
+| Can be added from the OIN Catalog: | ✅ | ✅ |
+| Require role assignments: | ✅ | ❌ |
+| Support authentication using client secrets: | ✅ | ✅ |
+| Support authentication using private keys: | ✅ | ❌ |
+| Admins can read cleartext client secrets: | ✅ | ❌ |
+
+Okta API service integrations are represented as Okta_ApiServiceIntegration nodes.
+
+## Sample Property Values
+
+```yaml
+id: 0oaz7jy5f2oXnvtmN697
+name: Falcon Shield
+displayName: Falcon Shield
+oktaDomain: contoso.okta.com
+appType: falconshieldapiservice
+oauthScopes:
+ - okta.users.read
+ - okta.oauthIntegrations.read
+ - okta.threatInsights.read
+ - okta.devices.read
+ - okta.apiTokens.read
+ - okta.roles.read
+ - okta.logs.read
+ - okta.groups.read
+ - okta.apps.read
+ - okta.domains.read
+ - okta.factors.read
+ - okta.authenticators.read
+ - okta.policies.read
+ - okta.networkZones.read
+ - okta.features.read
+createdAt: 2026-01-15T12:25:42.000Z
+```
+
+## Integration OAuth 2.0 Scopes
+
+Each API service integration comes with a pre-defined set of OAuth 2.0 scopes to access Okta APIs:
+
+![Okta API service integration scopes in BloodHound](/images/extensions/okta/bloodhound-api-service-integration-scopes.png)
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx
new file mode 100644
index 0000000..1799971
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx
@@ -0,0 +1,33 @@
+---
+title: 'Okta_ApiToken'
+description: 'A secret used by users to authenticate to the Okta API'
+icon: '/images/extensions/okta/okta_apitoken.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+API tokens (also known as SSWS tokens) in Okta are used to authenticate and authorize access to the Okta API. They are typically used by applications and scripts that need to interact with Okta programmatically.
+
+These tokens are always associated with a specific user in Okta, and the permissions of the token are determined by the role assignments of that user. For example, if a user has the Super Administrator role, any API token generated by that user will have full access to all API endpoints. Moreover, the long-lived API tokens are typically stored in plaintext in application configuration files or environment variables, making them a high-value target for attackers.
+
+The use of API tokens is generally discouraged in favor of OAuth 2.0 access tokens, as they provide better security and flexibility. However, API tokens are still widely used by Okta customers.
+
+Okta API tokens are represented as Okta_ApiToken nodes in BloodHound.
+
+## Sample Property Values
+
+```yaml
+id: 00T36fk75smeJybKx697
+name: Postman
+displayName: Postman
+oktaDomain: contoso.okta.com
+userId: 00uw0o8iizq37KgKP697
+clientName: Okta API
+created: 2025-10-03T10:08:09+00:00
+lastUpdated: 2026-01-31T20:22:42+00:00
+expiresAt: 2026-03-02T20:22:42+00:00
+networkConnection: ANYWHERE
+tokenWindow: 30.00:00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx
new file mode 100644
index 0000000..f7d6a11
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx
@@ -0,0 +1,325 @@
+---
+title: 'Okta_Application'
+description: 'An application registered in Okta, such as a SAML app or an OIDC app'
+icon: '/images/extensions/okta/okta_application.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Applications in Okta represent the various software applications and services that users can access through the Okta organization. Applications can be configured to use different authentication methods, such as SAML, OIDC, or SWA. These protocols can either be configured manually by administrators or automatically by adding an application from Okta's App Integration Catalog, which provides a wide range of pre-configured cloud and on-premises application templates.
+
+With the exception of API Service applications, Okta users and groups can be assigned to applications. Users can also be synchronized TO and FROM applications in Okta, typically using the SCIM protocol. For example, when integrating with GitHub Enterprise Cloud, Okta can be configured to automatically create user accounts in GitHub when users are assigned to the GitHub application in Okta.
+
+Okta applications are represented as Okta_Application nodes.
+
+## Sample Property Values
+
+### Github Cloud
+
+```yaml
+id: 0oawyp12cjglrkfId697
+name: Github Contoso
+appType: githubcloud
+displayName: Github Contoso
+features: []
+githubOrg: Contoso
+hasRoleAssignments: false
+oktaDomain: contoso.okta.com
+signOnMode: SAML_2_0
+status: ACTIVE
+userNameMapping: ${source.login}
+created: 2025-10-31T06:08:00+00:00
+lastUpdated: 2025-10-31T06:08:01+00:00
+```
+
+### Google Workspace
+
+```yaml
+id: 0oax4r57x0V5NHL2W697
+afwOnly: false
+appType: google
+displayName: Google Workspace
+domain: contoso.com
+features: []
+hasRoleAssignments: false
+name: Google Workspace
+oktaDomain: contoso.okta.com
+signOnMode: SAML_2_0
+status: ACTIVE
+userNameMapping: ${source.login}
+created: 2025-11-05T09:06:48+00:00
+lastUpdated: 2025-11-05T09:07:21+00:00
+```
+
+### Jamf Pro SAML
+
+```yaml
+id: 0oax4r3ud0J2WjlNh697
+appType: jamfsoftwareserver
+displayName: Jamf Pro SAML
+domain: contoso.jamfcloud.com
+features: []
+hasRoleAssignments: false
+name: Jamf Pro SAML
+oktaDomain: contoso.okta.com
+signOnMode: SAML_2_0
+status: ACTIVE
+userNameMapping: ${source.login}
+created: 2025-11-05T09:10:52+00:00
+lastUpdated: 2026-01-19T14:33:39+00:00
+```
+
+### OpenHound Okta Collector
+
+```yaml
+id: 0oaw0pujq5WtBiMYD697
+name: OpenHound Okta Collector
+appType: oidc_client
+clientType: service
+displayName: OpenHound Okta Collector
+features: []
+grantTypes:
+ - client_credentials
+hasRoleAssignments: true
+oauthScopes:
+ - okta.trustedOrigins.read
+ - okta.policies.read
+ - okta.linkedObjects.read
+ - okta.authModes.read
+ - okta.templates.read
+ - okta.apiTokens.read
+ - okta.factors.read
+ - okta.brands.read
+ - okta.authenticators.read
+ - okta.uischemas.read
+ - okta.logs.read
+ - okta.groups.read
+ - okta.identitySources.read
+ - okta.users.read
+ - okta.orgs.read
+ - okta.threatInsights.read
+ - okta.pushProviders.read
+ - okta.apps.read
+ - ssf.read
+ - okta.roles.read
+ - okta.networkZones.read
+ - okta.emailDomains.read
+ - okta.manifests.read
+ - okta.oauthIntegrations.read
+ - okta.domains.read
+ - okta.deviceAssurance.read
+ - okta.reports.read
+ - okta.authorizationServers.read
+ - okta.enduser.read
+ - okta.schemas.read
+ - okta.idps.read
+ - okta.agentPools.read
+ - okta.appGrants.read
+ - okta.inlineHooks.read
+ - okta.certificateAuthorities.read
+ - okta.devices.read
+ - okta.behaviors.read
+ - okta.profileMappings.read
+ - okta.captchas.read
+ - okta.clients.read
+ - okta.features.read
+ - okta.sessions.read
+ - okta.userTypes.read
+oktaDomain: integrator-5415459.okta.com
+signOnMode: OPENID_CONNECT
+status: ACTIVE
+userNameMapping: ${source.login}
+created: 2025-10-02T10:11:20+00:00
+lastUpdated: 2025-10-02T10:26:27+00:00
+```
+
+### Active Directory Integration
+
+```yaml
+id: 0oaxg9rhdd7ncGCXv697
+name: contoso.local
+appType: active_directory
+displayName: contoso.local
+domainSid: S-1-5-21-71365889-924527929-2677699343
+features:
+ - IMPORT_PROFILE_UPDATES
+ - PROFILE_MASTERING
+ - OUTBOUND_DEL_AUTH
+ - IMPORT_USER_SCHEMA
+ - IMPORT_NEW_USERS
+filterGroupsByOU: false
+hasRoleAssignments: false
+namingContext: contoso.local
+oktaDomain: contoso.okta.com
+status: ACTIVE
+created: 2025-11-14T12:50:42+00:00
+lastUpdated: 2026-01-31T15:12:24+00:00
+```
+
+## User Name Mapping
+
+User name mapping from Okta to SAML 2.0, OpenID Connect (OIDC), and Secure Web Authentication (SWA) applications is configurable in the Okta Admin Console, with the default setting being the Okta username pass-through, i.e., `${source.login}`.
+
+| Application username format | Mapping template |
+|-------------------------------|-------------------------------------------------------------|
+| Okta username | `${source.login}` |
+| Email | `${source.email}` |
+| Okta username prefix | `${fn:substringBefore(source.login, "@")}` |
+| Email prefix | `${fn:substringBefore(source.email, "@")}` |
+| AD Employee ID | `${source.employeeID}` |
+| AD SAM account name | `${source.samAccountName}` |
+| AD SAM account name + domain | `${source.samAccountName}@${source.instance.namingContext}` |
+| AD user principal name | `${source.userName}` |
+| AD user principal name prefix | `${fn:substringBefore(source.userName, "@")}` |
+| (None) | `NONE` |
+| Custom | ? |
+
+## API Service Applications
+
+This application type is the most interesting one from the security perspective, as it represents OAuth 2.0 service (daemon) applications that can be granted machine-to-machine access to Okta APIs, without any user interaction. These applications can be assigned administrative roles, e.g., Super Admin, and OAuth 2.0 scope grants, e.g., `okta.users.manage`. Any API operation must be allowed by both the assigned roles and the granted scopes.
+
+![Okta Application scopes and roles in BloodHound](/images/extensions/okta/bloodhound-app-scopes.png)
+
+## Hybrid Edges
+
+For supported systems like Active Directory, GitHub Enterprise Cloud, or Jamf Pro, OpenHound can create hybrid edges in BloodHound to represent the relationships between these external systems and Okta.
+
+```mermaid
+graph TB
+ subgraph ad["Active Directory"]
+ direction LR
+ domain("Domain contoso.com")
+ adu1("User john\@contoso.com")
+ adu2("User steve\@contoso.com")
+ adg1("Group IT")
+ domain -- Contains --> adu1
+ domain -- Contains --> adu2
+ domain -- Contains --> adg1
+ adu1 -- MemberOf --> adg1
+ end
+ subgraph okta["Okta"]
+ direction LR
+ org("Okta_Organization contoso.okta.com")
+ u1("Okta_User john\@contoso.com")
+ u2("Okta_User steve\@contoso.com")
+ g1("Okta_Group IT")
+ gha("Okta_Application GitHub Enterprise Cloud")
+ jmfa("Okta_Application Jamf Pro SAML")
+ org -- Okta_Contains --> u1
+ org -- Okta_Contains --> u2
+ org -- Okta_Contains --> g1
+ u1 -- Okta_MemberOf --> g1
+ u2 -- Okta_AppAdmin --> gha
+ g1 -. Okta_AppAssignment .-> gha
+ u1 -. Okta_AppAssignment .-> jmfa
+ end
+ subgraph gh["GitHub Enterprise Cloud"]
+ direction LR
+ ghorg("GH_Organization Contoso")
+ ghu1("GH_User john\@contoso.com")
+ ghorg -- GH_Contains --> ghu1
+ end
+ subgraph jamf["Jamf Pro Cloud"]
+ direction LR
+ jamft("jamf_SSOIntegration contoso.jamfcloud.com-SSO")
+ jmfu1("jamf_Account john\@contoso.com")
+ end
+ adu1 -. Okta_UserSync .-> u1
+ adu2 -. Okta_UserSync .-> u2
+ adg1 -- Okta_MembershipSync --> g1
+ gha -- Okta_OutboundOrgSSO --> ghorg
+ jmfa -- Okta_OutboundOrgSSO --> jamft
+ u1 -- Okta_OutboundSSO --> ghu1
+ u1 -- Okta_OutboundSSO --> jmfu1
+```
+
+### Active Directory Synchronization
+
+When Okta's Active Directory (AD) integration is configured for user and group synchronization, the connected AD domain is represented as an Okta_Application node in BloodHound. This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles.
+
+The synchronization is performed by domain-joined servers with the Okta AD Agent installed. This agent typically has Domain Admin privileges in the connected AD domain to perform user and group enumeration and synchronization, making it a high-value target for attackers.
+
+![Okta AD agent settings](/images/extensions/okta/okta-ad-agent.png)
+
+Authentication can be delegated from Okta to AD in multiple ways:
+
+- [Agentless Desktop SSO](https://help.okta.com/oie/en-us/content/topics/directory/ad-dsso-about-workflow.htm)
+- [Password Synchronization](https://help.okta.com/oie/en-us/content/topics/directory/installing_configuring_active_directory_password_sync_agent.htm)
+- Active Directory Federation Services (ADFS) integration with Okta as a SAML IdP
+
+
+There is no documented API available to determine the authentication delegation method(s) configured for an AD-backed Okta application. The collector therefore performs some heuristics that might not be 100% accurate in all cases.
+
+### GitHub Enterprise Cloud Organizations
+
+When integrating Okta with GitHub Enterprise Cloud, each GitHub organization connected to Okta is represented as a separate Okta_Application node in BloodHound.
+
+![Properties of the GitHub Application node](/images/extensions/okta/bloodhound-github-properties.png)
+
+### Jamf Pro
+
+When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate Okta_Application node in BloodHound. The differentiator is the `domainFQDN` property:
+
+![Jamf Pro SAML application in BloodHound](/images/extensions/okta/bloodhound-jamf-saml-properties.png)
+
+It is also possible to integrate Jamf Pro with Okta using Secure Web Authentication (SWA), but this option is less secure.
+
+![Jamf Pro SWA settings](/images/extensions/okta/app-jamf-swa.png)
+
+## Google Workspace
+
+Similarly to the Jamf Pro SAML applications, each Google Workspace (formerly G Suite) instance connected to Okta using SAML 2.0 is represented as a separate Okta_Application node in BloodHound and is identified by the `domainFQDN` property:
+
+![Google Workspace SAML application in BloodHound](/images/extensions/okta/bloodhound-google-saml-properties.png)
+
+The SAML 2.0 protocol should always be preferred to SWA when integrating Okta with Google Workspace:
+
+![Google Workspace sign-in protocol settings](/images/extensions/okta/app-google-protocol-selector.png)
+
+## Generic SAML 2.0 Applications
+
+The assertion consumer service (ACS) URLs of generic (non-Catalog) Okta SAML 2.0 applications are exposed via the `url` attribute in BloodHound.
+
+![Okta SAML application in BloodHound](/images/extensions/okta/bloodhound-app-saml.png)
+
+## Generic Secure Web Authentication (SWA) Applications
+
+Secure Web Authentication (SWA) is an Okta technology that provides Single Sign-On (SSO) functionality to external web applications that don't support federated protocols. SWA applications store user credentials in Okta and automatically fill them in when users access the application through the Okta dashboard.
+
+The app's login page URL is exposed via the `url` attribute in BloodHound.
+
+![Okta SWA application in BloodHound](/images/extensions/okta/bloodhound-app-swa.png)
+
+## Generic OpenID Connect (OIDC) Applications
+
+Okta supports three types of OIDC applications:
+
+- Web Application
+- Single-Page Application (SPA)
+- Native Application
+
+The default redirect URI of generic (non-Catalog) Okta OIDC single-page applications (SPAs) starts with `http://localhost:8080/`, making it hard to identify the actual application address. The optional Okta-initiated sign-in flow URL is therefore exposed in the `url` attribute in BloodHound instead, if configured.
+
+OIDC applications can be granted OAuth 2.0 scopes to access Okta APIs on behalf of users:
+
+![Okta application OIDC grants](/images/extensions/okta/app-oidc-grants.png)
+
+## SCIM-Enabled Applications
+
+The `features` attribute of Okta_Application nodes may contain the following SCIM-related values, indicating if SCIM is enabled and which protocol capabilities are supported:
+
+| Feature | Description |
+|------------------------------|--------------------------------------------------------------------------------|
+| PUSH_NEW_USERS | Supports pushing new users from Okta to the application |
+| PUSH_PASSWORD_UPDATES | Supports pushing password updates from Okta to the application |
+| PUSH_PENDING_USERS | Supports pushing users from Okta to the application in pending state |
+| PUSH_PROFILE_UPDATES | Supports pushing profile updates from Okta to the application |
+| PUSH_USER_DEACTIVATION | Supports pushing user deactivation from Okta to the application |
+| REACTIVATE_USERS | Supports reactivating users in the application from Okta |
+| IMPORT_NEW_USERS | Supports importing new users into Okta from the application |
+| OPP_SCIM_INCREMENTAL_IMPORTS | Supports incremental imports of users from the application into Okta |
+| IMPORT_PROFILE_UPDATES | Updates a linked user's app profile in Okta during manual or scheduled imports |
+| GROUP_PUSH | Supports pushing groups and group memberships from Okta to the application |
+| PROFILE_MASTERING | Supports profile mastering in Okta, allowing the application to be the source of truth for user profiles |
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx
new file mode 100644
index 0000000..e416116
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx
@@ -0,0 +1,32 @@
+---
+title: 'Okta_AuthorizationServer'
+description: 'An authorization server in Okta'
+icon: '/images/extensions/okta/okta_authorizationserver.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Authorization servers in Okta are used to issue OAuth 2.0 access tokens for API access. They define the scopes, claims, and access policies that control how tokens are issued and what permissions they grant. Each Okta organization has a default authorization server, and administrators can create additional custom authorization servers for specific use cases.
+
+Okta authorization servers are represented as Okta_AuthorizationServer nodes.
+
+
+The relationships between authorization servers and applications are currently not evaluated in BloodHound.
+
+## Sample Property Values
+
+```yaml
+id: ausz6ipkn4u0hDzyf697
+name: app creation
+displayName: app creation
+oktaDomain: contoso.okta.com
+status: INACTIVE
+issuer: https://contoso.okta.com/oauth2/ausz6ipkn4u0hDzyf697
+issuerMode: DYNAMIC
+audiences:
+ - test
+created: 2026-01-14T15:41:28+00:00
+lastUpdated: 2026-01-14T16:09:30+00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx
new file mode 100644
index 0000000..c336679
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx
@@ -0,0 +1,34 @@
+---
+title: 'Okta_ClientSecret'
+description: 'A secret used by applications to authenticate to the Okta API'
+icon: '/images/extensions/okta/okta_clientsecret.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Client secrets are used by API service integrations and OIDC applications to authenticate with Okta and obtain access tokens.
+
+![Okta client secret creation](/images/extensions/okta/app-client-secret-creation.png)
+
+An application can have up to two client secrets configured, to allow for secret rotation.
+
+![Okta client secret rotation](/images/extensions/okta/app-client-secret-rotation.png)
+
+Client secrets are represented as Okta_ClientSecret nodes in BloodHound.
+
+
+For security reasons, the OpenHound and OktaHound collectors do not collect client secrets, only their hashed identifiers.
+
+## Sample Property Values
+
+```yaml
+id: ocsxqwizfyqsf0aVG697
+name: T1e6fl4jGqvPkgd94NKx5g
+displayName: T1e6fl4jGqvPkgd94NKx5g
+oktaDomain: contoso.okta.com
+status: ACTIVE
+created: 2025-11-24T12:24:08.000Z
+lastUpdated: 2025-11-24T12:24:08.000Z
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx
new file mode 100644
index 0000000..0e94243
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx
@@ -0,0 +1,49 @@
+---
+title: 'Okta_CustomRole'
+description: 'A custom role in Okta created by an administrator'
+icon: '/images/extensions/okta/okta_customrole.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Custom roles can be created with specific [permissions](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions/) and then assigned to [users](/opengraph/extensions/okta/nodes/okta_user), [groups](/opengraph/extensions/okta/nodes/okta_group), and [applications](/opengraph/extensions/okta/nodes/okta_application) over [resource sets](/opengraph/extensions/okta/nodes/okta_resourceset). [Complex conditions](https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/permission-conditions.htm) can be used if the custom admin role has one of the following permissions:
+
+- okta.users.read
+- okta.users.manage
+- okta.users.create
+
+Custom roles are represented as Okta_CustomRole and [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes, similar to built-in roles.
+
+## Sample Property Values
+
+```yaml
+id: cr0wwdjuk0w96MpFr697
+name: IAM Readers
+displayName: IAM Readers
+oktaDomain: contoso.okta.com
+created: 2025-10-29T12:45:55+00:00
+lastUpdated: 2025-10-30T13:35:36+00:00
+permissions:
+ - okta.iam.read
+```
+
+## Abusable Permissions of Custom Roles in Okta
+
+The following Okta permissions are particularly interesting from an offensive security perspective, as they can be abused to escalate privileges in hybrid scenarios:
+
+- okta.users.manage
+- okta.users.credentials.manage
+- okta.users.credentials.resetFactors
+- okta.users.credentials.resetPassword
+- okta.users.credentials.expirePassword
+- okta.users.credentials.manageTemporaryAccessCode
+- okta.groups.manage
+- okta.groups.members.manage
+- okta.apps.manage
+- okta.apps.clientCredentials.read
+
+
+The research on abusable Okta permissions is still ongoing.
+
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx
new file mode 100644
index 0000000..d10e0c2
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx
@@ -0,0 +1,60 @@
+---
+title: 'Okta_Device'
+description: 'A device registered in Okta, such as a mobile phone or a computer'
+icon: '/images/extensions/okta/okta_device.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Devices in Okta represent the physical or virtual devices that users use to authenticate and access the Okta organization. Devices can optionally be managed by 3rd party MDM solutions, which allow administrators to enforce security compliance policies.
+
+Okta devices are represented as Okta_Device nodes.
+
+## Sample Property Values
+
+Windows device:
+
+```yaml
+id: 4C4C4544-0057-4C10-8057-C8C04F573934@contoso.okta.com
+name: PC01
+displayName: PC01
+oktaDomain: contoso.okta.com
+oktaId: guoxrzqh8jBxYxEeJ697
+created: 2025-11-25T11:01:53+00:00
+lastUpdated: 2026-02-17T08:55:45+00:00
+status: ACTIVE
+resourceType: UDDevice
+platform: WINDOWS
+manufacturer: Dell Inc.
+model: XPS 14 9440
+osVersion: 10.0.26200.7623
+registered: true
+secureHardwarePresent: true
+jailBreak: false
+udid: 4C4C4544-0057-4C10-8057-C8C04F573934
+objectSid: S-1-5-21-1084505731-826279434-3585917670
+serialNumber: HWLWW94
+```
+
+iOS device:
+
+```yaml
+id: guowq18eyhZaDlkkA697
+name: John's iPhone
+displayName: John's iPhone
+oktaDomain: contoso.okta.com
+oktaId: guowq18eyhZaDlkkA697
+status: ACTIVE
+resourceType: UDDevice
+platform: IOS
+manufacturer: APPLE
+model: iPhone17,1
+osVersion: 18.6.2
+registered: true
+secureHardwarePresent: true
+jailBreak: false
+created: 2025-10-23T17:16:46+00:00
+lastUpdated: 2025-10-23T17:16:47+00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx
new file mode 100644
index 0000000..6e8c114
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx
@@ -0,0 +1,85 @@
+---
+title: 'Okta_Group'
+description: 'An Okta user group'
+icon: '/images/extensions/okta/okta_group.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Groups in Okta are collections of users that can be used to manage access to applications and resources. Groups can be created manually or synchronized from external directories such as Active Directory. The built-in **Everyone** group always contains all users in the Okta organization. Only users can be members of groups and groups cannot be nested.
+
+Okta groups are represented as Okta_Group nodes.
+
+## Sample Property Values
+
+Example of a group created directly in Okta:
+
+```yaml
+id: 00gxg12p4kFOkyXLb697
+name: Engineering
+displayName: Engineering
+description: Engineering department group
+oktaDomain: contoso.okta.com
+hasRoleAssignments: false
+oktaGroupType: OKTA_GROUP
+objectClass: okta:user_group
+created: 2025-11-14T08:00:25+00:00
+lastUpdated: 2025-11-14T08:00:25+00:00
+lastMembershipUpdated: 2025-11-14T08:00:25+00:00
+```
+
+Example of a group synchronized from Active Directory:
+
+```yaml
+id: 00gxga7s3yDJ71OzW697
+name: Sales
+displayName: Sales
+description: Sales department group
+oktaDomain: contoso.okta.com
+hasRoleAssignments: false
+oktaGroupType: APP_GROUP
+objectClass: okta:windows_security_principal
+objectSid: S-1-5-21-71365889-924527929-2677699343-2536
+distinguishedName: CN=Sales,CN=Groups,DC=contoso,DC=local
+samAccountName: Sales
+domainQualifiedName: CONTOSO\Sales
+groupScope: Global
+groupType: Security
+objectGuid: 4ab65ef0-ab82-4017-b5ee-1c20facd4d6a
+created: 2025-11-14T12:58:13+00:00
+lastUpdated: 2025-11-14T13:05:44+00:00
+lastMembershipUpdated: 2025-11-14T12:58:13+00:00
+```
+
+## Synchronization with External Directories
+
+Similarly to users, groups can also be synchronized from external directories.
The Okta API exposes the original Active Directory attributes:
+
+![Group synchronized from AD](/images/extensions/okta/bloodhound-ad-synced-group.png)
+
+Nested (transitive) group memberships in Active Directory are always flattened (resolved) when synchronized to Okta, as illustrated below:
+
+```mermaid
+graph TB
+    subgraph ad["Active Directory"]
+        ag1("Group A")
+        ag2("Group B")
+        u1("User 1")
+        u2("User 2")
+        u1 -- MemberOf --> ag1
+        u2 -- MemberOf --> ag2
+        ag2 -- MemberOf --> ag1
+    end
+    subgraph Okta
+        og1("Okta_Group A")
+        og2("Okta_Group B")
+        u1o("Okta_User 1")
+        u2o("Okta_User 2")
+        u1o -- Okta_MemberOf --> og1
+        u2o -- Okta_MemberOf --> og1
+        u2o -- Okta_MemberOf --> og2
+    end
+    ad == Sync ==> Okta
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx
new file mode 100644
index 0000000..3473a29
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx
@@ -0,0 +1,35 @@
+---
+title: 'Okta_IdentityProvider'
+description: 'An identity provider trusted by Okta for authentication'
+icon: '/images/extensions/okta/okta_identityprovider.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Identity Providers (IdPs) in Okta represent external authentication sources that can be used to authenticate users. These can include social identity providers (such as Google, Facebook, or Microsoft), enterprise identity providers using SAML or OIDC, or other Okta organizations in an Org2Org configuration.
+
+When users authenticate through an external identity provider, Okta can optionally create or link user accounts, enabling federated authentication across multiple systems.
+
+Okta identity providers are represented as Okta_IdentityProvider nodes.
+
+
+The inbound identity provider routing rules and JIT (Just-In-Time) provisioning settings are currently not evaluated.
+
+## Sample Property Values
+
+```yaml
+id: 0oazpi53t1cRNcPL4697
+name: Microsoft Entra ID
+displayName: Microsoft Entra ID
+oktaDomain: contoso.okta.com
+created: 2026-01-31T15:21:37+00:00
+issuerMode: DYNAMIC
+type: MICROSOFT
+enabled: false
+autoUserProvisioning: true
+governedGroupIds: []
+protocolType: OIDC
+url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx
new file mode 100644
index 0000000..d7a72e8
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx
@@ -0,0 +1,28 @@
+---
+title: 'Okta_JWK'
+description: 'An Okta JSON Web Key'
+icon: '/images/extensions/okta/okta_jwk.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+JSON Web Keys (JWKs) are used by OAuth 2.0 client applications to authenticate with Okta using the `private_key_jwt` client authentication method. This is an asymmetric authentication mechanism where the application possesses a private key and Okta stores the corresponding public key. A service application can have multiple JWKs configured for key rotation purposes.
+
+JWKs are represented as Okta_JWK nodes in BloodHound.
+
+## Sample Property Values
+
+```yaml
+id: pksw0py294dQ80EdI697
+name: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
+displayName: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
+oktaDomain: contoso.okta.com
+status: ACTIVE
+kid: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
+kty: RSA
+use: sig
+created: 2025-10-02T10:14:44Z
+lastUpdated: 2025-10-02T10:26:27Z
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx
new file mode 100644
index 0000000..f9c60f1
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx
@@ -0,0 +1,26 @@
+---
+title: 'Okta_Organization'
+description: 'An Okta organization'
+icon: '/images/extensions/okta/okta_organization.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+The Organization entity represents the Okta tenant itself. It contains general information about the organization, such as its name, domain, and settings.
+
+The Okta organization is represented as a single Okta_Organization node.
+
+## Sample Property Values
+
+```yaml
+id: 00ow0o8if0CNwsKmk697
+name: contoso.okta.com
+displayName: Contoso
+oktaDomain: contoso.okta.com
+subdomain: contoso
+status: ACTIVE
+created: 2025-10-02T09:21:31+00:00
+lastUpdated: 2025-12-09T23:04:15+00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx
new file mode 100644
index 0000000..d0fa4d1
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx
@@ -0,0 +1,45 @@
+---
+title: 'Okta_Policy'
+description: 'A policy defining rules for authentication, password, or other features in Okta'
+icon: '/images/extensions/okta/okta_policy.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Policies in Okta define the rules and conditions that govern authentication, authorization, and security behaviors within an organization. They control aspects such as password requirements, MFA enrollment, session management, and application access.
+
+Okta policies are represented as Okta_Policy nodes.
+
+## Sample Property Values
+
+```yaml
+id: rstw0o8il8ktUxo3t697
+name: Okta Account Management Policy
+displayName: Okta Account Management Policy
+oktaDomain: contoso.okta.com
+description: This policy defines how users must authenticate for authenticator enrollment, password reset, or unlock account. Password policy rules control whether to enforce this policy for password reset and unlock account.
+type: ACCESS_POLICY
+priority: 1
+system: false
+created: 2025-10-02T09:21:37+00:00
+```
+
+## Policy Types
+
+The following [policy types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) are supported by Okta:
+
+| Policy Type ID | Description |
+|----------------|-------------|
+| OKTA_SIGN_ON | [Global session policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-okta-sign-on-policies.htm) |
+| PASSWORD | [Password policies](https://help.okta.com/en-us/content/topics/security/policies/about-password-policies.htm) |
+| MFA_ENROLL | [Authenticator enrollment policies](https://help.okta.com/en-us/content/topics/security/policies/configure-mfa-policies.htm) |
+| IDP_DISCOVERY | [Identity Provider routing rules](https://help.okta.com/en-us/content/topics/security/identity_provider_discovery.htm) |
+| ACCESS_POLICY | [App sign-in policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-app-sign-on-policies.htm) |
+| 
DEVICE_SIGNAL_COLLECTION | [Device signal collection policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/create-device-signal-collection-ruleset.htm) |
+| PROFILE_ENROLLMENT | [User profile policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/create-profile-enrollment-policy.htm) |
+| POST_AUTH_SESSION | [Identity Threat Protection policies](https://help.okta.com/oie/en-us/content/topics/itp/overview.htm) |
+| ENTITY_RISK | [Entity risk policies](https://help.okta.com/oie/en-us/content/topics/itp/entity-risk-policy.htm) |
+
+The OpenHound collector specifically reads the `IDP_DISCOVERY` policies to check if the [Agentless Desktop SSO](https://help.okta.com/en-us/content/topics/directory/configuring_agentless_sso.htm) feature is enabled in the organization through at least one such policy.
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx
new file mode 100644
index 0000000..cc79f64
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx
@@ -0,0 +1,32 @@
+---
+title: 'Okta_Realm'
+description: 'An Okta realm'
+icon: '/images/extensions/okta/okta_realm.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Okta Realms are used to define authentication boundaries within an Okta organization. They allow administrators to segment users and applications based on different criteria, such as geographic location, business unit, or security requirements.
+
+Okta Realms are represented as Okta_Realm nodes.
+
+
+Okta Realms are currently not supported due to licensing restrictions.
+
+## Sample Property Values
+
+```yaml
+id: guor3k19x7pVQ6Abc0g7
+name: Car Co
+displayName: Car Co
+oktaDomain: contoso.okta.com
+type: PARTNER
+isDefault: false
+domains:
+  - atko.com
+  - user.com
+created: 2025-06-01T08:00:00.0000000+00:00
+lastUpdated: 2026-02-20T07:45:12.0000000+00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx
new file mode 100644
index 0000000..128db5c
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx
@@ -0,0 +1,49 @@
+---
+title: 'Okta_ResourceSet'
+description: 'A resource set containing users, groups, applications, and other Okta objects'
+icon: '/images/extensions/okta/okta_resourceset.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Resource sets are collections of entities that can be used to scope custom role assignments in Okta. A resource set can contain the following object types:
+
+- [x] [Users](/opengraph/extensions/okta/nodes/okta_user)
+- [x] [Groups](/opengraph/extensions/okta/nodes/okta_group)
+- [x] [Applications](/opengraph/extensions/okta/nodes/okta_application)
+- [x] [API Service Integrations](/opengraph/extensions/okta/nodes/okta_apiserviceintegration)
+- [x] [Devices](/opengraph/extensions/okta/nodes/okta_device)
+- [x] [Authorization servers](/opengraph/extensions/okta/nodes/okta_authorizationserver)
+- [x] [Identity Providers](/opengraph/extensions/okta/nodes/okta_identityprovider)
+- [x] [Policies](/opengraph/extensions/okta/nodes/okta_policy)
+  - [x] Entity risk policy
+  - [x] Session protection policy
+  - [x] Authentication policy
+  - [x] Global session policy
+  - [x] End user account management policy
+- [ ] Shared Signals Framework (SSF) Receivers
+- [ ] ~~Workflows~~ (Gaps in the Okta API)
+- [ ] ~~Customizations~~ (Gaps in the Okta API)
+- [ ] ~~Support cases~~ (Gaps in the Okta API)
+- [ ] ~~Identity and Access Management Resources~~ (Gaps in the Okta API)
+
+
+Only the marked resource types are currently supported as resource set members. Some resource types, such as Workflows, are not accessible via the Okta API at all.
+
+![Okta Resource Set displayed in BloodHound](/images/extensions/okta/bloodhound-resource-set.png)
+
+Okta resource sets are represented as Okta_ResourceSet nodes.
+
+## Sample Property Values
+
+```yaml
+id: WORKFLOWS_IAM_POLICY@contoso.okta.com
+name: Workflows Resource Set
+displayName: Workflows Resource Set
+oktaDomain: contoso.okta.com
+description: A resource set managed by Workflows Administrator
+created: 2025-10-22T13:29:26+00:00
+lastUpdated: 2025-10-22T13:29:26+00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx
new file mode 100644
index 0000000..0649ffd
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx
@@ -0,0 +1,85 @@
+---
+title: 'Okta_Role'
+description: 'A built-in role in Okta, such as Super Admin or Group Admin'
+icon: '/images/extensions/okta/okta_role.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+Okta provides a handful of [built-in administrative roles](https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm) that can be assigned to users, groups, and applications to delegate administrative tasks. These roles have predefined permissions and cannot be modified.
+
+The following roles are organization-wide:
+
+- Super Administrator
+- Organization Administrator
+- API Access Management Administrator
+- Mobile Administrator
+- Workflows Administrator
+- Report Administrator
+- Read-only Administrator
+
+The most powerful role is the **Super Administrator**, which has full access to all features and settings in the Okta organization.
+
+The following roles can either be scoped to specific resources or assigned organization-wide:
+
+- Group Administrator (AKA User Administrator)
+- Group Membership Administrator
+- Help Desk Administrator
+- Application Administrator
+
+
+Although the Workflows Administrator role is a built-in role, the Okta API treats it as a custom role that is scoped to the built-in `Workflows Resource Set`.
+
+Okta built-in roles are represented as Okta_Role nodes.
+
+## Sample Property Values
+
+```yaml
+id: APP_ADMIN@contoso.okta.com
+name: Application Administrator
+displayName: Application Administrator
+oktaDomain: contoso.okta.com
+permissions:
+  - okta.apps.manage
+  - okta.apps.read
+  - okta.apps.assignment.manage
+  - okta.apps.clientCredentials.read
+  - okta.users.appAssignment.manage
+  - okta.groups.appAssignment.manage
+  - okta.policies.manage
+  - okta.policies.read
+  - okta.users.read
+  - okta.groups.read
+  - okta.users.userprofile.manage
+  - okta.users.userprofile.read
+  - okta.profilesources.import.run
+  - okta.agents.register
+  - okta.realms.read
+```
+
+## Built-In Role Identifiers
+
+When working with roles using the Okta API, the built-in roles are referenced by the following identifiers:
+
+| Role Identifier | Role Name |
+|-----------------------------|-------------------------------------|
+| SUPER_ADMIN | Super Administrator |
+| ORG_ADMIN | Organization Administrator |
+| USER_ADMIN | Group Administrator |
+| GROUP_MEMBERSHIP_ADMIN | Group Membership Administrator |
+| APP_ADMIN | Application Administrator |
+| API_ACCESS_MANAGEMENT_ADMIN | API Access Management Administrator |
+| ~~API_ADMIN~~ | API Administrator (Deprecated?) |
+| HELP_DESK_ADMIN | Help Desk Administrator |
+| MOBILE_ADMIN | Mobile Administrator |
+| WORKFLOWS_ADMIN | Workflows Administrator |
+| REPORT_ADMIN | Report Administrator |
+| READ_ONLY_ADMIN | Read-Only Administrator |
+
+To make the role identifiers unique, the OpenHound collector adds the organization domain name as a suffix to each role's ID, e.g., `SUPER_ADMIN@contoso.okta.com`.
+
+## Built-In Role Permissions
+
+Unlike custom roles, built-in roles have fixed permissions that cannot be changed. However, the exact OAuth 2.0 scopes granted to each built-in role are not publicly documented by Okta and cannot even be retrieved via the API. We therefore did the mapping by ourselves based on the role descriptions in the Okta documentation.
Hence, the resulting permissions ingested to BloodHound are best-effort approximations and may not be 100% accurate.
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx
new file mode 100644
index 0000000..da93987
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx
@@ -0,0 +1,25 @@
+---
+title: 'Okta_RoleAssignment'
+description: 'A set of permissions assigned to a user, group, or an application in Okta'
+icon: '/images/extensions/okta/okta_roleassignment.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+To help visualize role assignments in BloodHound, Okta_RoleAssignment nodes are created for each role assignment in Okta. These nodes represent the relationship between a [user](/opengraph/extensions/okta/nodes/okta_user), [group](/opengraph/extensions/okta/nodes/okta_group), or [application](/opengraph/extensions/okta/nodes/okta_application) and a role ([built-in](/opengraph/extensions/okta/nodes/okta_role) or [custom](/opengraph/extensions/okta/nodes/okta_customrole)).
+
+## Sample Property Values
+
+```yaml
+id: irbwnwe8vjjXl4FbX697_00uw2sodowQc75SUm697
+name: Workflows Administrator
+displayName: Workflows Administrator
+oktaDomain: contoso.okta.com
+assignmentType: USER
+type: WORKFLOWS_ADMIN
+status: ACTIVE
+created: 2025-10-22T13:29:26+00:00
+lastUpdated: 2025-10-22T13:29:26+00:00
+```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx
new file mode 100644
index 0000000..ca3f078
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx
@@ -0,0 +1,74 @@
+---
+title: 'Okta_User'
+description: 'An Okta user account'
+icon: '/images/extensions/okta/okta_user.png'
+---
+
+Applies to BloodHound Enterprise and CE
+
+## Overview
+
+User objects (AKA People) represent individuals who have access to the Okta organization. Each user has a unique identifier, username in the email address format, and various attributes such as email, first name, last name, and status.
+
+Okta users are represented as Okta_User nodes.
+
+## Sample Property Values
+
+```yaml
+id: 00uw2sodn4ZPJJQyx697
+name: john.doe@contoso.com
+displayName: John Doe
+oktaDomain: contoso.okta.com
+login: john.doe@contoso.com
+email: john.doe@contoso.com
+firstName: John
+lastName: Doe
+title: Senior Identity Engineer
+department: Security Engineering
+city: Seattle
+state: WA
+countryCode: US
+status: ACTIVE
+enabled: true
+hasRoleAssignments: false
+credentialProviderName: OKTA
+credentialProviderType: OKTA
+managerId: joe.smith@contoso.com
+created: 2025-10-03T18:45:57+00:00
+activated: 2025-10-03T19:02:11+00:00
+passwordChanged: 2026-01-12T14:27:03+00:00
+lastLogin: 2026-02-20T09:41:55+00:00
+lastUpdated: 2025-10-29T11:09:47+00:00
+```
+
+## User Status
+
+User status can have [multiple values](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User), as illustrated below:
+
+![Okta user status](https://developer.okta.com/docs/api/images/users/okta-user-status.png)
+
+To simplify analysis in BloodHound, the OpenHound collector maps the **Status** attribute to the virtual boolean **Enabled** attribute as follows:
+
+| Okta User Status | Enabled | Explanation |
+|------------------|---------|----------------------------------|
+| ACTIVE | ✅ | User can authenticate. |
+| PASSWORD_EXPIRED | ✅ | User's password has expired but can still authenticate. |
+| LOCKED_OUT | ✅ | User is locked out but can still authenticate after unlocking. |
+| PROVISIONED | ✅ | User is provisioned but cannot authenticate yet. 
|
+| RECOVERY | ✅ | User is in recovery mode and cannot authenticate. |
+| SUSPENDED | ❌ | User is suspended and cannot authenticate. |
+| STAGED | ❌ | User is staged and cannot authenticate yet. |
+| DEPROVISIONED | ❌ | User is deprovisioned and cannot authenticate. |
+
+
+This mapping is a simplification and may not cover all edge cases. Always refer to the actual **Status** attribute for precise user state information.
+
+## Authentication Factors
+
+Okta supports various authentication factors for multi-factor authentication (MFA), such as SMS, email, push notifications, and hardware tokens. In case of mobile and desktop applications, these authentication factors are associated with the [Device](/opengraph/extensions/okta/nodes/okta_device) entities. Other authentication factors, such as YubiKeys and Google Authenticator, are not represented as separate nodes in BloodHound, but the number of enrolled factors is stored in the `authenticationFactors` attribute of the Okta_User nodes.
+
+## Synchronization with External Directories
+
+Users can be synchronized from external directories such as Active Directory (AD) or LDAP. When synchronized, certain attributes may be mapped from the external directory to the Okta user profile.
+
+![Additional Active Directory attributes](/images/extensions/okta/user-ad-attributes.png)
diff --git a/docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx b/docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx
new file mode 100644
index 0000000..e010b65
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx
@@ -0,0 +1,55 @@
+---
+title: Privilege Zone Rules
+description: Okta extension Privilege Zone rules
+icon: "gem"
+---
+
+Applies to BloodHound Enterprise and CE
+The following Privilege Zone rules can be imported into BloodHound to group nodes for Cypher query analysis and BloodHound Enterprise finding generation.
+
+This file is automatically generated from the [JSON Privilege Zone rule files](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules).
+
+
+## Organization
+
+Organization nodes in Okta.
+
+Zone: Tier Zero
+
+```cypher
+MATCH (n:Okta_Organization)
+RETURN n
+```
+
+This rule is defined in the [organization.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules/organization.json) file.
+
+## Tier Zero Devices
+
+Devices associated with principals who have SUPER_ADMIN or ORG_ADMIN role assignments.
+
+Zone: Tier Zero
+
+```cypher
+MATCH (n:Okta_Device)-[:Okta_DeviceOf]->(:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(r:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
+WHERE r.type = "SUPER_ADMIN"
+OR r.type = "ORG_ADMIN"
+RETURN n
+```
+
+This rule is defined in the [tier0-devices.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules/tier0-devices.json) file.
+
+## Tier Zero Principals
+
+Principals with SUPER_ADMIN or ORG_ADMIN role assignments.
+
+Zone: Tier Zero
+
+```cypher
+MATCH (n:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(r:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
+WHERE r.type = "SUPER_ADMIN"
+OR r.type = "ORG_ADMIN"
+RETURN n
+```
+
+This rule is defined in the [tier0-principals.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules/tier0-principals.json) file.
+
diff --git a/docs/official-docs/opengraph/extensions/okta/queries.mdx b/docs/official-docs/opengraph/extensions/okta/queries.mdx
new file mode 100644
index 0000000..310fe21
--- /dev/null
+++ b/docs/official-docs/opengraph/extensions/okta/queries.mdx 
@@ -0,0 +1,586 @@
+---
+title: Cypher Queries
+description: Okta extension Cypher queries
+icon: code
+---
+
+Applies to BloodHound Enterprise and CE
+The following custom Cypher queries can be imported into BloodHound to enhance visibility.
+
+This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches).
+
+
+## Agents, Agent Pools, and Host Servers
+
+Lists Okta agents, their associated agent pools, and the AD servers hosting each agent.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(agent)
+WHERE agent:Okta_Agent OR agent:Computer
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [ad-agents.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/ad-agents.json) file.
+
+## Principals with Admin Console Access
+
+Identifies principals with access to the Okta Admin Console.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(console:Okta_Application)
+WHERE console.appType = "saasure"
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [admin-console-access.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/admin-console-access.json) file.
+
+## Application Assignments
+
+List all application assignments.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application)
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [app-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/app-assignments.json) file.
+
+## Application Credentials
+
+Lists all service application secrets and JWTs.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]->(credential)
+WHERE credential:Okta_ClientSecret OR credential:Okta_JWK
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [app-credentials.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/app-credentials.json) file.
+
+## Devices
+
+List all devices, their owners, and any mobile admins.
+
+```cypher
+MATCH path = (:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User)
+OPTIONAL MATCH adminPath = (admin)-[:Okta_MobileAdmin]->(:Okta_Device)
+WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application
+RETURN path,adminPath
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [devices.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/devices.json) file.
+
+## Group Membership
+
+Retrieves all group membership relationships.
+
+```cypher
+MATCH path = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [group-members.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/group-members.json) file.
+
+## Hybrid Relationships Inbound
+
+Retrieves all hybrid relationships from external systems to Okta.
+
+```cypher
+MATCH path = (source)-[]->(:Okta)
+WHERE NOT source:Okta
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [hybrid-inbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-inbound.json) file.
+
+## Hybrid Relationships Outbound
+
+Retrieves all hybrid relationships from Okta to external systems.
+
+```cypher
+MATCH path = (:Okta)-[]->(target)
+WHERE NOT target:Okta
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [hybrid-outbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-outbound.json) file.
+
+## Security Principal Synchronization
+
+Retrieves all users and groups that are synchronized TO or FROM Okta.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta)
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [hybrid-sync.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-sync.json) file.
+
+## Identity Provider Assignments - Direct Privileged Access
+
+Identity providers associated with users or groups that hold direct privileged role assignments in Okta.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
+WHERE assignee:Okta_User OR assignee:Okta_Group
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [identity-providers-direct-privileged.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers-direct-privileged.json) file.
+
+## Identity Provider Assignments - Indirect Privileged Access
+
+Identity providers associated with users who hold privileged role assignments through group membership in Okta.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta)
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [identity-providers-indirect-privileged.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers-indirect-privileged.json) file.
+
+## Identity Provider Assignments
+
+Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)
+WHERE assignee:Okta_User OR assignee:Okta_Group
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [identity-providers.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers.json) file.
+
+## Organizational Structure
+
+Retrieves all manager relationships.
+
+```cypher
+MATCH path = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User)
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [org-chart.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/org-chart.json) file.
+
+## Org Trust Relationships
+
+Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants.
+
+```cypher
+MATCH path = (source)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-()
+WHERE source:Okta_Application OR source:Okta_IdentityProvider
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [org-trust-relationships.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/org-trust-relationships.json) file.
+
+## Password and MFA Permissions
+
+Lists permissions to reset passwords and MFA factors.
+
+```cypher
+MATCH path = (:Okta_Organization)-[:Okta_Contains]->(actor)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User)
+WHERE actor:Okta_User OR actor:Okta_Group OR actor:Okta_Application
+RETURN path
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [password-and-mfa-permissions.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/password-and-mfa-permissions.json) file.
+
+## Policy Mappings
+
+Retrieves all policy mappings.
+
+```cypher
+MATCH policies = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Policy)
+MATCH mappings = (:Okta_Policy)-[:Okta_PolicyMapping]->(:Okta)
+RETURN policies,mappings
+LIMIT 1000
+```
+
+This query can be imported into BloodHound from the [policy-mappings.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/policy-mappings.json) file.
+
+## Unrotated Active Access Keys on Privileged Apps
+
+Finds active JWKs or client secrets older than 365 days on applications that have role assignments.
+ +```cypher +MATCH path = (credential)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE (credential:Okta_JWK OR credential:Okta_ClientSecret) AND credential.status = "ACTIVE" AND datetime(credential.created) <= datetime() - duration("P365D") +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-app-unrotated-access-keys.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-app-unrotated-access-keys.json) file. + +## Applications with Role Assignments + +Applications that have roles assigned. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-apps.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-apps.json) file. + +## Synced Principals with Privileged Access (Direct) - Hybrid Edges + +Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta. + +```cypher +MATCH path = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE principal:Okta_User OR principal:Okta_Group OR principal:Okta_Application +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-hybrid-inbound-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-hybrid-inbound-direct.json) file. 
+ +## Synced Principals with Privileged Access (Indirect) - Hybrid Edges + +Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta. + +```cypher +MATCH path = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE principal:Okta_User OR principal:Okta_Application +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-hybrid-inbound-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-hybrid-inbound-indirect.json) file. + +## Synced Principals with Privileged Access (Direct) - Okta Edges + +Users and groups synchronized from external sources that have privileged role assignments. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE provider:Okta_Application OR provider:Okta_IdentityProvider +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-principals-hybrid-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-principals-hybrid-direct.json) file. + +## Synced Principals with Privileged Access (Indirect) - Okta Edges + +Users synchronized from external sources that hold privileged role assignments through group membership in Okta. 
+ +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE provider:Okta_Application OR provider:Okta_IdentityProvider +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-principals-hybrid-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-principals-hybrid-indirect.json) file. + +## Privileged Users without MFA (Direct) + +Users who do not have multi-factor authentication enabled and directly hold privileged role assignments. + +```cypher +MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.authenticationFactors = 0 +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-users-no-mfa-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-no-mfa-direct.json) file. + +## Privileged Users without MFA (Indirect) + +Users who do not have multi-factor authentication enabled and hold privileged role assignments through group membership. + +```cypher +MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.authenticationFactors = 0 +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-users-no-mfa-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-no-mfa-indirect.json) file. + +## Privileged Users with Old Passwords (Direct) + +Finds users whose last password change was more than a year ago and directly hold privileged role assignments. 
+ +```cypher +MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D") +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-users-old-passwords-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-old-passwords-direct.json) file. + +## Privileged Users with Old Passwords (Indirect) + +Finds users whose last password change was more than a year ago and hold privileged role assignments through group membership. + +```cypher +MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D") +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-users-old-passwords-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-old-passwords-indirect.json) file. + +## Privileged Users with Non-Active Status (Direct) + +Finds users whose status is not ACTIVE and directly hold privileged role assignments, including deactivated, suspended, or provisioning-incomplete accounts. + +```cypher +MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.status <> "ACTIVE" +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-users-unexpected-status-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-unexpected-status-direct.json) file. 
+ +## Privileged Users with Non-Active Status (Indirect) + +Finds users whose status is not ACTIVE and hold privileged role assignments through group membership, including deactivated, suspended, or provisioning-incomplete accounts. + +```cypher +MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.status <> "ACTIVE" +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [privileged-users-unexpected-status-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-unexpected-status-indirect.json) file. + +## Read Client Secrets of Privileged Applications + +Searches for client secrets associated with privileged applications that are readable to non-Super Admins. + +```cypher +MATCH path = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [read-client-secrets.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/read-client-secrets.json) file. + +## Realm Membership + +Lists all Okta realms and the users assigned to them. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [realm-membership.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/realm-membership.json) file. + +## Resource Set Membership + +Lists all resource sets and their associated members. 
+ +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [resource-set-membership.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/resource-set-membership.json) file. + +## Application Administrators and Managers + +List all Application Administrators and Managers. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_AppAdmin|Okta_ManageApp]->(app) +WHERE (admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application) AND (app:Okta_Application OR app:Okta_ApiServiceIntegration) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [role-app-admins.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-app-admins.json) file. + +## Role Assignments - Role Assignments and Scope + +Lists all role assignments and scope, including transitive group membership. + +```cypher +MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [role-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-assignments.json) file. + +## Role Assignments - All Custom Roles + +Lists all role assignments, linking principals to their assigned custom roles. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_CustomRole) +WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [role-custom-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-custom-assignments.json) file. 
+ +## Role Assignments - All Built-in Roles + +Lists all role assignments, linking principals to their assigned built-in roles. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_Role) +WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [role-direct-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-direct-assignments.json) file. + +## Role Assignments - Group Administrators + +List all Group Administrators and Group Membership Administrators. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group) +WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [role-group-admins.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-group-admins.json) file. + +## SCIM Apps Receiving Password Updates + +Lists application-to-user assignments where the app receives password updates. + +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [scim-read-passwords.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/scim-read-passwords.json) file. + +## API Service Integration Creators + +Lists all API service integrations and their creators. 
+ +```cypher +MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [service-integration-creators.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/service-integration-creators.json) file. + +## Stale Privileged Users (Direct) + +Finds user accounts that have not logged in for at least 180 days and directly hold privileged role assignments. + +```cypher +MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D") +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [stale-privileged-accounts-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/stale-privileged-accounts-direct.json) file. + +## Stale Privileged Users (Indirect) + +Finds user accounts that have not logged in for at least 180 days and hold privileged role assignments through group membership. + +```cypher +MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) +WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D") +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [stale-privileged-accounts-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/stale-privileged-accounts-indirect.json) file. + +## Secure Web Authentication Applications + +Secure Web Authentication (SWA) relationships between Okta users and their linked accounts in external applications. 
+ +```cypher +MATCH path = (:Okta_User)-[:Okta_SWA]->(target) +WHERE NOT target:Okta +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [swa-applications.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/swa-applications.json) file. + +## Inbound User and Group Synchronization + +Lists all inbound user and group synchronization relationships to Okta, including password synchronization across Org2Org setups. + +```cypher +MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target) +WHERE target:Okta_User OR target:Okta_Group +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [sync-relationships-inbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/sync-relationships-inbound.json) file. + +## Outbound User and Group Synchronization + +Lists all outbound user and group synchronization relationships from Okta, including password synchronization across Org2Org setups. + +```cypher +MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target) +WHERE source:Okta_User OR source:Okta_Group +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [sync-relationships-outbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/sync-relationships-outbound.json) file. + +## Tier Zero Principals and Devices + +Principals with SUPER_ADMIN or ORG_ADMIN role assignments and their associated devices. + +```cypher +MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(role:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization) +WHERE role.type = "SUPER_ADMIN" +OR role.type = "ORG_ADMIN" +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [tier0.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/tier0.json) file. 
+ +## Users with API Tokens + +Retrieves all (privileged) users who have been assigned API tokens. + +```cypher +MATCH path = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization) +RETURN path +LIMIT 1000 +``` + +This query can be imported into BloodHound from the [users-api-tokens.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/users-api-tokens.json) file. + diff --git a/docs/official-docs/opengraph/extensions/okta/schema.mdx b/docs/official-docs/opengraph/extensions/okta/schema.mdx new file mode 100644 index 0000000..d48cfc0 --- /dev/null +++ b/docs/official-docs/opengraph/extensions/okta/schema.mdx @@ -0,0 +1,95 @@ +--- +title: Schema +description: Okta extension schema definition +icon: circle-nodes +--- + +Applies to BloodHound Enterprise and CE +## Metadata + +**Name:** SOOkta
+**Display Name:** Okta Extension (by SpecterOps)
+**Version:** v2.8.1
+**Namespace:** Okta
+**Environment Kind:** Okta_Organization
+**Source Kind:** Okta + + +This file is automatically generated from the [extension schema definition file](https://github.com/SpecterOps/openhound-okta/blob/main/extension/schema.json). + + +## Nodes + +| Icon | Node Kind | Display Name | +|------|-----------|--------------| +| ![Okta_Agent](/images/extensions/okta/okta_agent.png) | [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) | Okta Agent | +| ![Okta_AgentPool](/images/extensions/okta/okta_agentpool.png) | [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) | Okta Agent Pool | +| ![Okta_ApiServiceIntegration](/images/extensions/okta/okta_apiserviceintegration.png) | [Okta_ApiServiceIntegration](/opengraph/extensions/okta/nodes/okta_apiserviceintegration) | Okta API Service Integration | +| ![Okta_ApiToken](/images/extensions/okta/okta_apitoken.png) | [Okta_ApiToken](/opengraph/extensions/okta/nodes/okta_apitoken) | Okta API Token | +| ![Okta_Application](/images/extensions/okta/okta_application.png) | [Okta_Application](/opengraph/extensions/okta/nodes/okta_application) | Okta Application | +| ![Okta_AuthorizationServer](/images/extensions/okta/okta_authorizationserver.png) | [Okta_AuthorizationServer](/opengraph/extensions/okta/nodes/okta_authorizationserver) | Okta Authorization Server | +| ![Okta_ClientSecret](/images/extensions/okta/okta_clientsecret.png) | [Okta_ClientSecret](/opengraph/extensions/okta/nodes/okta_clientsecret) | Okta Client Secret | +| ![Okta_CustomRole](/images/extensions/okta/okta_customrole.png) | [Okta_CustomRole](/opengraph/extensions/okta/nodes/okta_customrole) | Okta Custom Role | +| ![Okta_Device](/images/extensions/okta/okta_device.png) | [Okta_Device](/opengraph/extensions/okta/nodes/okta_device) | Okta Device | +| ![Okta_Group](/images/extensions/okta/okta_group.png) | [Okta_Group](/opengraph/extensions/okta/nodes/okta_group) | Okta Group | +| ![Okta_IdentityProvider](/images/extensions/okta/okta_identityprovider.png) | 
[Okta_IdentityProvider](/opengraph/extensions/okta/nodes/okta_identityprovider) | Okta Identity Provider | +| ![Okta_JWK](/images/extensions/okta/okta_jwk.png) | [Okta_JWK](/opengraph/extensions/okta/nodes/okta_jwk) | Okta JWK | +| ![Okta_Organization](/images/extensions/okta/okta_organization.png) | [Okta_Organization](/opengraph/extensions/okta/nodes/okta_organization) | Okta Organization | +| ![Okta_Policy](/images/extensions/okta/okta_policy.png) | [Okta_Policy](/opengraph/extensions/okta/nodes/okta_policy) | Okta Policy | +| ![Okta_Realm](/images/extensions/okta/okta_realm.png) | [Okta_Realm](/opengraph/extensions/okta/nodes/okta_realm) | Okta Realm | +| ![Okta_ResourceSet](/images/extensions/okta/okta_resourceset.png) | [Okta_ResourceSet](/opengraph/extensions/okta/nodes/okta_resourceset) | Okta Resource Set | +| ![Okta_Role](/images/extensions/okta/okta_role.png) | [Okta_Role](/opengraph/extensions/okta/nodes/okta_role) | Okta Role | +| ![Okta_RoleAssignment](/images/extensions/okta/okta_roleassignment.png) | [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) | Okta Role Assignment | +| ![Okta_User](/images/extensions/okta/okta_user.png) | [Okta_User](/opengraph/extensions/okta/nodes/okta_user) | Okta User | + +## Edges + +| Relationship Kind | Traversable | Description | +|-------------------|:-----------:|-------------| +| [Okta_AddMember](/opengraph/extensions/okta/edges/okta_addmember) | ✅ | Ability to add or remove members in scoped Okta groups | +| [Okta_AgentMemberOf](/opengraph/extensions/okta/edges/okta_agentmemberof) | ✅ | Membership of an Okta agent in an agent pool | +| [Okta_AgentPoolFor](/opengraph/extensions/okta/edges/okta_agentpoolfor) | ✅ | Relationship between an AD agent pool and its backing AD application | +| [Okta_ApiTokenFor](/opengraph/extensions/okta/edges/okta_apitokenfor) | ✅ | User ownership of an Okta API token | +| [Okta_AppAdmin](/opengraph/extensions/okta/edges/okta_appadmin) | ✅ | Application 
administrator role assignment | +| [Okta_AppAssignment](/opengraph/extensions/okta/edges/okta_appassignment) | ❌ | Assignment of users or groups to an Okta application | +| [Okta_Contains](/opengraph/extensions/okta/edges/okta_contains) | ✅ | Contains relationship between the Okta organization and its objects | +| [Okta_CreatorOf](/opengraph/extensions/okta/edges/okta_creatorof) | ❌ | Creator relationship for API service integrations | +| [Okta_DeviceOf](/opengraph/extensions/okta/edges/okta_deviceof) | ❌ | Ownership relationship between a device and its assigned user | +| [Okta_GroupAdmin](/opengraph/extensions/okta/edges/okta_groupadmin) | ✅ | Group administrator role assignment | +| [Okta_GroupMembershipAdmin](/opengraph/extensions/okta/edges/okta_groupmembershipadmin) | ✅ | Group membership administrator role assignment | +| [Okta_GroupPull](/opengraph/extensions/okta/edges/okta_grouppull) | ✅ | Import of group memberships from an external application | +| [Okta_GroupPush](/opengraph/extensions/okta/edges/okta_grouppush) | ❌ | Provisioning of group memberships to an external application | +| [Okta_HasRole](/opengraph/extensions/okta/edges/okta_hasrole) | ❌ | Assignment of a built-in or custom role to a principal | +| [Okta_HasRoleAssignment](/opengraph/extensions/okta/edges/okta_hasroleassignment) | ❌ | Relationship between a principal and a role assignment | +| [Okta_HelpDeskAdmin](/opengraph/extensions/okta/edges/okta_helpdeskadmin) | ✅ | Help desk administrator role assignment | +| [Okta_HostsAgent](/opengraph/extensions/okta/edges/okta_hostsagent) | ✅ | Relationship between an AD server and the Okta agent running on that host | +| [Okta_IdentityProviderFor](/opengraph/extensions/okta/edges/okta_identityproviderfor) | ✅ | Trust relationship between an identity provider and Okta users | +| [Okta_IdpGroupAssignment](/opengraph/extensions/okta/edges/okta_idpgroupassignment) | ❌ | Identity provider group assignment to an Okta group | +| 
[Okta_InboundOrgSSO](/opengraph/extensions/okta/edges/okta_inboundorgsso) | ✅ | Single sign-on from an external organization into Okta | +| [Okta_InboundSSO](/opengraph/extensions/okta/edges/okta_inboundsso) | ✅ | Single sign-on from an external identity provider into Okta | +| [Okta_KerberosSSO](/opengraph/extensions/okta/edges/okta_kerberossso) | ✅ | Agentless desktop SSO relationship from on-prem AD user account to Okta AD application | +| [Okta_KeyOf](/opengraph/extensions/okta/edges/okta_keyof) | ✅ | JSON Web Key associated with an Okta application | +| [Okta_ManageApp](/opengraph/extensions/okta/edges/okta_manageapp) | ✅ | Ability to manage scoped Okta applications | +| [Okta_ManagerOf](/opengraph/extensions/okta/edges/okta_managerof) | ❌ | Manager relationship between Okta users | +| [Okta_MemberOf](/opengraph/extensions/okta/edges/okta_memberof) | ✅ | Membership of a user in an Okta group | +| [Okta_MembershipSync](/opengraph/extensions/okta/edges/okta_membershipsync) | ✅ | Bidirectional synchronization between Okta groups and external groups | +| [Okta_MobileAdmin](/opengraph/extensions/okta/edges/okta_mobileadmin) | ✅ | Mobile administrator role assignment | +| [Okta_OrgAdmin](/opengraph/extensions/okta/edges/okta_orgadmin) | ✅ | Organization administrator role assignment | +| [Okta_OrgSWA](/opengraph/extensions/okta/edges/okta_orgswa) | ❌ | Secure Web Authentication from an Okta application to an external organization | +| [Okta_OutboundOrgSSO](/opengraph/extensions/okta/edges/okta_outboundorgsso) | ✅ | Single sign-on from an Okta application to an external organization | +| [Okta_OutboundSSO](/opengraph/extensions/okta/edges/okta_outboundsso) | ✅ | Single sign-on from Okta to an external identity provider | +| [Okta_PasswordSync](/opengraph/extensions/okta/edges/okta_passwordsync) | ✅ | Password synchronization between user accounts via AD integration, Org2Org, or SCIM | +| [Okta_PolicyMapping](/opengraph/extensions/okta/edges/okta_policymapping) | ❌ | 
Association of a policy with an Okta application | +| [Okta_ReadClientSecret](/opengraph/extensions/okta/edges/okta_readclientsecret) | ✅ | Ability to read client secrets for scoped Okta applications | +| [Okta_ReadPasswordUpdates](/opengraph/extensions/okta/edges/okta_readpasswordupdates) | ✅ | Application can read password updates over the SCIM protocol | +| [Okta_RealmContains](/opengraph/extensions/okta/edges/okta_realmcontains) | ✅ | Contains relationship between an Okta realm and its users | +| [Okta_ResetFactors](/opengraph/extensions/okta/edges/okta_resetfactors) | ✅ | Ability to reset MFA factors for scoped Okta users | +| [Okta_ResetPassword](/opengraph/extensions/okta/edges/okta_resetpassword) | ✅ | Ability to reset passwords or temporary credentials for scoped Okta users | +| [Okta_ResourceSetContains](/opengraph/extensions/okta/edges/okta_resourcesetcontains) | ✅ | Membership of objects within an Okta resource set | +| [Okta_ScopedTo](/opengraph/extensions/okta/edges/okta_scopedto) | ❌ | Scope relationship between a role assignment and its target | +| [Okta_SecretOf](/opengraph/extensions/okta/edges/okta_secretof) | ✅ | Client secret associated with an application or service integration | +| [Okta_SuperAdmin](/opengraph/extensions/okta/edges/okta_superadmin) | ✅ | Super administrator role assignment | +| [Okta_SWA](/opengraph/extensions/okta/edges/okta_swa) | ❌ | Secure Web Authentication from Okta to an external application | +| [Okta_UserPull](/opengraph/extensions/okta/edges/okta_userpull) | ❌ | Import of users from an external application | +| [Okta_UserPush](/opengraph/extensions/okta/edges/okta_userpush) | ❌ | Provisioning of users to an external application | +| [Okta_UserSync](/opengraph/extensions/okta/edges/okta_usersync) | ❌ | Bidirectional synchronization between Okta users and external identities | From a63ab022cb7f55a5a266e56ba94157854c2cbdf7 Mon Sep 17 00:00:00 2001 
From: JonasBK Date: Mon, 20 Apr 2026 11:43:06 +0200 Subject: [PATCH 09/11] rm sample properties --- descriptions/nodes/Okta_Agent.md | 16 -- descriptions/nodes/Okta_AgentPool.md | 11 -- .../nodes/Okta_ApiServiceIntegration.md | 27 ---- descriptions/nodes/Okta_ApiToken.md | 16 -- descriptions/nodes/Okta_Application.md | 144 ------------------ .../nodes/Okta_AuthorizationServer.md | 16 -- descriptions/nodes/Okta_ClientSecret.md | 12 -- descriptions/nodes/Okta_CustomRole.md | 13 -- descriptions/nodes/Okta_Device.md | 47 ------ descriptions/nodes/Okta_Group.md | 41 ----- descriptions/nodes/Okta_IdentityProvider.md | 17 --- descriptions/nodes/Okta_JWK.md | 15 -- descriptions/nodes/Okta_Organization.md | 13 -- descriptions/nodes/Okta_Policy.md | 14 -- descriptions/nodes/Okta_Realm.md | 16 -- descriptions/nodes/Okta_ResourceSet.md | 12 -- descriptions/nodes/Okta_Role.md | 25 --- descriptions/nodes/Okta_RoleAssignment.md | 14 -- descriptions/nodes/Okta_User.md | 29 ---- 19 files changed, 498 deletions(-)
diff --git a/descriptions/nodes/Okta_Agent.md b/descriptions/nodes/Okta_Agent.md
index e5d05df..7018d4d 100644
--- a/descriptions/nodes/Okta_Agent.md
+++ b/descriptions/nodes/Okta_Agent.md
@@ -5,19 +5,3 @@ The Okta_Agent node represents an Okta Agent, which is a component used in Okta'
 One or more agents are grouped into Agent Pools, represented by the [Okta_AgentPool](Okta_AgentPool.md) nodes, to provide redundancy and load balancing.
 
 ![Active Directory Agent in BloodHound](../Images/bloodhound-ad-agent.png)
-
-## Sample Property Values
-
-```yaml
-id: a53xfufl4rqWcHhQo697
-name: LON-SRV01
-displayName: LON-SRV01
-poolId: 0oaxg9rhdd7ncGCXv697
-oktaDomain: contoso.okta.com
-poolName: contoso.local
-operationalStatus: DISRUPTED
-updateStatus: Cancelled
-type: AD
-version: 3.22.0
-lastConnection: 2026-01-15T02:29:40+00:00
-```
diff --git a/descriptions/nodes/Okta_AgentPool.md b/descriptions/nodes/Okta_AgentPool.md
index 8b02229..17016c8 100644
--- a/descriptions/nodes/Okta_AgentPool.md
+++ b/descriptions/nodes/Okta_AgentPool.md
@@ -17,14 +17,3 @@ The following agent pool types are supported by Okta:
 The most common agent pool type is the Active Directory (AD) Agent Pool, which consists of one or more AD Agents that facilitate bi-directional object synchronization between Okta and on-premises Active Directory environments.
 
 ![Okta AD Agent Pools displayed in BloodHound](../Images/bloodhound-ad-agent-pool.png)
-
-## Sample Property Values
-
-```yaml
-id: 0oaxg9rhdd7ncGCXv697_pool
-name: contoso.local
-displayName: contoso.local
-oktaDomain: contoso.okta.com
-operationalStatus: DISRUPTED
-type: AD
-```
diff --git a/descriptions/nodes/Okta_ApiServiceIntegration.md b/descriptions/nodes/Okta_ApiServiceIntegration.md
index e74299f..b155b99 100644
--- a/descriptions/nodes/Okta_ApiServiceIntegration.md
+++ b/descriptions/nodes/Okta_ApiServiceIntegration.md
@@ -13,33 +13,6 @@ API service integrations in Okta represent OAuth 2.0 service (daemon) applicatio
 
 Okta API service integrations are represented as Okta_ApiServiceIntegration nodes.
 
-## Sample Property Values
-
-```yaml
-id: 0oaz7jy5f2oXnvtmN697
-name: Falcon Shield
-displayName: Falcon Shield
-oktaDomain: contoso.okta.com
-appType: falconshieldapiservice
-oauthScopes:
- - okta.users.read
- - okta.oauthIntegrations.read
- - okta.threatInsights.read
- - okta.devices.read
- - okta.apiTokens.read
- - okta.roles.read
- - okta.logs.read
- - okta.groups.read
- - okta.apps.read
- - okta.domains.read
- - okta.factors.read
- - okta.authenticators.read
- - okta.policies.read
- - okta.networkZones.read
- - okta.features.read
-createdAt: 2026-01-15T12:25:42.000Z
-```
-
 ## Integration OAuth 2.0 Scopes
 
 Each API service integration comes with a pre-defined set of OAuth 2.0 scopes to access Okta APIs:
diff --git a/descriptions/nodes/Okta_ApiToken.md b/descriptions/nodes/Okta_ApiToken.md
index b07330b..284bacc 100644
--- a/descriptions/nodes/Okta_ApiToken.md
+++ b/descriptions/nodes/Okta_ApiToken.md
@@ -7,19 +7,3 @@ These tokens are always associated with a specific user in Okta, and the permiss
 The use of API tokens is generally discouraged in favor of OAuth 2.0 access tokens, as they provide better security and flexibility. However, API tokens are still widely used by Okta customers.
 
 Okta API tokens are represented as Okta_ApiToken nodes in BloodHound.
-
-## Sample Property Values
-
-```yaml
-id: 00T36fk75smeJybKx697
-name: Postman
-displayName: Postman
-oktaDomain: contoso.okta.com
-userId: 00uw0o8iizq37KgKP697
-clientName: Okta API
-created: 2025-10-03T10:08:09+00:00
-lastUpdated: 2026-01-31T20:22:42+00:00
-expiresAt: 2026-03-02T20:22:42+00:00
-networkConnection: ANYWHERE
-tokenWindow: 30.00:00:00
-```
diff --git a/descriptions/nodes/Okta_Application.md b/descriptions/nodes/Okta_Application.md
index 4c5268e..91ea5e3 100644
--- a/descriptions/nodes/Okta_Application.md
+++ b/descriptions/nodes/Okta_Application.md
@@ -6,150 +6,6 @@ With the exception of API Service applications, Okta users and groups can be ass Okta applications are represented as Okta_Application nodes. -## Sample Property Values - -### Github Cloud - -```yaml -id: 0oawyp12cjglrkfId697 -name: Github Contoso -appType: githubcloud -displayName: Github Contoso -features: [] -githubOrg: Contoso -hasRoleAssignments: false -oktaDomain: contoso.okta.com -signOnMode: SAML_2_0 -status: ACTIVE -userNameMapping: ${source.login} -created: 2025-10-31T06:08:00+00:00 -lastUpdated: 2025-10-31T06:08:01+00:00 -``` - -### Google Workspace - -```yaml -id: 0oax4r57x0V5NHL2W697 -afwOnly: false -appType: google -displayName: Google Workspace -domain: contoso.com -features: [] -hasRoleAssignments: false -name: Google Workspace -oktaDomain: contoso.okta.com -signOnMode: SAML_2_0 -status: ACTIVE -userNameMapping: ${source.login} -created: 2025-11-05T09:06:48+00:00 -lastUpdated: 2025-11-05T09:07:21+00:00 -``` - -### Jamf Pro SAML - -```yaml -id: 0oax4r3ud0J2WjlNh697 -appType: jamfsoftwareserver -displayName: Jamf Pro SAML -domain: contoso.jamfcloud.com -features: [] -hasRoleAssignments: false -name: Jamf Pro SAML -oktaDomain: contoso.okta.com -signOnMode: SAML_2_0 -status: ACTIVE -userNameMapping: ${source.login} -created: 2025-11-05T09:10:52+00:00 -lastUpdated: 2026-01-19T14:33:39+00:00 -``` - -### OpenHound Okta Collector - -```yaml -id: 0oaw0pujq5WtBiMYD697 -name: OpenHound Okta Collector -appType: oidc_client -clientType: service -displayName: OpenHound Okta Collector -features: [] -grantTypes: - - client_credentials -hasRoleAssignments: true -oauthScopes: - - okta.trustedOrigins.read - - okta.policies.read - - okta.linkedObjects.read - - okta.authModes.read - - okta.templates.read - - okta.apiTokens.read - - okta.factors.read - - okta.brands.read - - okta.authenticators.read - - okta.uischemas.read - - okta.logs.read - - okta.groups.read - - okta.identitySources.read - - okta.users.read - - okta.orgs.read - - 
okta.threatInsights.read - - okta.pushProviders.read - - okta.apps.read - - ssf.read - - okta.roles.read - - okta.networkZones.read - - okta.emailDomains.read - - okta.manifests.read - - okta.oauthIntegrations.read - - okta.domains.read - - okta.deviceAssurance.read - - okta.reports.read - - okta.authorizationServers.read - - okta.enduser.read - - okta.schemas.read - - okta.idps.read - - okta.agentPools.read - - okta.appGrants.read - - okta.inlineHooks.read - - okta.certificateAuthorities.read - - okta.devices.read - - okta.behaviors.read - - okta.profileMappings.read - - okta.captchas.read - - okta.clients.read - - okta.features.read - - okta.sessions.read - - okta.userTypes.read -oktaDomain: integrator-5415459.okta.com -signOnMode: OPENID_CONNECT -status: ACTIVE -userNameMapping: ${source.login} -created: 2025-10-02T10:11:20+00:00 -lastUpdated: 2025-10-02T10:26:27+00:00 -``` - -### Active Directory Integration - -```yaml -id: 0oaxg9rhdd7ncGCXv697 -name: contoso.local -appType: active_directory -displayName: contoso.local -domainSid: S-1-5-21-71365889-924527929-2677699343 -features: - - IMPORT_PROFILE_UPDATES - - PROFILE_MASTERING - - OUTBOUND_DEL_AUTH - - IMPORT_USER_SCHEMA - - IMPORT_NEW_USERS -filterGroupsByOU: false -hasRoleAssignments: false -namingContext: contoso.local -oktaDomain: contoso.okta.com -status: ACTIVE -created: 2025-11-14T12:50:42+00:00 -lastUpdated: 2026-01-31T15:12:24+00:00 -``` - ## User Name Mapping User name mapping from Okta to SAML 2.0, OpenID Connect (OIDC), and Secure Web Authentication (SWA) applications is configurable in the Okta Admin Console, with the default setting being the Okta username pass-through, i.e., `${source.login}`. diff --git a/descriptions/nodes/Okta_AuthorizationServer.md b/descriptions/nodes/Okta_AuthorizationServer.md index 3db39be..b43dd69 100644 --- a/descriptions/nodes/Okta_AuthorizationServer.md +++ b/descriptions/nodes/Okta_AuthorizationServer.md 
@@ -6,19 +6,3 @@ Okta authorization servers are represented as Okta_AuthorizationServer nodes. > [!NOTE] > The relationships between authorization servers and applications are currently not evaluated in BloodHound. - -## Sample Property Values - -```yaml -id: ausz6ipkn4u0hDzyf697 -name: app creation -displayName: app creation -oktaDomain: contoso.okta.com -status: INACTIVE -issuer: https://contoso.okta.com/oauth2/ausz6ipkn4u0hDzyf697 -issuerMode: DYNAMIC -audiences: - - test -created: 2026-01-14T15:41:28+00:00 -lastUpdated: 2026-01-14T16:09:30+00:00 -``` diff --git a/descriptions/nodes/Okta_ClientSecret.md b/descriptions/nodes/Okta_ClientSecret.md index 6026776..426d56f 100644 --- a/descriptions/nodes/Okta_ClientSecret.md +++ b/descriptions/nodes/Okta_ClientSecret.md @@ -12,15 +12,3 @@ Client secrets are represented as Okta_ClientSecret nodes in BloodHound. > [!NOTE] > For security reasons, the OpenHound and OktaHound collectors do not collect client secrets, only their hashed identifiers. - -## Sample Property Values - -```yaml -id: ocsxqwizfyqsf0aVG697 -name: T1e6fl4jGqvPkgd94NKx5g -displayName: T1e6fl4jGqvPkgd94NKx5g -oktaDomain: contoso.okta.com -status: ACTIVE -created: 2025-11-24T12:24:08.000Z -lastUpdated: 2025-11-24T12:24:08.000Z -``` diff --git a/descriptions/nodes/Okta_CustomRole.md b/descriptions/nodes/Okta_CustomRole.md index 4bdbd12..446b42e 100644 --- a/descriptions/nodes/Okta_CustomRole.md +++ b/descriptions/nodes/Okta_CustomRole.md 
@@ -8,19 +8,6 @@ Custom roles can be created with specific [permissions](https://developer.okta.c Custom roles are represented as Okta_CustomRole and Okta_RoleAssignment nodes, similar to built-in roles. -## Sample Property Values - -```yaml -id: cr0wwdjuk0w96MpFr697 -name: IAM Readers -displayName: IAM Readers -oktaDomain: contoso.okta.com -created: 2025-10-29T12:45:55+00:00 -lastUpdated: 2025-10-30T13:35:36+00:00 -permissions: - - okta.iam.read -``` - ## Abusable Permissions of Custom Roles in Okta The following Okta permissions are particularly interesting from an offensive security perspective, as they can be abused to escalate privileges in hybrid scenarios: diff --git a/descriptions/nodes/Okta_Device.md b/descriptions/nodes/Okta_Device.md index 93d6b19..cb1a0cf 100644 --- a/descriptions/nodes/Okta_Device.md +++ b/descriptions/nodes/Okta_Device.md 
@@ -3,50 +3,3 @@ Devices in Okta represent the physical or virtual devices that users use to authenticate and access the Okta organization. Devices can optionally be managed by 3rd party MDM solutions, which allow administrators to enforce security compliance policies. Okta devices are represented as Okta_Device nodes. - -## Sample Property Values - -Windows device: - -```yaml -id: 4C4C4544-0057-4C10-8057-C8C04F573934@contoso.okta.com -name: PC01 -displayName: PC01 -oktaDomain: contoso.okta.com -oktaId: guoxrzqh8jBxYxEeJ697 -created: 2025-11-25T11:01:53+00:00 -lastUpdated: 2026-02-17T08:55:45+00:00 -status: ACTIVE -resourceType: UDDevice -platform: WINDOWS -manufacturer: Dell Inc. -model: XPS 14 9440 -osVersion: 10.0.26200.7623 -registered: true -secureHardwarePresent: true -jailBreak: false -udid: 4C4C4544-0057-4C10-8057-C8C04F573934 -objectSid: S-1-5-21-1084505731-826279434-3585917670 -serialNumber: HWLWW94 -``` - -iOS device: - -```yaml -id: guowq18eyhZaDlkkA697 -name: John's iPhone -displayName: John's iPhone -oktaDomain: contoso.okta.com -oktaId: guowq18eyhZaDlkkA697 -status: ACTIVE -resourceType: UDDevice -platform: IOS -manufacturer: APPLE -model: iPhone17,1 -osVersion: 18.6.2 -registered: true -secureHardwarePresent: true -jailBreak: false -created: 2025-10-23T17:16:46+00:00 -lastUpdated: 2025-10-23T17:16:47+00:00 -``` diff --git a/descriptions/nodes/Okta_Group.md b/descriptions/nodes/Okta_Group.md index fea6cd1..408b9ed 100644 --- a/descriptions/nodes/Okta_Group.md +++ b/descriptions/nodes/Okta_Group.md 
@@ -4,47 +4,6 @@ Groups in Okta are collections of users that can be used to manage access to app Okta groups are represented as Okta_Group nodes. -## Sample Property Values - -Example of a group created directly in Okta: - -```yaml -id: 00gxg12p4kFOkyXLb697 -name: Engineering -displayName: Engineering -description: Engineering department group -oktaDomain: contoso.okta.com -hasRoleAssignments: false -oktaGroupType: OKTA_GROUP -objectClass: okta:user_group -created: 2025-11-14T08:00:25+00:00 -lastUpdated: 2025-11-14T08:00:25+00:00 -lastMembershipUpdated: 2025-11-14T08:00:25+00:00 -``` - -Example of a group synchronized from Active Directory: - -```yaml -id: 00gxga7s3yDJ71OzW697 -name: Sales -displayName: Sales -description: Sales department group -oktaDomain: contoso.okta.com -hasRoleAssignments: false -oktaGroupType: APP_GROUP -objectClass: okta:windows_security_principal -objectSid: S-1-5-21-71365889-924527929-2677699343-2536 -distinguishedName: CN=Sales,CN=Groups,DC=contoso,DC=local -samAccountName: Sales -domainQualifiedName: CONTOSO\Sales -groupScope: Global -groupType: Security -objectGuid: 4ab65ef0-ab82-4017-b5ee-1c20facd4d6a -created: 2025-11-14T12:58:13+00:00 -lastUpdated: 2025-11-14T13:05:44+00:00 -lastMembershipUpdated: 2025-11-14T12:58:13+00:00 -``` - ## Synchronization with External Directories Similarly to users, groups can also be synchronized from external directories. The Okta API exposes the original Active Directory attributes: diff --git a/descriptions/nodes/Okta_IdentityProvider.md b/descriptions/nodes/Okta_IdentityProvider.md index e014f02..10418d7 100644 --- a/descriptions/nodes/Okta_IdentityProvider.md +++ b/descriptions/nodes/Okta_IdentityProvider.md 
@@ -8,20 +8,3 @@ Okta identity providers are represented as Okta_IdentityProvider nodes. > [!NOTE] > The inbound identity provider routing rules and JIT (Just-In-Time) provisioning settings are currently not evaluated. - -## Sample Property Values - -```yaml -id: 0oazpi53t1cRNcPL4697 -name: Microsoft Entra ID -displayName: Microsoft Entra ID -oktaDomain: contoso.okta.com -created: 2026-01-31T15:21:37+00:00 -issuerMode: DYNAMIC -type: MICROSOFT -enabled: false -autoUserProvisioning: true -governedGroupIds: [] -protocolType: OIDC -url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize -``` diff --git a/descriptions/nodes/Okta_JWK.md b/descriptions/nodes/Okta_JWK.md index bf19535..8aeea8a 100644 --- a/descriptions/nodes/Okta_JWK.md +++ b/descriptions/nodes/Okta_JWK.md @@ -3,18 +3,3 @@ JSON Web Keys (JWKs) are used by OAuth 2.0 client applications to authenticate with Okta using the `private_key_jwt` client authentication method. This is an asymmetric authentication mechanism where the application possesses a private key and Okta stores the corresponding public key. A service application can have multiple JWKs configured for key rotation purposes. JWKs are represented as Okta_JWK nodes in BloodHound. - -## Sample Property Values - -```yaml -id: pksw0py294dQ80EdI697 -name: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4 -displayName: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4 -oktaDomain: contoso.okta.com -status: ACTIVE -kid: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4 -kty: RSA -use: sig -created: 2025-10-02T10:14:44Z -lastUpdated: 2025-10-02T10:26:27Z -``` diff --git a/descriptions/nodes/Okta_Organization.md b/descriptions/nodes/Okta_Organization.md index 0ce5485..2d18df8 100644 --- a/descriptions/nodes/Okta_Organization.md +++ b/descriptions/nodes/Okta_Organization.md 
@@ -3,16 +3,3 @@ The Organization entity represents the Okta tenant itself. It contains general information about the organization, such as its name, domain, and settings. The Okta organization is represented as a single Okta_Organization node. - -## Sample Property Values - -```yaml -id: 00ow0o8if0CNwsKmk697 -name: contoso.okta.com -displayName: Contoso -oktaDomain: contoso.okta.com -subdomain: contoso -status: ACTIVE -created: 2025-10-02T09:21:31+00:00 -lastUpdated: 2025-12-09T23:04:15+00:00 -``` diff --git a/descriptions/nodes/Okta_Policy.md b/descriptions/nodes/Okta_Policy.md index aa6f4df..5f39f67 100644 --- a/descriptions/nodes/Okta_Policy.md +++ b/descriptions/nodes/Okta_Policy.md @@ -4,20 +4,6 @@ Policies in Okta define the rules and conditions that govern authentication, aut Okta policies are represented as Okta_Policy nodes. -## Sample Property Values - -```yaml -id: rstw0o8il8ktUxo3t697 -name: Okta Account Management Policy -displayName: Okta Account Management Policy -oktaDomain: contoso.okta.com -description: This policy defines how users must authenticate for authenticator enrollment, password reset, or unlock account. Password policy rules control whether to enforce this policy for password reset and unlock account. -type: ACCESS_POLICY -priority: 1 -system: false -created: 2025-10-02T09:21:37+00:00 -``` - ## Policy Types The following [policy types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) are supported by Okta: diff --git a/descriptions/nodes/Okta_Realm.md b/descriptions/nodes/Okta_Realm.md index 70d853f..a50068b 100644 --- a/descriptions/nodes/Okta_Realm.md +++ b/descriptions/nodes/Okta_Realm.md 
@@ -6,19 +6,3 @@ Okta Realms are represented as Okta_Realm nodes. > [!NOTE] > Okta Realms are currently not supported due to licensing restrictions. - -## Sample Property Values - -```yaml -id: guor3k19x7pVQ6Abc0g7 -name: Car Co -displayName: Car Co -oktaDomain: contoso.okta.com -type: PARTNER -isDefault: false -domains: - - atko.com - - user.com -created: 2025-06-01T08:00:00.0000000+00:00 -lastUpdated: 2026-02-20T07:45:12.0000000+00:00 -``` diff --git a/descriptions/nodes/Okta_ResourceSet.md b/descriptions/nodes/Okta_ResourceSet.md index c072e6d..e8e8a9f 100644 --- a/descriptions/nodes/Okta_ResourceSet.md +++ b/descriptions/nodes/Okta_ResourceSet.md @@ -27,15 +27,3 @@ Resource sets are collections of entities that can be used to scope custom role ![Okta Resource Set displayed in BloodHound](../Images/bloodhound-resource-set.png) Okta resource sets are represented as Okta_ResourceSet nodes. - -## Sample Property Values - -```yaml -id: WORKFLOWS_IAM_POLICY@contoso.okta.com -name: Workflows Resource Set -displayName: Workflows Resource Set -oktaDomain: contoso.okta.com -description: A resource set managed by Workflows Administrator -created: 2025-10-22T13:29:26+00:00 -lastUpdated: 2025-10-22T13:29:26+00:00 -``` diff --git a/descriptions/nodes/Okta_Role.md b/descriptions/nodes/Okta_Role.md index 07c5254..6e425f9 100644 --- a/descriptions/nodes/Okta_Role.md +++ b/descriptions/nodes/Okta_Role.md 
@@ -26,31 +26,6 @@ The following roles can either be scoped to specific resources or assigned organ Okta built-in roles are represented as Okta_Role nodes. -## Sample Property Values - -```yaml -id: APP_ADMIN@contoso.okta.com -name: Application Administrator -displayName: Application Administrator -oktaDomain: contoso.okta.com -permissions: - - okta.apps.manage - - okta.apps.read - - okta.apps.assignment.manage - - okta.apps.clientCredentials.read - - okta.users.appAssignment.manage - - okta.groups.appAssignment.manage - - okta.policies.manage - - okta.policies.read - - okta.users.read - - okta.groups.read - - okta.users.userprofile.manage - - okta.users.userprofile.read - - okta.profilesources.import.run - - okta.agents.register - - okta.realms.read -``` - ## Built-In Role Identifiers When working with roles using the Okta API, the built-in roles are referenced by the following identifiers: diff --git a/descriptions/nodes/Okta_RoleAssignment.md b/descriptions/nodes/Okta_RoleAssignment.md index c1cc20c..fe0b489 100644 --- a/descriptions/nodes/Okta_RoleAssignment.md +++ b/descriptions/nodes/Okta_RoleAssignment.md @@ -1,17 +1,3 @@ ## Overview To help visualize role assignments in BloodHound, Okta_RoleAssignment nodes are created for each role assignment in Okta. These nodes represent the relationship between a [user](Okta_User.md), [group](Okta_Group.md), or [application](Okta_Application.md) and a role ([built-in](Okta_Role.md) or [custom](Okta_CustomRole.md)). - -## Sample Property Values - -```yaml -id: irbwnwe8vjjXl4FbX697_00uw2sodowQc75SUm697 -name: Workflows Administrator -displayName: Workflows Administrator -oktaDomain: contoso.okta.com -assignmentType: USER -type: WORKFLOWS_ADMIN -status: ACTIVE -created: 2025-10-22T13:29:26+00:00 -lastUpdated: 2025-10-22T13:29:26+00:00 -``` diff --git a/descriptions/nodes/Okta_User.md b/descriptions/nodes/Okta_User.md index 5efe46b..5a0872a 100644 --- a/descriptions/nodes/Okta_User.md +++ b/descriptions/nodes/Okta_User.md 
@@ -4,35 +4,6 @@ User objects (AKA People) represent individuals who have access to the Okta orga Okta users are represented as Okta_User nodes. -## Sample Property Values - -```yaml -id: 00uw2sodn4ZPJJQyx697 -name: john.doe@contoso.com -displayName: John Doe -oktaDomain: contoso.okta.com -login: john.doe@contoso.com -email: john.doe@contoso.com -firstName: John -lastName: Doe -title: Senior Identity Engineer -department: Security Engineering -city: Seattle -state: WA -countryCode: US -status: ACTIVE -enabled: true -hasRoleAssignments: false -credentialProviderName: OKTA -credentialProviderType: OKTA -managerId: joe.smith@contoso.com -created: 2025-10-03T18:45:57+00:00 -activated: 2025-10-03T19:02:11+00:00 -passwordChanged: 2026-01-12T14:27:03+00:00 -lastLogin: 2026-02-20T09:41:55+00:00 -lastUpdated: 2025-10-29T11:09:47+00:00 -``` - ## User Status User status can have [multiple values](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User), as illustrated below: From 460c8ef30bc5c139047f998db46962e42150fb98 Mon Sep 17 00:00:00 2001 From: JonasBK Date: Mon, 20 Apr 2026 11:44:24 +0200 Subject: [PATCH 10/11] add official-docsto gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index f47e4d7..1626df3 100644 --- a/.gitignore +++ b/.gitignore @@ -10,6 +10,7 @@ output graph logs .vscode +docs/official-docs/ # Codex .codex From 655fa6f9c1239ca993166bbaa9c3ee953b711315 Mon Sep 17 00:00:00 2001 
From: JonasBK Date: Mon, 20 Apr 2026 11:47:10 +0200 Subject: [PATCH 11/11] Stop tracking docs/official-docs --- .../images/extensions/okta/okta_agent.png | Bin 948 -> 0 bytes .../images/extensions/okta/okta_agentpool.png | Bin 1267 -> 0 bytes .../okta/okta_apiserviceintegration.png | Bin 979 -> 0 bytes .../images/extensions/okta/okta_apitoken.png | Bin 1117 -> 0 bytes .../extensions/okta/okta_application.png | Bin 835 -> 0 bytes .../okta/okta_authorizationserver.png | Bin 892 -> 0 bytes .../extensions/okta/okta_clientsecret.png | Bin 1117 -> 0 bytes .../extensions/okta/okta_customrole.png | Bin 1123 -> 0 bytes .../images/extensions/okta/okta_device.png | Bin 989 -> 0 bytes .../images/extensions/okta/okta_group.png | Bin 943 -> 0 bytes .../extensions/okta/okta_identityprovider.png | Bin 944 -> 0 bytes .../images/extensions/okta/okta_jwk.png | Bin 1117 -> 0 bytes .../extensions/okta/okta_organization.png | Bin 1290 -> 0 bytes .../images/extensions/okta/okta_policy.png | Bin 1066 -> 0 bytes .../images/extensions/okta/okta_realm.png | Bin 1047 -> 0 bytes .../extensions/okta/okta_resourceset.png | Bin 975 -> 0 bytes .../images/extensions/okta/okta_role.png | Bin 1123 -> 0 bytes .../extensions/okta/okta_roleassignment.png | Bin 1027 -> 0 bytes .../images/extensions/okta/okta_user.png | Bin 1056 -> 0 bytes .../opengraph/extensions/okta/docs.json | 84 --- .../extensions/okta/edges/okta_addmember.mdx | 24 - .../okta/edges/okta_agentmemberof.mdx | 32 - .../okta/edges/okta_agentpoolfor.mdx | 37 -- .../okta/edges/okta_apitokenfor.mdx | 28 - .../extensions/okta/edges/okta_appadmin.mdx | 28 - .../okta/edges/okta_appassignment.mdx | 40 -- .../extensions/okta/edges/okta_contains.mdx | 45 -- .../extensions/okta/edges/okta_creatorof.mdx | 24 - .../extensions/okta/edges/okta_deviceof.mdx | 25 - .../extensions/okta/edges/okta_groupadmin.mdx | 26 - .../okta/edges/okta_groupmembershipadmin.mdx | 23 - .../extensions/okta/edges/okta_grouppull.mdx | 21 - 
.../extensions/okta/edges/okta_grouppush.mdx | 21 - .../extensions/okta/edges/okta_hasrole.mdx | 29 - .../okta/edges/okta_hasroleassignment.mdx | 39 -- .../okta/edges/okta_helpdeskadmin.mdx | 24 - .../extensions/okta/edges/okta_hostsagent.mdx | 34 - .../okta/edges/okta_identityproviderfor.mdx | 26 - .../okta/edges/okta_idpgroupassignment.mdx | 25 - .../okta/edges/okta_inboundorgsso.mdx | 24 - .../extensions/okta/edges/okta_inboundsso.mdx | 24 - .../okta/edges/okta_kerberossso.mdx | 32 - .../extensions/okta/edges/okta_keyof.mdx | 28 - .../extensions/okta/edges/okta_manageapp.mdx | 24 - .../extensions/okta/edges/okta_managerof.mdx | 31 - .../extensions/okta/edges/okta_memberof.mdx | 27 - .../okta/edges/okta_membershipsync.mdx | 52 -- .../okta/edges/okta_mobileadmin.mdx | 23 - .../extensions/okta/edges/okta_orgadmin.mdx | 25 - .../extensions/okta/edges/okta_orgswa.mdx | 31 - .../okta/edges/okta_outboundorgsso.mdx | 38 -- .../okta/edges/okta_outboundsso.mdx | 36 -- .../okta/edges/okta_passwordsync.mdx | 56 -- .../okta/edges/okta_policymapping.mdx | 41 -- .../okta/edges/okta_readclientsecret.mdx | 33 - .../okta/edges/okta_readpasswordupdates.mdx | 25 - .../okta/edges/okta_realmcontains.mdx | 30 - .../okta/edges/okta_resetfactors.mdx | 23 - .../okta/edges/okta_resetpassword.mdx | 44 -- .../okta/edges/okta_resourcesetcontains.mdx | 32 - .../extensions/okta/edges/okta_scopedto.mdx | 39 -- .../extensions/okta/edges/okta_secretof.mdx | 26 - .../extensions/okta/edges/okta_superadmin.mdx | 23 - .../extensions/okta/edges/okta_swa.mdx | 28 - .../extensions/okta/edges/okta_userpull.mdx | 23 - .../extensions/okta/edges/okta_userpush.mdx | 25 - .../extensions/okta/edges/okta_usersync.mdx | 29 - .../extensions/okta/nodes/okta_agent.mdx | 31 - .../extensions/okta/nodes/okta_agentpool.mdx | 38 -- .../okta/nodes/okta_apiserviceintegration.mdx | 55 -- .../extensions/okta/nodes/okta_apitoken.mdx | 33 - .../okta/nodes/okta_application.mdx | 325 ---------- 
.../okta/nodes/okta_authorizationserver.mdx | 32 - .../okta/nodes/okta_clientsecret.mdx | 34 - .../extensions/okta/nodes/okta_customrole.mdx | 49 -- .../extensions/okta/nodes/okta_device.mdx | 60 -- .../extensions/okta/nodes/okta_group.mdx | 85 --- .../okta/nodes/okta_identityprovider.mdx | 35 -- .../extensions/okta/nodes/okta_jwk.mdx | 28 - .../okta/nodes/okta_organization.mdx | 26 - .../extensions/okta/nodes/okta_policy.mdx | 45 -- .../extensions/okta/nodes/okta_realm.mdx | 32 - .../okta/nodes/okta_resourceset.mdx | 49 -- .../extensions/okta/nodes/okta_role.mdx | 85 --- .../okta/nodes/okta_roleassignment.mdx | 25 - .../extensions/okta/nodes/okta_user.mdx | 74 --- .../extensions/okta/privilege-zone-rules.mdx | 55 -- .../opengraph/extensions/okta/queries.mdx | 586 ------------------ .../opengraph/extensions/okta/schema.mdx | 95 --- 89 files changed, 3384 deletions(-) delete mode 100644 docs/official-docs/images/extensions/okta/okta_agent.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_agentpool.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_apiserviceintegration.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_apitoken.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_application.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_authorizationserver.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_clientsecret.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_customrole.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_device.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_group.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_identityprovider.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_jwk.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_organization.png delete mode 100644 
docs/official-docs/images/extensions/okta/okta_policy.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_realm.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_resourceset.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_role.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_roleassignment.png delete mode 100644 docs/official-docs/images/extensions/okta/okta_user.png delete mode 100644 docs/official-docs/opengraph/extensions/okta/docs.json delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_addmember.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx delete mode 100644 
docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/queries.mdx delete mode 100644 docs/official-docs/opengraph/extensions/okta/schema.mdx 
diff --git a/docs/official-docs/images/extensions/okta/okta_agent.png b/docs/official-docs/images/extensions/okta/okta_agent.png deleted file mode 100644 index d4077f7e4143543be93ac1c951196f1701be2164..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 948 zcmV;l155mgP)E-96Zjo#Ntp#9p1a%|Mn2#lU&mKdf)dv-}~=-zX;)> z04ZPqNZ1|#&Gu{nMWA|ywHqP~zEB{7rqFRId3-INrF5)^iOGI7d zyC(V0n*tKRQxKmw z+j;TGJLZaf50opgW^HWR;H(SCfkb- z>AK7AMGXODy1kQU^XDT6nBVe_+1xM?#Rvw~$M<({1}{9^BfHz4a4Z;V4I5XY#S{?t zDYGNS!jG4{;UCMtsDzT3OZ_1>z7~=SO-ZnA`%~aPKsm_9q8NrX{2P zpZq^Wfnx}+WUG6UhIY734Y0ZId|%j-xqc{FHKW{ubTRSciq{RRdtU#W0wNJ{MYRT- z2mYeWxo%gS*6Kg2rhrsg_vWj6R}OJsG()P>JLXqO-6-h}^XI@ijx}Hg;K8Cqb|d(asU3~yRBN)f zff<9-(Gx02JgBKIsqq&H+X+|(`Y`%Jzot|JT2o!H_T*xk(!oV29s+QRoISoxDaIdt zz-jRi(sSWrA_!(bVI%LubvI~qF)08lNFjNC#*4|TyrUF5%pOL7DPkOHAOWi_Q)6)T zvURGJbolk#x|+GHHUqr%BM*xNQYX%OIbGqLms2+s#Ej+^}ImH9sdRN WQzhSk)ow}v0000ZKWH0w6vscZ-I7{^FQAA_@`*xGk*Vbbk_Gl`U~a6gpFIxE=}xwVY7r2>i@2{!@}Q@JDu2ALR76YP()rMMAVLFL+F zf^wyRsa!G1v?L$_8X$#3F=i&Sc)ijqDYsx4Rjw^2*xXvRNCa_M!b!k3dpH#1>ZSZ^ zDQ?8&uj3YpUGC^|$fSUX92jI~GW$lA1I$cjIppgH;bJ?mEdnwy1u!w5ZZi9mU$T@c zIsmusB>8yE!>v2XjtF?YlJmpnOr7+Y8z~Uc-WYHjTY0YE90g$D{Wu#>^WwnX&SN9k zA3=$ZS=o^Sk{*Qb{{>k3Mr%s7QblL_as;DZYdY}w(FERJi7&>N+a^&e>zw~8Xe|$R z0dWvT#x2kNJ{dV6tP&2zm>6Fs9Et((`0zefO*ty^KVYD8orcqDfmuiH;ErbXF&no%a(xn8Dz7h*ng2^f+y=b3bLk;}L%` zEpjg1^xl4O=#p&$exKYVI1q|+>f{vOUWt|LJR48*b`S#S&(|qcbo@RUt*GMn$!!Iv zL#D3_=m%QX`OiOF;LK=>QzxhFy>KXox3>?&s8XuvJb1Xk^yMM$eJ9epRMF9js_S`x zGt(kHEu|V@)J64FqGL>)OH-=o81*W_K!i=xD!H``<$nrjMHR!Sa&hWD$6aE}2@j%) z=yyxOMl_oF!NUcN?HVihQ?Bw$H#Aq*Y6X?)*&%@S9*aP!qVG$<8K_!O<=*#S+UsyA z#z-{DqqQ`fTdN|iU6jL)HGyiENnlT(xxw#~QKDn^x-msJw^q4*_pDRdF7hVyZu7?{ zFJHc3WH{M2fw$i}!11FAHn#GVD+TJ?H9(}Ob#G`zm7xzlY_i0+ne$X@e*?_-0C|gX zsl2}%oG4Xv^yi}eYD`hfIs>8j?sv+%vt`S7A@1c2z)CjNwsH`@Gz?*4t2_f7J93(d zb7|Ki<;c3JD9n8fpOz~60rj_sy!Y-24oZh#Nx4=~ znZ2f1d0#{H9=cOzufZe_3<4;_NzR;}>ufOjVV>O1RlaU2Z)-4dlDL3qAOR8e%5aik 
zAVTjuefF)U6;$fmH8Gk!PB&K7d0@d!dApE-G@TEpXF|9LGPdiyP_E(h7cP``$h~M0h)EqH(mZ8B zAY@(3QxOPt>CZ_sIu$8)NiW(VFYUqY5(~SyA%w;XE4zZbmpc4rX5Y@vjI&x_cC;O2@nF-fL?&ELFgMR6CQ>94#XEk7#*8H z%uWb90eW@vP&fjy`|^*EgKP>`9zuQ>bn=)kjH3V{U<(Mf^}x^!1e%UVZlG8YA$}!H zAv#cQ!e=30GsuT$PfiYU#_+7zkIG@J*DHIU03+cDTzU-thLe-4(E1_02Bia9fg-RD zWff@1)pO;Qcb#v%kl*MXZ~L<;_%LZcb^sYe1&=_iy%vM}{!xZkGzppuxp<`o>K690#WSzyOGmxcPZ<1vXxaRa>!quRISlLG(6s4cVU) zY=v;d3|0d^B(|ePoyozO+=^mB_PRk)!-x+(Uc2djFI`CRchEgre%Cz;6H9Pmrc#Lbf}CMRL!&u8;{)2kUjNBeImGT`b-yvU zo?*!cCX^fK^;a*uV|iLEUA6r9f;`)K$WibEKY{lAj<;-=-;trBSb(js-bu45bDHoY zRZM$+w_1Si(F%(t*dp$=mli@JZp0U$qhH)BxngENV)yOyN$J3x=6t#Us#GSlejzjt z2?Qlxgd_6Y+*#IVI3jC-puV?BzSa6&Zy-~L#DPU413F=D#9JIN$S0PZ*WceV-Sn~# zJuCf6RO?oS*V-V^Bzv8Z->HZZ>qa)52gbVwA@;zXz#5dSX<9NWFoX0D6&2AYaIsXN_4g0wY<65M-i6#Y0103c zI0XBmGy|OZPetiIqHeP&t+(ty1U>`T^1Gbc{st}Q;Plz!k!MqK?Yhgc;sV`K8RA`>Qba!-wkD#R4ho&n-wT|;`=)mZixvo%W#sihW}0iM~BdxeI? ziCUY}c~01zS`k97(P+;@=qf_4I7hiXU&rG={tHXEH9f3-UHt$6002ovPDHLkV1m1; B!HWO@ 
diff --git a/docs/official-docs/images/extensions/okta/okta_apitoken.png b/docs/official-docs/images/extensions/okta/okta_apitoken.png deleted file mode 100644 index cee2030e896a220f0c638f62ca301bf35f9f2192..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1117 zcmV-j1fu(iP)ZO=}xh6o#KDA~G0D<07eUh49!oAR`w|YcQ#yNN&1l(naKz z=_XQk-P!#Gmj6Kl*>zzlixNY@^2SY|V3`&#yy+NhqD81D4%tYi9myMwH|^r;jz_Xa zU+xP7SN9&xd*+;bzHZS!6d(zt0oCyU7>=h1>;vWi@9qi}*aZF^@Y!@I=!#oi&JK{W5_yN!>RZQy=y;3EAT;`~H?tD)Uc!rBb+!RoNJwOA<#ADlo21Lm1UCA zNDGHNcUs^nu$l-32O`g(l-YUv7iPl(KnsUholl_p$6DmfhK2UxrF6#z;&R#ws0h>Z z=i`;Wd~Vb)ST63OSE?P)pML!nt6wBq_Vh}X&tGiGpHqNwTgn4kCLZGl?X#Zbre*Qv z&%aRq`yW@CSEpwvJ|Fi!ov`;NMn^Gfbs47PK+%KnM+P9bxX_avU~TUYj9UHL{-c>` zGIO&8e8PP{?){D-Om4%$kpUDBkOGlp`iXPXvM3zCxwbzU@Ka1bB>(Mw(s!rr{d}9O z8t{_{1?A6_2a(%J&rJ0s2hc0$9rtUNb){tEYF!fH*MjU^OfJ)2n)!OzWaA_qfBqAS z&)3mCPB^$!TY>hlaf9M>4^OjUwR}C$(XEQ_j$8&jz@(dCC+OAAE^tFiB%l^JETDO= zopwR~q|B3Ff9qR55e|}#$GXaRfOkMozYR(*qT;)bXO84`X*W&dik(d@|rC8;_BS zMr^`Y&R-JFHi#5fBylaR&R-h_ADl$`p5cC+wE}F0)UbS(Hs;2atDW9|D23Q zSYKRVZ9dUet{WU21;CVHm;)%BlwHd!2><357f8=cyUKKfUa30!#2kPu$0njTNWDHi zBO9M(#Ot*qLk;**1AfwXr-^+uJ`}mxuvpsKmJzUlxO*)fk%G7niBvSg-pcY&L~hUu zFQxB~5Ea;LS3oLZ0D)9A!uJ2vlrHb=%BomH)E>Jjz1=3?0A2y#8}*Bk*Txz5KKYo5 z(b1vE^-7hct!-I9YKSj4oHE@8lM;{s$i`!=4>*`?92}Crx^OLK??(Zt#2R8e13(K0 z$;M~V!a)MQJ9bsmD^+UNC3@wY{K=d4rey=sa}GVMsz9E>htoVa98TMzAj~MobA_gh j5GFRc8qZ7g`NjVM#UqWr*hXB600000NkvXXu0mjf`b7yq 
diff --git a/docs/official-docs/images/extensions/okta/okta_application.png b/docs/official-docs/images/extensions/okta/okta_application.png deleted file mode 100644 index ee2bf6beef5a7e0b15969744e3e32d6eccdf7e95..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 835 zcmV-J1HAl+P)(V&b#SG0Pg_K4LrIm;&NukN2!}sp;k|t^H($+sb?!CLm z`+xVn?|tw8b=i}1zyp>BaI9&fmL7-AUX;|lNG|_P}qf3LX1&Z z2jcaNsAs^SA~$;?5PvFv>;<_Dtjs`R4-|P^8Pm`J6W9XGz5y7UgL7Tp$ZeF0V#H3` zF(QoS38RL5)g~XGZ=W1wjq!PjADzSg-l@%f0ZjBn;O2Ai`P(PgVZ~r`70L&MfD({| z$`)9N>$&~L`<@?%Tn0W&Im0lJ^{K%uNVM0IZ>%^$b; z2!x;~;v}mPAClX#h8r&!9g{@l2L7(b-iwaH+G_wNe5icgEbvl^iZ@zCv-ujA7#L=uF$p+j#ZBfyH%1c=|jZ967V3EfcUe@biFE@iFAL0Z0Q=z#-HZrCFf+ltk%1vfYj-?W~!92z&XF1i?}aN7iqINt%ZrW(Js$T)D|Hw&QmGRleGB9{{YG2`s>1gTRQ*% N002ovPDHLkV1o4nf!6>4 
diff --git a/docs/official-docs/images/extensions/okta/okta_authorizationserver.png b/docs/official-docs/images/extensions/okta/okta_authorizationserver.png deleted file mode 100644 index c6e83af0944fa113b766d1c764979b080f580e75..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 892 zcmV-?1B3jDP)ZKTH!*9LGOgTu8NvhdMau@Vo21Uf(-f=r_5vckkZ&{_gkxH$wlg zfg-R3M$l+5U**s5W4E8|ptHAfF3_F$!P<7l1u84hO4Xr>;gG!f(TaZTR%HBg7brCaf6w zNl1RYaeZ=-GmbaJe^d^g04`8)M&-+gje}Ll-2ueJ9mft$kVjO{se8H2r(CEv;lsMz zFO}ZD-3__3pp5)+)P>^XDwKA>=U z7Sh9U^u>Ijoze?vLamWpNtH(B&;rUJ^;%~y=+5m)no!qF^}uU(wQOYzX%6;5+9(~0 z6B1H?-^g!>bgDZ<)pty(SmD?Q{41AZuNet5UyA%C3A%EuhN}x~hIM@y-H-~uE#!fj zw@}J)2pjPSCsg?`F}2yTeGRF=eq4Z12oFdXC*b|caGKKPosLts5OZsrQi6q9pjA1S zOg3mGR1w--A)h5S8zc=TWxxS=JPl6=986vu!G09)U25+~fKZ4vWIO|+p3cd_t(#G_ zR2%U7Pc)jvw6+Dj)RFg#Jg~>$!|5K^98Tk~5jBS6xlLdqM8!VQcwVN@Fa8fiZYiMH Si$Y)k0000ZO=}xh6o#KDA~G0D<07eUh49!oAR`w|YcQ#yNN&1l(naKz z=_XQk-P!#Gmj6Kl*>zzlixNY@^2SY|V3`&#yy+NhqD81D4%tYi9myMwH|^r;jz_Xa zU+xP7SN9&xd*+;bzHZS!6d(zt0oCyU7>=h1>;vWi@9qi}*aZF^@Y!@I=!#oi&JK{W5_yN!>RZQy=y;3EAT;`~H?tD)Uc!rBb+!RoNJwOA<#ADlo21Lm1UCA zNDGHNcUs^nu$l-32O`g(l-YUv7iPl(KnsUholl_p$6DmfhK2UxrF6#z;&R#ws0h>Z z=i`;Wd~Vb)ST63OSE?P)pML!nt6wBq_Vh}X&tGiGpHqNwTgn4kCLZGl?X#Zbre*Qv z&%aRq`yW@CSEpwvJ|Fi!ov`;NMn^Gfbs47PK+%KnM+P9bxX_avU~TUYj9UHL{-c>` zGIO&8e8PP{?){D-Om4%$kpUDBkOGlp`iXPXvM3zCxwbzU@Ka1bB>(Mw(s!rr{d}9O z8t{_{1?A6_2a(%J&rJ0s2hc0$9rtUNb){tEYF!fH*MjU^OfJ)2n)!OzWaA_qfBqAS z&)3mCPB^$!TY>hlaf9M>4^OjUwR}C$(XEQ_j$8&jz@(dCC+OAAE^tFiB%l^JETDO= zopwR~q|B3Ff9qR55e|}#$GXaRfOkMozYR(*qT;)bXO84`X*W&dik(d@|rC8;_BS zMr^`Y&R-JFHi#5fBylaR&R-h_ADl$`p5cC+wE}F0)UbS(Hs;2atDW9|D23Q zSYKRVZ9dUet{WU21;CVHm;)%BlwHd!2><357f8=cyUKKfUa30!#2kPu$0njTNWDHi zBO9M(#Ot*qLk;**1AfwXr-^+uJ`}mxuvpsKmJzUlxO*)fk%G7niBvSg-pcY&L~hUu zFQxB~5Ea;LS3oLZ0D)9A!uJ2vlrHb=%BomH)E>Jjz1=3?0A2y#8}*Bk*Txz5KKYo5 z(b1vE^-7hct!-I9YKSj4oHE@8lM;{s$i`!=4>*`?92}Crx^OLK??(Zt#2R8e13(K0 z$;M~V!a)MQJ9bsmD^+UNC3@wY{K=d4rey=sa}GVMsz9E>htoVa98TMzAj~MobA_gh 
j5GFRc8qZ7g`NjVM#UqWr*hXB600000NkvXXu0mjf`b7yq diff --git a/docs/official-docs/images/extensions/okta/okta_customrole.png b/docs/official-docs/images/extensions/okta/okta_customrole.png deleted file mode 100644 index 9cfcd1b037f580a80bd0d493787d52f7657dda32..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1123 zcmV-p1f2VcP)a$O^jLO1utTw_Ap*&ZPp(UnnxOG zcRt?dnRjO1d8diSp#tN;Z6M+(04YaV2A%@?8En@?1Xu$8J!4sN2&{^x8f_}@12Ah> z_y$zEhkH;$3UZf>+~ozp(DGOX3qv!=#M2!9V>s>10Y6d2Bh>_`zzQ%5;Ex3ePew|F z^^w=4iKp$VHQ<(;2sZ(vMRK(*sPNU)HIz_$L&TLZv^<-O36A$oisZM7VyX&I zfxiINH=r_fXBf%baxQWkR^f!r#RLaQ-4@Z0!xNqg@)esrIy3gkAG!3+DhA4oM9e;xv({#bzEjgTw(=HdoN zyGH=111kP+dQk^EOQi`g_f3v=k9hxT7bVor95_LbFXUI{&^myL1rLU=M_AJ1uERstqK1er$9d2;y;$>lc<^{s^5 z<)tmC*j||MAYyyf&GUc29}C!@w>=c&wGvW3n*aw_q$EJ@l0TaO$t&5PJ_!g50rl5k z2`OB^7b6o-v-R_9hVG0Y$x>OLtzTYa=FB>FO2>Rus@3r{MA)zjR%O+xK8->Gc7U*% zE7bLZq2+mYcct{dxwvsAGN+v));)+UrmovA5)KdQQc=LTp&6)yoizu_T{7XxelpMB zp(k|$v0hpoo7XB>Wa972m&gTjVu7qfBe1d_=>bFUu`%bvL#2#w(3D7 z2af@Eo}_9HwhAY_efl?Mu23?jZ||2%J@N{U$AE4pBy%8K<7VVMLCS56q2-sokuKW?x6I^qV_D+SmhQh?7ls512J1tq0R2@bY(fCI$cQ%W3~EBc$j zZ@|=X&XjXoIXc1}TaujF}qgm}L zlDw8sjdl@hO?&GR9>E=8QeHWNw%`AbPYaryS4 z$pL!%2AQ~gn_xKZ;E>PlGw=)WlV6WAap`mNvYFxEmEZWZS87Y>@eVR_?gxCTGhV8d z6048q(^g3}TZK}%S8R>Foyr)4t%A_g>I79cix-8D(4uyM=+ngUFLNHT8s`C-r>2;tYGvN@$7 zayvuOGe=G?5w0)81%+C^_UoM`n@(WkidX`C>QL7N^m+&6Z9oA|0$o{u3ENH^SK7VU z4Jg1Sh!d<^u;qz$1>s_3itGxidpq*BUmId}lf8f%M;&HTLYApL<5BU3** z`nHlwRQEZm0gSapdHVn;cxsIVFuRppB69j-(-TqEqt=PITg_o|h=%4XI}X^41;OH1}8@yEkCx%TUb6S&YQK#E8Kfg>`d zMa0=-nbMwy_bb42;JdP!?aOceg%%pYI}q%M+{_ugdVEvI^3X^3Z4lq1A zLu~Te0SlAg*-E~UU5;sYBS4C{fhf-a@as{+U(KNEQ9Q>7tleVf3_g9_!OU-ve*2=a zG+RJ8?v9Jq2ymZ+7pM0*WO3RE4KakO@LsCGnaEm{Q00000 LNkvXXu0mjfsmaZS 
diff --git a/docs/official-docs/images/extensions/okta/okta_group.png b/docs/official-docs/images/extensions/okta/okta_group.png deleted file mode 100644 index 7ec63f5d4e1e98e20e4c8c42ba25196c6429d32c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 943 zcmV;g15o^lP)igj(pWE7+(OI!lIg53%|(^a?*zk7G@l9zZ(=FjD>w~NqI~EpF^uMpSd;Jr zC49elb>Sd9_KOlfx(t&73qUHFkey#Qw$~(Z5f}S`ty~aCOwZBY<$Zn;DmAz_>HiJ` z_6_gnBaq5x;pLNP%*uz7a-MJflL6h_AU-~Jdd1`;GD;guRJt;%klhS0WlTIVU6(~$3_Rax7N_#h+`{_hw-0dQC5 z%|&HsASfuaGeXOxTT5>yEn~AY0WCgg=D9NO&nd+4>a{8GoQ7XSfS|;B(Hw%J>1EhH z4Xma^lNI+BFfp}m`S}aTIRNl(HcZc?g{IF@bW<(q>kU485L0koZ=I-6sR^Sf0Sdv+ zJEil@5qU>apq)~C-{f1JkljEj0MbOXJ?-|35=?-*zKr|(JMPp(YYS;Kvt}L&nk+kp^l(PTdJ3jSTRI&hswd%i(0M3mg={y5xPbDZXs<&{m#(1aelrj4 zEC48})35+c=dqAs1pL>DaBD@nUq)fViJDuzPVltfzRmlonTugK&=8)?dAlZ@6N=MVz8)S>R znpICE#hR?Pi1eJ7zO2Uax~49l0$048Hp4=EsIKQ0ko3l?$PR6!w3mpu<9|g(6eVc4 RWx4ZJ!n%=6vux}D`*Gv#0)NJUZ-}^q@q*6v`BHY1-rPULI($} z6ohtBno<`9L9L_GkEMeO4Q|%bR&Y_ViIbgtd7Xq55{D=_)Zx7QzM7=(#r)yIyYJn1 z&;Oot?)m5-I5Z#wi~_oA02r>Z25bYB5PLU;4lDu(A;+SNU_*2?`KAH0z?6D%sSid5 zAlUyDi%dfT8t?Va@M=f(o_m~ z+64@PI7yIuUMj=(cNl&I>(h?8Qay)FH=mc_J_2NEFPY z*ZPr7+mEANSn)d9!10VSnETHBn=8yJ5^hZdflHQd6G+ri|Fd*r-Uj!&YefA^ggKZM+hWFFKv!%;%i(N<+lPHxB zZ*XTAt`5l6v;Wxh`h^l6#tEx6`>~=3WQwK)5I^)-7t?BsLJ9*Z+#hPqZ)FfQWN3Ub)U23 zd1^up@rPulUmUERxG-zmzKCStil2ZYVF1xgKfJ!(o}zT@xukHQikQ1@QHu3p5U8r0 z-%7ewP&Ri7AH>%iG;2(@fF!_p8t#Q`OdjN6*}3l?wFe=fNK7H^86dYKo0hwM@`Q6+ z3MTye?X+e-t<51dXUom1j>L(u&FK>V*_`^JA!=0ZxrSvTM8y@H_I!(gC;kTnYAo;= SjeKkX0000ZO=}xh6o#KDA~G0D<07eUh49!oAR`w|YcQ#yNN&1l(naKz z=_XQk-P!#Gmj6Kl*>zzlixNY@^2SY|V3`&#yy+NhqD81D4%tYi9myMwH|^r;jz_Xa zU+xP7SN9&xd*+;bzHZS!6d(zt0oCyU7>=h1>;vWi@9qi}*aZF^@Y!@I=!#oi&JK{W5_yN!>RZQy=y;3EAT;`~H?tD)Uc!rBb+!RoNJwOA<#ADlo21Lm1UCA zNDGHNcUs^nu$l-32O`g(l-YUv7iPl(KnsUholl_p$6DmfhK2UxrF6#z;&R#ws0h>Z z=i`;Wd~Vb)ST63OSE?P)pML!nt6wBq_Vh}X&tGiGpHqNwTgn4kCLZGl?X#Zbre*Qv z&%aRq`yW@CSEpwvJ|Fi!ov`;NMn^Gfbs47PK+%KnM+P9bxX_avU~TUYj9UHL{-c>` 
zGIO&8e8PP{?){D-Om4%$kpUDBkOGlp`iXPXvM3zCxwbzU@Ka1bB>(Mw(s!rr{d}9O z8t{_{1?A6_2a(%J&rJ0s2hc0$9rtUNb){tEYF!fH*MjU^OfJ)2n)!OzWaA_qfBqAS z&)3mCPB^$!TY>hlaf9M>4^OjUwR}C$(XEQ_j$8&jz@(dCC+OAAE^tFiB%l^JETDO= zopwR~q|B3Ff9qR55e|}#$GXaRfOkMozYR(*qT;)bXO84`X*W&dik(d@|rC8;_BS zMr^`Y&R-JFHi#5fBylaR&R-h_ADl$`p5cC+wE}F0)UbS(Hs;2atDW9|D23Q zSYKRVZ9dUet{WU21;CVHm;)%BlwHd!2><357f8=cyUKKfUa30!#2kPu$0njTNWDHi zBO9M(#Ot*qLk;**1AfwXr-^+uJ`}mxuvpsKmJzUlxO*)fk%G7niBvSg-pcY&L~hUu zFQxB~5Ea;LS3oLZ0D)9A!uJ2vlrHb=%BomH)E>Jjz1=3?0A2y#8}*Bk*Txz5KKYo5 z(b1vE^-7hct!-I9YKSj4oHE@8lM;{s$i`!=4>*`?92}Crx^OLK??(Zt#2R8e13(K0 z$;M~V!a)MQJ9bsmD^+UNC3@wY{K=d4rey=sa}GVMsz9E>htoVa98TMzAj~MobA_gh j5GFRc8qZ7g`NjVM#UqWr*hXB600000NkvXXu0mjf`b7yq diff --git a/docs/official-docs/images/extensions/okta/okta_organization.png b/docs/official-docs/images/extensions/okta/okta_organization.png deleted file mode 100644 index e98cb538ece1b6c7e67a7a3ee34ccdeb01a28435..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1290 zcmV+l1@-!gP)Mot=wQ6jR+*o#IqVhPxq$lv^0$!j=Vzl7)(a zfdNLCBBYZF(giU=`xgX+Q0Z_8DGM18=`pYbi3Eu(L5(x^PVGg)=5o%RJNQTJ^P4m& zt@@QL`SttweZKGWJn!>7uf)-z1K$GYf$`V_uoZir0lxz6W2}8B#(_n^JLa<(BX}UB zL*{hg2jF`6K`9m)nw}27S$Z?$s3Ebt4^86?%Q8>$(bgettMP6rsFc8%Yiviibdf$x9fFW%K~7iQUPFhbu}f| zeg8fo<60JWy`GZG6bfX=#=_wl89%o(G(DXX9yE0}a8Gcg64-t7CLsg9Yx>P*N;YSj z;p=&sAYW$%z8^Gorcj{YY|x90)r9D^ zT4eJ1#5a+(r2XVJD&bcyzIyyvNFW}~O0kINI4NQwvW9`AX$hs0rU|Y4`=v{Oe+vFr zWC05>dISCg=rkHQ&!0!*FYnyJa~%FW;E0{9R>|b^iTPpEp6mq9eBPj}do0|+(DtN9Nop0e+hjQ4G{hRpX=FQOeYxotoJxCxVu?39& zM@{Jte(e!9rQkP;&w=mztyZqPzD{;xA{7%yg=<-~7Z&LGM{@^%=UZ`^!!9N(KpFh{ zJ#yi~@h&D$pT^I7!t6&O5R$l#e?0^I)SNTTsOp9J!40ZrbTvz6)!V?2BIQTLIPieu zUrrzJnU~W+==f#~uje{}i||d{X8(G=!V!1;7pOS^Y_lcW+W-In07*qoM6N<$g8QCe ARsaA1 
diff --git a/docs/official-docs/images/extensions/okta/okta_policy.png b/docs/official-docs/images/extensions/okta/okta_policy.png deleted file mode 100644 index 5d7b34301265e1b823b21002f11a8aa2737ecad5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1066 zcmV+_1l9YAP)ZOK2Nc6ox;miv(iFGA>~RQL2>5Mp3tVO74B?58XVo1rx&O+Xdpe{0KppfbnXjkoG zbd`}tGkUl`49wg+=luVix%b?2#uyx4;3HrT2v{zFW6Sjn_ywpA;oB7fAOrk6uNYNLU55!>)uC(ofT; zBJRe@rz=84$M1O0^3FOiCkJI7Wgl_o>={>w2QLqJ^3@Y|cXpY2f2!~Lh|EUV-PxsC zZ%V*Fz#hDdKmarJZ2Yw0_|Kd5Ci~C#(NY?fa;0O==l79RlSF1CjGrIxX|ES`mOow= zkC%aC5rGt-MB`Czes%92k1Vkm(E4 z7$=6`qJH{&I3iFY9@i^rHu7jCm zy2(q$(#Yfh+nd{ziXBM_pWlZZl*Qw94`yyBG8?fuXw(}cle_td#-rkP&O<9-TU50% zasG5Uz{!V&E6^4oU6kxEUbTxF7QK8}cFCj%_yBO+$GsvmFu8-RWt%IWeomCIGO~a{ zY(2mqfGx2IBo-4R3vja4i@Lad?ZK>K#EE5t>%!K~rff4=W%5Sj@QUyKh-9$$vgs`O?YtQ32>T!cga{S0Jp;_6 zH5QK{2W8GpoNMnEy{PlH@s`q2iF_{KT?MUS)|?|Zs{ue`_~umOl+9^3yqIAW?YWoM kFTxCQm3Qs=9s_>ye~?OamESkVJ^%m!07*qoM6N<$g5VASeEwMP$ez;X&6HM3qGnUc6OW+;*ts z4uKAWx@794^HNWR8oXt&tW5DDXG;bn2?7BPsXPd2DEN%6MP5$I;!N)F?p>a2%eu4M ze&OKWyZ3(I-~E2?{r)__J9Hoo@aUx@|swuo-mQbZQmOdq=7q6WC^gMJ6er19iXvSk4zo zl}wj#8isv~cRMDX+Mb+h1KFFDxJd!SA=l?)30Ai%gyV)M;;R^R+q^2}81+wZ$g_?z z6BW>bV?bX_rulZ~fSEb{PUI37Bb!&H9A~YjRALFm5~>2O*%y;(zNe32)mGQru<)cp!a5zqrb21JnYa?itY!xbX$`RY~$ zfYVlE>NyE5M468zWU$I;h}h2KmE2TvfKmU1vsRP$)opj~eRZ3&R#P6ZsZh>FE`SrS zy#||M-{NH!P`#Ku#|^OYrEq=T-TkB&4%6?3Ox zb60%);N~LRRY1|o6T-0sYt=ey)jHu=!q;Af%hC`v9Dg4k_!5#TnM9HqC-IoR_I7F& z`FfxM4S=&&lc5hc1eI(V^ieYm`<7a=H8ezC-UE?x|7$25dw?Bq1}0GK)b{wQuyHLa z-V~%7Tfe#iMLATr?h!?+TPKv#YF 
diff --git a/docs/official-docs/images/extensions/okta/okta_resourceset.png b/docs/official-docs/images/extensions/okta/okta_resourceset.png deleted file mode 100644 index 17e5e04911f20ed887807a58b802c74f76cffa5a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 975 zcmV;=12FuFP)I%rPJlEQzWG zescm>fU{yF7;w`X^x{`tcs&lho*Dom(G(edjyJJs9t_8L6PuRLxeDB%ghomcZ~}h; zO#mG&D(8;}EP>xcLd((@3iDt%CblMk{l!QWBhX|DcluQq*U#;yaZ8;o!TE?pQ=IA< zBRQpG3g2&%DM`Qyya$}YfSbFQ_EB3?y(r-V>Fg}0dPW%!PYDtYNScrdSZWUj+&ujA z;F1LAqy55jK_bT-tE6xK0NVVji%`!2)>f}7JY@-J4SIPr`hko-w+Z+k7=d{W_%Kw@ zvzv!=Y<_#_El>YR796<2QO)Ti+t{<+W1B=In&Qxz$70z4#KkrHfu@cYl@mX1wf@i- z3iJEm1PM(q81Ir9^OaZGCgHAIM?%wuo4SCZDh%6C1H2eGlH+Ra7ls)RYqoEgkH#%^ z+_|_Hug78SCA2KNet9I8E(K@?BgokGbGwK{Q(V6FGH1{0sll(h#Ijkzi0!lny%iNM zkjc&#>~*xLV%nx)#%qbyvO|*Pvk1s`T5fD`tP#^%1=ws5sI2`Lg5>5+%8E%X0R{K~ zhI_0OBGHtXPAV8x3<*tNF#;KVPE2Pk0(nKmvOz9Ebzm0G+*Kq>IGwr6Qf3rL%WTEW1saITg_aa5$sSZF=?ZM>%0s z1V42>%x@%L*DAdO*et0>Jc{JsEBfMW?w zUpxBpKXz{0h`VmxqJ&4HDSrNKSiJf)M(q)ozgeg;83A?x9BonQDzh=U77BBJ-rpxp z;kFtRnZ#L)_6&eV)kVia6~F3Y{SRv_Z;3=xeEMv*X3t|pa-(WDM$NhCX4MA_Qhswf x$P$~=d^j=GDB5!;rin0AJi~l@K7!2~e*-i%OY+qbX1)Lb002ovPDHLkV1g=gwXgsH 
diff --git a/docs/official-docs/images/extensions/okta/okta_role.png b/docs/official-docs/images/extensions/okta/okta_role.png deleted file mode 100644 index 9cfcd1b037f580a80bd0d493787d52f7657dda32..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1123 zcmV-p1f2VcP)a$O^jLO1utTw_Ap*&ZPp(UnnxOG zcRt?dnRjO1d8diSp#tN;Z6M+(04YaV2A%@?8En@?1Xu$8J!4sN2&{^x8f_}@12Ah> z_y$zEhkH;$3UZf>+~ozp(DGOX3qv!=#M2!9V>s>10Y6d2Bh>_`zzQ%5;Ex3ePew|F z^^w=4iKp$VHQ<(;2sZ(vMRK(*sPNU)HIz_$L&TLZv^<-O36A$oisZM7VyX&I zfxiINH=r_fXBf%baxQWkR^f!r#RLaQ-4@Z0!xNqg@)esrIy3gkAG!3+DhA4oM9e;xv({#bzEjgTw(=HdoN zyGH=111kP+dQk^EOQi`g_f3v=k9hxT7bVor95_LbFXUI{&^myL1rLU=M_AJ1uERstqK1er$9d2;y;$>lc<^{s^5 z<)tmC*j||MAYyyf&GUc29}C!@w>=c&wGvW3n*aw_q$EJ@l0TaO$t&5PJ_!g50rl5k z2`OB^7b6o-v-R_9hVG0Y$x>OLtzTYa=FB>FO2>Rus@3r{MA)zjR%O+xK8->Gc7U*% zE7bLZq2+mYcct{dxwvsAGN+v));)+UrmovA5)KdQQc=LTp&6)yoizu_T{7XxelpMB zp(k|$v0hpoo7XB>Wa972m&gTjVu7qfBe1d_=>bFUu`%bvL#2#w(3D7 z2af@Eo}_9HwhAY_efl?Mu23?jZ||2%J@N{U$AE4pBy%8K<7VVMLCS56q2-sokuKW?x6I^qV_D+SmhQh?7ls512J1tq0R2@bY(fCI$cQ%W3~EBc$j zZ@|=X&XjXoIXc1}TKpL6o$VDUg{3wpsW(JX(J=AG9)!XGm3S$05RpZ9$U$o znxU5D#hn_<9UH`Cf@W(&jSbL*g0)(qHg6@p+5$J5_MED`N=Pq5V!}FmT zHaS2oNkozWH6WLiyu!2Z4Ag>}ig+51=df|8;azwHF75@CeLi$`< ziadmW<+E|9F*qHBBJL2gL|i~*_DZqBo5%J?5l`cb{c0#;!X0q|2S8KFE4=y9p1E>s zWby0kUSi+(UpCQ7T4JAnKLw9r$n==w1BTUc9-n&GfTO*4XLlf)7nzK&O)-)cL z^+X|#=diYWH~hQA81C5`6&)8+0OK=f*7ylHo`ZR8pypN7yh`^~XCeTlL5$1IAaXeRqxmsD zj&GiBarnANf7EBs>MleMU=EG&)mi~;fWhei_dJ~&0Cs+FeRxm;+;cacve_BLy=($> ztwB?-4$=EG3l%1N{VwLQ z5jIVjJ&k}+L<>=#0ifnp^z{ZxUM2fkHoDau&*AdlOHrB~Ux(=cT|~ycv_EA;(z2iB5)DH#6H*MxlPIy{||&%dCV~!NxA?4002ovPDHLkV1n1#?P>r3 
diff --git a/docs/official-docs/images/extensions/okta/okta_user.png b/docs/official-docs/images/extensions/okta/okta_user.png deleted file mode 100644 index 18f764474dea816920e037de96d451778aa18106..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1056 zcmV+*1mF9KP)ZKWrOi7{-4-pY7T;_Qn09P)pPiifkcO4N|hOkY-{_2IxeW zGG(f#PL^q0y^Eqed{yEJf zopg8Kz2EcP`+e{Gy>E!%P=JqtB_LY64N;Tbj^*eCGNraPtnLfFakB9m4y%dFn9Ef-ns%CJf++erUqfdUL zFUD1X0+az|HW}g3REm@=or>H-)97)h+~h^8Yl)b`<_Y`kmfMxtWQ5ge<*ms9QnJMA zw8CsMGQ?qx+ZXjKU@0FD^WFPtVv^VX1hs9jUf0>u45CtqixF?J3+X89b)5tAXcEwY z4LDwc9K!Ydl%Mcj^RKIi{P3?f^zPQ>1b4INy+vyVpKb43k5fR!^1wr2W-$}v=B2pj zB;W37Jo!gE@qX*D3!xBm!qtwr7?IfRm{yoh0Ba${dh7$Ne~|GFwU4&`D}66bE@Aa=YTvavAv_<(0#LgaQ9(otVyKfDtT7B!2R zbJp#WL_c2_;=z*5=a&=i6JI#zI%bEBD>o2uB^oTvE>9-NJBZE4WtJ!1#o1x=R62w> zx%lJ5OM#3neE+)5cH0<`-|~r`QC$1&H2|ke@-Q}`8)RSyxLVcC;HO=u$KRcyBbRrh zVY1O+n^4sZ>-MFLsA8_}cKiiwwz_;%ZP_OnLLnh@H=FcKMlcl0b*V1^we38qg;GuD z_N%%pIfy^I{i<%S1DwA*=Bh}D8jk0Uj;F!Bou=occHG-(dj3$U_QtwhljxsHFIruy zy6I@}c<*HH_k){FRX6P=+lGWF4xS04Lr0_Mb#IrBV`JlZMt={0C>$x(^b>1b?fB<+ zH;meg8p=i`7L*uG^JpycR5&ygmQABavD~m8SNfbo zHKBso57+0C5uQvdoFzV0Yu4JoM4Z6&Q2~~S3Xq;lMtFEeMQO3zWK$HS4aC{wSd`Kq zm!k10000 - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_AddMember edges represent custom role permissions that allow a principal (user, group, or application) to add or remove members in scoped Okta groups. These edges are created when a custom role includes the `okta.groups.members.manage` or `okta.groups.manage` permissions. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - g1("Okta_Group Finance") - g2("Okta_Group Tier 0 Admins") - app1("Okta_Application Automation") - u1 -- Okta_AddMember --> g1 - app1 -- Okta_AddMember --> g2 -``` 
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx deleted file mode 100644 index 1edd756..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_agentmemberof.mdx +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: 'Okta_AgentMemberOf' -description: 'Membership of an Okta agent in an agent pool' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -Okta_AgentMemberOf edges represent membership of an [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) in an [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool). - -Active Directory Agent Pools and their agents can be visualized in BloodHound as follows: - -```mermaid -graph LR - ap1("Okta_AgentPool contoso.com") - ap2("Okta_AgentPool adatum.com") - a1("Okta_Agent CONTOSO-SRV1") - a2("Okta_Agent CONTOSO-SRV2") - a3("Okta_Agent ADATUM-SRV1") - a1 -- Okta_AgentMemberOf --> ap1 - a2 -- Okta_AgentMemberOf --> ap1 - a3 -- Okta_AgentMemberOf --> ap2 -``` - - -Traversable edges between [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) and AD Domain nodes are not modeled in the current version of the Okta BloodHound extension. Support for this is planned for a future release. - diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx deleted file mode 100644 index 7768ad3..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_agentpoolfor.mdx +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -title: 'Okta_AgentPoolFor' -description: 'Relationship between an AD agent pool and its backing AD application' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -Okta_AgentPoolFor edges connect an AD [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) to the backing [Okta_Application](/opengraph/extensions/okta/nodes/okta_application) used for directory integration. -```mermaid -graph TB - subgraph Active Directory - d1("Domain contoso.com") - c1("Computer CONTOSO-SRV1$") - c2("Computer CONTOSO-SRV2$") - d1 -- Contains --> c1 - d1 -- Contains --> c2 - end - - subgraph Okta - ap1("Okta_AgentPool contoso.com") - a1("Okta_Agent CONTOSO-SRV1") - a2("Okta_Agent CONTOSO-SRV2") - app1("Okta_Application AD contoso.com") - a1 -- Okta_AgentMemberOf --> ap1 - a2 -- Okta_AgentMemberOf --> ap1 - ap1 -- Okta_AgentPoolFor --> app1 - end - - c1 -- Okta_HostsAgent --> a1 - c2 -- Okta_HostsAgent --> a2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx deleted file mode 100644 index a5263ea..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_apitokenfor.mdx +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -title: 'Okta_ApiTokenFor' -description: 'User ownership of an Okta API token' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_ApiTokenFor edges represent the API token assignments for users in Okta, represented by the [Okta_User](/opengraph/extensions/okta/nodes/okta_user) nodes: - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - t1("Okta_ApiToken Test App") - t2("Okta_ApiToken Postman") - t3("Okta_ApiToken Python Script") - org("Okta_Organization contoso.okta.com") - t1 -- Okta_ApiTokenFor --> u1 - t2 -- Okta_ApiTokenFor --> u2 - t3 -- Okta_ApiTokenFor --> u2 - u2 -- Okta_SuperAdmin --> org -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx deleted file mode 100644 index f2b2156..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_appadmin.mdx +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: 'Okta_AppAdmin' -description: 'Application administrator role assignment' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_AppAdmin edges represent Application Administrator role assignments. Application Administrators can manage application configurations, user assignments, and provisioning settings for their assigned applications. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - g1("Okta_Group Salesforce Admins") - app1("Okta_Application GitHub") - app2("Okta_Application Salesforce") - is1("Okta_APIServiceIntegration Elastic Agent") - u2 -- Okta_MemberOf --> g1 - u1 -- Okta_AppAdmin --> app1 - g1 -- Okta_AppAdmin --> app2 - u1 -- Okta_AppAdmin --> is1 -``` 
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx deleted file mode 100644 index 9ca1b1f..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_appassignment.mdx +++ /dev/null @@ -1,40 +0,0 @@ ---- -title: 'Okta_AppAssignment' -description: 'Assignment of users or groups to an Okta application' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -Only users that are assigned to applications can access them. Users can be assigned to applications directly or indirectly through group memberships. - -The non-traversable Okta_AppAssignment edges represent the application assignments for users and groups in Okta: - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - u3("Okta_User mary\@contoso.com") - u4("Okta_User bob\@contoso.com") - u5("Okta_User alice\@contoso.com") - g1("Okta_Group Engineering") - e("Okta_Group Everyone") - a1("Okta_Application SalesForce") - a2("Okta_Application GitHub") - a3("Okta_Application VPN") - e -. Okta_AppAssignment .-> a1 - u1 -- Okta_MemberOf --> e - u2 -- Okta_MemberOf --> e - u3 -- Okta_MemberOf --> e - u4 -- Okta_MemberOf --> e - u3 -- Okta_MemberOf --> g1 - u4 -- Okta_MemberOf --> g1 - g1 -. Okta_AppAssignment .-> a2 - u4 -. Okta_AppAssignment .-> a3 - u5 -. Okta_AppAssignment .-> a3 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx deleted file mode 100644 index dcc763d..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_contains.mdx +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: 'Okta_Contains' -description: 'Contains relationship between the Okta organization and its objects' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_Contains edges represent the containment relationships between the organization and other entities in Okta. The organization node will have Okta_Contains edges to all other nodes in the graph, with some exceptions. - -```mermaid -graph LR - org("Okta_Organization contoso.okta.com") - user1("Okta_User john\@contoso.com") - group1("Okta_Group IT") - app1("Okta_Application GitHub") - role1("Okta_Role Super Admin") - device1("Okta_Device John's MacBook") - realm1("Okta_Realm EU") - cr1("Okta_CustomRole Help Desk") - rs1("Okta_ResourceSet HR Resources") - ap1("Okta_AgentPool AD Sync Pool") - as1("Okta_AuthorizationServer Default Server") - ip1("Okta_IdentityProvider Google IdP") - is1("Okta_APIServiceIntegration Elastic Agent") - p1("Okta_Policy Idp Discovery Policy") - org -- Okta_Contains --> user1 - org -- Okta_Contains --> group1 - org -- Okta_Contains --> app1 - org -- Okta_Contains --> role1 - org -- Okta_Contains --> device1 - org -- Okta_Contains --> cr1 - org -- Okta_Contains --> realm1 - org -- Okta_Contains --> rs1 - org -- Okta_Contains --> ap1 - org -- Okta_Contains --> as1 - org -- Okta_Contains --> ip1 - org -- Okta_Contains --> is1 - org -- Okta_Contains --> p1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx deleted file mode 100644 index 688d6c5..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_creatorof.mdx +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: 'Okta_CreatorOf' -description: 'Creator relationship for API service integrations' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable Okta_CreatorOf edges represent the creator relationships between API Service Integration instances and users in Okta: - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - is1("Okta_APIServiceIntegration Elastic Agent") - is2("Okta_APIServiceIntegration Falcon Shield") - u1 -. Okta_CreatorOf .-> is1 - u2 -. Okta_CreatorOf .-> is2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx deleted file mode 100644 index c612769..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_deviceof.mdx +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: 'Okta_DeviceOf' -description: 'Ownership relationship between a device and its assigned user' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable Okta_DeviceOf edges represent the ownership relationships between users and devices in Okta: - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - d1("Okta_Device John's MacBook") - d2("Okta_Device Steve's iPhone") - d1 -. Okta_DeviceOf .-> u1 - d1 -. Okta_DeviceOf .-> u2 - d2 -. Okta_DeviceOf .-> u2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx deleted file mode 100644 index f8fc66c..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_groupadmin.mdx +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -title: 'Okta_GroupAdmin' -description: 'Group administrator role assignment' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_GroupAdmin edges represent Group Administrator (also known as User Administrator) role assignments. Group Administrators can manage users and groups within their assigned scope. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - g1("Okta_Group Marketing") - u1 -- Okta_GroupAdmin --> u2 - u1 -- Okta_GroupAdmin --> g1 - u2 -- Okta_MemberOf --> g1 -``` - -Target group memberships are flattened when the assignment is evaluated. diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx deleted file mode 100644 index 0c3b01c..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_groupmembershipadmin.mdx +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: 'Okta_GroupMembershipAdmin' -description: 'Group membership administrator role assignment' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_GroupMembershipAdmin edges represent Group Membership Administrator role assignments. Group Membership Administrators can add and remove members from groups within their assigned scope but cannot modify the groups themselves. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - g1("Okta_Group Marketing") - g2("Okta_Group Sales") - u1 -- Okta_GroupMembershipAdmin --> g1 - u1 -- Okta_GroupMembershipAdmin --> g2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx deleted file mode 100644 index 39b4564..0000000 
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppull.mdx +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: 'Okta_GroupPull' -description: 'Import of group memberships from an external application' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_GroupPull edges represent the group synchronization relationships from applications to Okta: - -```mermaid -graph LR - g1("Okta_Group HR") - app1("Okta_Application contoso.com") - app1 -- Okta_GroupPull --> g1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx deleted file mode 100644 index a748e43..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_grouppush.mdx +++ /dev/null @@ -1,21 +0,0 @@ ---- -title: 'Okta_GroupPush' -description: 'Provisioning of group memberships to an external application' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable Okta_GroupPush edges represent the group push assignments to applications. This indicates group provisioning and membership synchronization from Okta to external applications. - -```mermaid -graph LR - g1("Okta_Group Engineering") - app1("Okta_Application contoso.com") - g1 -. Okta_GroupPush .-> app1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx deleted file mode 100644 index f546182..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_hasrole.mdx +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -title: 'Okta_HasRole' -description: 'Assignment of a built-in or custom role to a principal' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable Okta_HasRole edges represent the role assignments for users in Okta: - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - g1("Okta_Group IT") - a1("Okta_Application Python Script") - r1("Okta_Role Group Administrator") - r2("Okta_Role Application Administrator") - u1 -. Okta_HasRole .-> r1 - g1 -. Okta_HasRole .-> r1 - g1 -. Okta_HasRole .-> r2 - a1 -. Okta_HasRole .-> r2 - u2 -- Okta_MemberOf --> g1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx deleted file mode 100644 index 9a6f64c..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_hasroleassignment.mdx +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: 'Okta_HasRoleAssignment' -description: 'Relationship between a principal and a role assignment' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The Okta_HasRoleAssignment edges connect users, groups, and applications to their respective [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes. The [Okta_ScopedTo](/opengraph/extensions/okta/edges/okta_scopedto) edges connect the [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes to the resources they are scoped to, such as the organization or specific groups or applications. - -```mermaid -graph TB - ra1("Okta_RoleAssignment Help Desk Administrator") - ra2("Okta_RoleAssignment Super Administrator") - r1("Okta_Role Help Desk Administrator") - r2("Okta_Role Super Administrator") - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - u3("Okta_User alice\@contoso.com") - g1("Okta_Group Seattle Help Desk") - g2("Okta_Group Seattle Office") - org("Okta_Organization contoso.okta.com") - - u1 -- Okta_MemberOf --> g1 - g1 -. Okta_HasRoleAssignment .-> ra1 - g1 -. Okta_HasRole .-> r1 - g1 -- Okta_HelpDeskAdmin --> u3 - u3 -- Okta_MemberOf --> g2 - ra1 -. Okta_ScopedTo .-> g2 - u2 -. Okta_HasRoleAssignment .-> ra2 - ra2 -. Okta_ScopedTo .-> org - u2 -- Okta_SuperAdmin --> org - u2 -. Okta_HasRole .-> r2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx deleted file mode 100644 index 2c24393..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_helpdeskadmin.mdx +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: 'Okta_HelpDeskAdmin' -description: 'Help desk administrator role assignment' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_HelpDeskAdmin edges represent Help Desk Administrator role assignments. Help Desk Administrators can perform password resets, unlock accounts, and reset MFA factors for users within their assigned scope. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - g1("Okta_Group Help Desk") - u2("Okta_User alice\@contoso.com") - u3("Okta_User bob\@contoso.com") - u1 -- Okta_HelpDeskAdmin --> u2 - g1 -- Okta_HelpDeskAdmin --> u3 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx deleted file mode 100644 index 2992119..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_hostsagent.mdx +++ /dev/null @@ -1,34 +0,0 @@ ---- -title: 'Okta_HostsAgent' -description: 'Relationship between an AD server and the Okta agent running on that host' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -Hybrid Okta_HostsAgent edges connect an AD Computer node to the [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) running on that host. - -```mermaid -graph LR - subgraph ad["Active Directory"] - d1("Domain contoso.com") - c1("Computer LON-SRV1$") - c2("Computer NY-SRV2$") - d1 -- Contains --> c1 - d1 -- Contains --> c2 - end - subgraph okta["Okta"] - ap1("Okta_AgentPool contoso.com") - a1("Okta_Agent LON-SRV1") - a2("Okta_Agent NY-SRV2") - a1 -- Okta_AgentMemberOf --> ap1 - a2 -- Okta_AgentMemberOf --> ap1 - end - c1 -- Okta_HostsAgent --> a1 - c2 -- Okta_HostsAgent --> a2 -``` 
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx deleted file mode 100644 index 6c089a6..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_identityproviderfor.mdx +++ /dev/null @@ -1,26 +0,0 @@ ---- -title: 'Okta_IdentityProviderFor' -description: 'Trust relationship between an identity provider and Okta users' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_IdentityProviderFor edges represent the relationships between identity providers and the users who authenticate through them: - -```mermaid -graph LR - idp1("Okta_IdentityProvider Google") - idp2("Okta_IdentityProvider Contoso SAML") - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@gmail.com") - u3("Okta_User bob\@contoso.com") - idp1 -- Okta_IdentityProviderFor --> u2 - idp2 -- Okta_IdentityProviderFor --> u1 - idp2 -- Okta_IdentityProviderFor --> u3 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx deleted file mode 100644 index 99b7765..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_idpgroupassignment.mdx +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -title: 'Okta_IdpGroupAssignment' -description: 'Identity provider group assignment to an Okta group' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable Okta_IdpGroupAssignment edges represent groups automatically assigned to users based on identity provider attributes or user claims: - -```mermaid -graph LR - idp1("Okta_IdentityProvider Microsoft Login") - g1("Okta_Group Contractors") - g2("Okta_Group Employees") - g3("Okta_Group Entra ID Users") - idp1 -. Okta_IdpGroupAssignment .-> g1 - idp1 -. Okta_IdpGroupAssignment .-> g2 - idp1 -. Okta_IdpGroupAssignment .-> g3 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx deleted file mode 100644 index f132d1d..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundorgsso.mdx +++ /dev/null @@ -1,24 +0,0 @@ ---- -title: 'Okta_InboundOrgSSO' -description: 'Single sign-on from an external organization into Okta' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The Okta_InboundOrgSSO and [Okta_InboundSSO](/opengraph/extensions/okta/edges/okta_inboundsso) hybrid edges connect external tenants and users to Okta entities: - -```mermaid -graph LR - t1("AZTenant Contoso") - idp1("Okta_IdentityProvider Microsoft Login") - u1("AZUser alice\@contoso.com") - ou1("Okta_User alice\@contoso.com") - t1 -- Okta_InboundOrgSSO --> idp1 - u1 -- Okta_InboundSSO --> ou1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx deleted file mode 100644 index e5bf4fe..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_inboundsso.mdx +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -title: 'Okta_InboundSSO' -description: 'Single sign-on from an external identity provider into Okta' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The [Okta_InboundOrgSSO](/opengraph/extensions/okta/edges/okta_inboundorgsso) and Okta_InboundSSO hybrid edges connect external tenants and users to Okta entities: - -```mermaid -graph LR - t1("AZTenant Contoso") - idp1("Okta_IdentityProvider Microsoft Login") - u1("AZUser alice\@contoso.com") - ou1("Okta_User alice\@contoso.com") - t1 -- Okta_InboundOrgSSO --> idp1 - u1 -- Okta_InboundSSO --> ou1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx deleted file mode 100644 index a7d250c..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_kerberossso.mdx +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: 'Okta_KerberosSSO' -description: 'Agentless desktop SSO relationship from on-prem AD user account to Okta AD application' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -Hybrid traversable Okta_KerberosSSO edges represent [agentless desktop SSO](https://help.okta.com/en-us/content/topics/directory/ad-dsso-about-workflow.htm) trust from an on-prem AD User account to an AD-backed [Okta_Application](/opengraph/extensions/okta/nodes/okta_application). - -```mermaid -graph LR - subgraph ad["Active Directory"] - d1("Domain contoso.com") - u1("User SPN:HTTP/contoso.kerberos.okta.com") - u2("User jane.doe\@contoso.com") - d1 -- "Contains" --> u1 - d1 -- "Contains" --> u2 - end - subgraph okta["Okta"] - app1("Okta_Application contoso.com") - u3("Okta_User jane.doe\@contoso.com") - app1 -. Okta_UserPull .-> u3 - end - u1 -- Okta_KerberosSSO --> app1 - u2 -. Okta_UserSync .-> u3 -``` 
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx deleted file mode 100644 index b4e5b35..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_keyof.mdx +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: 'Okta_KeyOf' -description: 'JSON Web Key associated with an Okta application' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_KeyOf edges represent the relationships between applications [Okta_Application](/opengraph/extensions/okta/nodes/okta_application) and their JWKs: - -```mermaid -graph LR - app1("Okta_Application OpenHound Okta Collector") - app2("Okta_Application Security Scanner") - key1("Okta_JWK ABC123") - key2("Okta_JWK DEF456") - key3("Okta_JWK GHI789") - key1 -- Okta_KeyOf --> app1 - key2 -- Okta_KeyOf --> app2 - key3 -- Okta_KeyOf --> app2 -``` - -Possession of the private key corresponding to a JWK allows an attacker to authenticate as the application. The Okta_KeyOf edge can be used in BloodHound to understand which applications use JWK-based authentication and trace potential attack paths involving compromised private keys. diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx deleted file mode 100644 index 14e6f34..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_manageapp.mdx +++ /dev/null 
@@ -1,24 +0,0 @@
----
-title: 'Okta_ManageApp'
-description: 'Ability to manage scoped Okta applications'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable Okta_ManageApp edges correspond to the `okta.apps.manage` custom role permissions that allow a principal (user, group, or application) to fully manage Okta applications and their members.
-
-```mermaid
-graph LR
- u1("Okta_User john\@contoso.com")
- g1("Okta_Group App Operators")
- app1("Okta_Application GitHub")
- app2("Okta_Application Salesforce")
- u1 -- Okta_ManageApp --> app1
- g1 -- Okta_ManageApp --> app2
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx
deleted file mode 100644
index d7b034a..0000000
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_managerof.mdx
+++ /dev/null
@@ -1,31 +0,0 @@ ---- -title: 'Okta_ManagerOf' -description: 'Manager relationship between Okta users' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -Okta uses the `Manager` and `ManagerId` user profile attributes to represent managerial relationships. Unfortunately, these attributes can have any arbitrary value and their referential integrity is not enforced by Okta. They are not even synchronized from external directories by default. - -Our recommendation is to map the `ManagerId` attribute to the login of the manager in Okta. When synchronizing users from Active Directory, the `getManagerUser("active_directory").login` mapping expression can be used to achieve this. Such values are automatically recognized by the OpenHound Okta collector. - -The **non-traversable** Okta_ManagerOf edges represent the organizational structure in BloodHound: - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - u3("Okta_User mary\@contoso.com") - u4("Okta_User bob\@contoso.com") - u5("Okta_User alice\@contoso.com") - u1 -. Okta_ManagerOf .-> u2 - u1 -. Okta_ManagerOf .-> u3 - u3 -. Okta_ManagerOf .-> u4 - u3 -. Okta_ManagerOf .-> u5 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx deleted file mode 100644 index b23dd95..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_memberof.mdx +++ /dev/null 
@@ -1,27 +0,0 @@
----
-title: 'Okta_MemberOf'
-description: 'Membership of a user in an Okta group'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable Okta_MemberOf edges represent the membership relationships between users and groups in Okta:
-
-```mermaid
-graph LR
- u1("Okta_User john\@contoso.com")
- u2("Okta_User steve\@contoso.com")
- u3("Okta_User mary\@contoso.com")
- g1("Okta_Group Marketing")
- g2("Okta_Group Sales")
- u1 -- Okta_MemberOf --> g1
- u2 -- Okta_MemberOf --> g1
- u2 -- Okta_MemberOf --> g2
- u3 -- Okta_MemberOf --> g2
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx
deleted file mode 100644
index 1637d18..0000000
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_membershipsync.mdx
+++ /dev/null
@@ -1,52 +0,0 @@ ---- -title: 'Okta_MembershipSync' -description: 'Bidirectional synchronization between Okta groups and external groups' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable hybrid Okta_MembershipSync edges represent the synchronization relationships between groups in external directories and their corresponding groups in Okta: - -```mermaid -graph TB - subgraph ad["Active Directory"] - adg1("Group IT") - adg2("Group HR") - end - subgraph okta["Okta Org A"] - g1("Okta_Group IT") - g2("Okta_Group HR") - adg1 -- Okta_MembershipSync --> g1 - g2 -- Okta_MembershipSync --> adg2 - end - subgraph okta2["Okta Org B"] - g3("Okta_Group IT") - g1 -- Okta_MembershipSync --> g3 - end -``` - -```mermaid -graph LR - subgraph source_org["Okta Org Contoso"] - u1("Okta_User alice\@contoso.com") - g1("Okta_Group IT") - app1("Okta_Application Adatum Org2Org App") - end - subgraph target_org["Okta Org Adatum"] - u2("Okta_User alice\@adatum.com") - g2("Okta_Group IT") - app2("Okta_Application Contoso Sync API Service") - end - u1 -->|Okta_MemberOf| g1 - u1 .->|Okta_UserSync| u2 - u1 .->|Okta_UserPush| app1 - u2 -->|Okta_MemberOf| g2 - g1 .->|Okta_GroupPush| app1 - g1 -->|Okta_MembershipSync| g2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx deleted file mode 100644 index 3e25dc0..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_mobileadmin.mdx +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -title: 'Okta_MobileAdmin' -description: 'Mobile administrator role assignment' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_MobileAdmin edges represent Mobile Administrator role assignments. Mobile Administrators can manage mobile device settings and configurations within their assigned scope. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - d1("Okta_Device Alice's iPhone") - d2("Okta_Device Bob's MacBook") - u1 -- Okta_MobileAdmin --> d1 - u1 -- Okta_MobileAdmin --> d2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx deleted file mode 100644 index 9940df9..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_orgadmin.mdx +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: 'Okta_OrgAdmin' -description: 'Organization administrator role assignment' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_OrgAdmin edges represent Organization Administrator role assignments. Organization Administrators can manage most organizational settings except for administrative role assignments and some security settings. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - g1("Okta_Group IT") - d1("Okta_Device John's MacBook") - u1 -- Okta_OrgAdmin --> u2 - u1 -- Okta_OrgAdmin --> g1 - u1 -- Okta_OrgAdmin --> d1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx deleted file mode 100644 index 43055ae..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_orgswa.mdx +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -title: 'Okta_OrgSWA' -description: 'Secure Web Authentication from an Okta application to an external organization' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable Okta_OrgSWA edges represent the Secure Web Authentication (SWA) relationships between Okta applications and supported external organizations or tenants. SWA stores user credentials in Okta and automatically fills them in when users access the application, which is less secure than federated SSO protocols. - -```mermaid -graph LR - subgraph okta["OpenHound Okta"] - direction TB - o("Okta_Organization contoso.okta.com") - app1("Okta_Application Jamf Pro SWA") - o -- Okta_Contains --> app1 - end - subgraph "Jamf" - direction TB - jamf("jamf_SSOIntegration contoso.jamfcloud.com-SSO") - app1 -. Okta_OrgSWA .-> jamf - end -``` - -The respective BloodHound collectors, e.g., OpenHound Github for GitHub organizations and OpenHound Jamf for Jamf Pro tenants, must be used to gather the external node information. diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx deleted file mode 100644 index ab9b1bd..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundorgsso.mdx +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: 'Okta_OutboundOrgSSO' -description: 'Single sign-on from an Okta application to an external organization' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_OutboundOrgSSO edges represent the Single Sign-On (SSO) relationships between Okta applications and supported external organizations or tenants, such as GitHub Enterprise or Jamf Pro, using SAML 2.0 or OIDC protocols. - -```mermaid -graph LR - subgraph okta["OpenHound Okta"] - direction TB - o("Okta_Organization contoso.okta.com") - app1("Okta_Application GitHub Enterprise Cloud") - app2("Okta_Application Jamf Pro SAML") - o -- Okta_Contains --> app1 - o -- Okta_Contains --> app2 - end - subgraph "GitHub" - direction TB - ghorg("GH_Organization Contoso") - app1 -- Okta_OutboundOrgSSO --> ghorg - end - subgraph "Jamf" - direction TB - jamf("jamf_SSOIntegration contoso.jamfcloud.com-SSO") - app2 -- Okta_OutboundOrgSSO --> jamf - end -``` - -The respective BloodHound collectors, e.g., OpenHound Github for GitHub organizations and OpenHound Jamf for Jamf Pro tenants, must be used to gather the external node information. diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx deleted file mode 100644 index 050131b..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_outboundsso.mdx +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -title: 'Okta_OutboundSSO' -description: 'Single sign-on from Okta to an external identity provider' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable hybrid Okta_OutboundSSO edges represent Single Sign-On relationships between Okta users and their linked accounts in external applications using federated authentication (SAML 2.0 or OIDC). - -```mermaid -graph LR - subgraph okta["Okta"] - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - end - subgraph github["GitHub"] - ghu1("GH_User john\@contoso.com") - ghu2("GH_User alice\@contoso.com") - end - subgraph jamf["Jamf"] - jamfu1("jamf_Account john\@contoso.com") - end - subgraph snowflake["Snowflake"] - snu1("SNOW_User john\@contoso.com") - end - u1 -- Okta_OutboundSSO --> ghu1 - u1 -- Okta_OutboundSSO --> jamfu1 - u2 -- Okta_OutboundSSO --> ghu2 - u1 -- Okta_OutboundSSO --> snu1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx deleted file mode 100644 index 0de6bc3..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_passwordsync.mdx +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -title: 'Okta_PasswordSync' -description: 'Password synchronization between user accounts via AD integration, Org2Org, or SCIM' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_PasswordSync edge represents password synchronization between user accounts. This indicates that credentials are synchronized from a source user to a target user. - -In **Active Directory** hybrid setups, this edge is created between User (AD) and [Okta_User](/opengraph/extensions/okta/nodes/okta_user) when delegated authentication or password push is enabled. In **Org2Org** setups, this edge is created between [Okta_User](/opengraph/extensions/okta/nodes/okta_user) nodes across organizations when password synchronization is configured. - - -The Okta API does not indicate if the actual password or a randomly generated value is pushed to the other organization. - -### Active Directory Hybrid - -```mermaid -graph LR - subgraph ad["Active Directory"] - adu1("User john\@contoso.com") - end - subgraph okta["Okta"] - u1("Okta_User john\@contoso.com") - adu1 -->|Okta_PasswordSync| u1 - adu1 .->|Okta_UserSync| u1 - end -``` - -### Org2Org - -```mermaid -graph LR - subgraph source_org["Okta Org Contoso"] - u1("Okta_User alice\@contoso.com") - app1("Okta_Application Adatum Org2Org App") - end - subgraph target_org["Okta Org Adatum"] - u2("Okta_User alice\@adatum.com") - idp2("Okta_IdentityProvider Contoso Org2Org OIDC") - app2("Okta_Application Contoso Sync API Service") - end - u1 -->|Okta_PasswordSync| u2 - u1 -->|Okta_OutboundSSO| u2 - u1 .->|Okta_UserSync| u2 - u1 .->|Okta_UserPush| app1 - u1 .->|Okta_AppAssignment| app1 - app1 -->|Okta_ReadPasswordUpdates| u1 - app1 -->|Okta_OutboundOrgSSO| idp2 - idp2 -->|Okta_IdentityProviderFor| u2 -``` 
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx deleted file mode 100644 index b2578ab..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_policymapping.mdx +++ /dev/null @@ -1,41 +0,0 @@ ---- -title: 'Okta_PolicyMapping' -description: 'Association of a policy with an Okta application' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The non-traversable Okta_PolicyMapping edges represent the association between a policy and the resources to which it is applied. - - -Only application targets are supported in the current version of the Okta BloodHound extension. - -```mermaid -graph LR - o["Okta_Organization contoso.okta.com"] - p1["Okta_Policy Idp Discovery Policy {Type: 'IDP_DISCOVERY'}"] - p2["Okta_Policy Active Directory Policy {Type: 'PASSWORD'}"] - p3["Okta_Policy Okta Admin Console {Type: 'ACCESS_POLICY'}"] - p4["Okta_Policy Any two factors {Type: 'ACCESS_POLICY'}"] - p5["Okta_Policy Default Policy {Type: 'PROFILE_ENROLLMENT'}"] - a1["Okta_Application Okta Admin Console"] - a2["Okta_Application Salesforce"] - a3["Okta_Application Intranet Portal"] - o -->|Okta_Contains| p1 - o -->|Okta_Contains| p2 - o -->|Okta_Contains| p3 - p3 -->|Okta_PolicyMapping| a1 - o -->|Okta_Contains| p4 - p4 -->|Okta_PolicyMapping| a2 - p4 -->|Okta_PolicyMapping| a3 - o -->|Okta_Contains| p5 - p5 -->|Okta_PolicyMapping| a1 - p5 -->|Okta_PolicyMapping| a2 - p5 -->|Okta_PolicyMapping| a3 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx deleted file mode 100644 index 9a046cb..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_readclientsecret.mdx +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: 'Okta_ReadClientSecret' -description: 'Ability to read client secrets for scoped Okta applications' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_ReadClientSecret edges represent permissions that allow a principal (user, group, or application) to read OAuth client secrets for scoped Okta applications. These edges are created for the **Application Administrator**, **API Access Management Administrator**, and **Read-only Administrator** built-in roles and for custom roles with the `okta.apps.clientCredentials.read` permission. - -```mermaid -graph TD - org("Okta_Organization contoso.okta.com") - u1("Okta_User john\@contoso.com") - g1("Okta_Group Auditors") - app1("Okta_Application HR Sync") - secret1("Okta_ClientSecret abcdefgh") - r1("Okta_Role Read-only Administrator") - u1 -- Okta_MemberOf --> g1 - g1 -- Okta_ReadClientSecret --> secret1 - secret1 -- Okta_SecretOf --> app1 - app1 -- Okta_SuperAdmin --> org - g1 -. Okta_HasRole .-> r1 -``` - -## Potential Attack Scenarios - -An attacker with the ability to read client secrets for an application assigned the Super Administrator role could potentially use the client secret to authenticate as that application and perform privileged actions in Okta. diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx deleted file mode 100644 index 61220c8..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_readpasswordupdates.mdx +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -title: 'Okta_ReadPasswordUpdates' -description: 'Application can read password updates over the SCIM protocol' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_ReadPasswordUpdates edges represent applications that can read password updates over SCIM. - -```mermaid -graph LR - org("Okta_Organization contoso.okta.com") - app("Okta_Application SCIM App") - user("Okta_User john\@contoso.com") - user2("Okta_User steve\@contoso.com") - app -- Okta_ReadPasswordUpdates --> user - user -- Okta_SuperAdmin --> org - user2 -- Okta_AppAdmin --> app -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx deleted file mode 100644 index a295da1..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_realmcontains.mdx +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: 'Okta_RealmContains' -description: 'Contains relationship between an Okta realm and its users' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_RealmContains edges represent containment relationships between realms and the users assigned to those realms. - -```mermaid -graph LR - r1("Okta_Realm EU") - r2("Okta_Realm US") - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - u3("Okta_User bob\@contoso.com") - r1 -- Okta_RealmContains --> u1 - r1 -- Okta_RealmContains --> u2 - r2 -- Okta_RealmContains --> u3 -``` - - -Okta Realms are currently not supported by BloodHound due to licensing restrictions. - diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx deleted file mode 100644 index 6759ca6..0000000 
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_resetfactors.mdx +++ /dev/null @@ -1,23 +0,0 @@ ---- -title: 'Okta_ResetFactors' -description: 'Ability to reset MFA factors for scoped Okta users' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_ResetFactors edges represent custom role permissions that allow a principal to reset MFA authenticators for scoped Okta users. These edges are created when a custom role includes the `okta.users.credentials.resetFactors` or `okta.users.credentials.manage` permissions. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - g1("Okta_Group Tier 1 Support") - g1 -- Okta_ResetFactors --> u1 - u2 -- Okta_ResetFactors --> u1 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx deleted file mode 100644 index 62b799c..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_resetpassword.mdx +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: 'Okta_ResetPassword' -description: 'Ability to reset passwords or temporary credentials for scoped Okta users' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_ResetPassword edges represent custom role permissions that allow a principal (user, group, or application) to reset passwords or temporary credentials for scoped Okta users. These edges are created when a custom role includes password management permissions such as `okta.users.credentials.resetPassword`, `okta.users.credentials.manage`, `okta.users.credentials.manageTemporaryAccessCode`, or `okta.users.manage`. - -```mermaid -graph LR - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - g1("Okta_Group Help Desk") - app1("Okta_Application Automation") - g1 -- Okta_ResetPassword --> u2 - g1 -- Okta_ResetFactors --> u2 - app1 -- Okta_ResetPassword --> u1 -``` - -The edge is calculated based on custom role scoping. - -```mermaid -graph TD - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - g1("Okta_Group Help Desk") - rs("Okta_ResourceSet Frontline Workers") - a("Okta_RoleAssignment Authentication Admins") - r("Okta_CustomRole Authentication Admins") - g1 -. Okta_HasRole .-> r - a -. Okta_ScopedTo .-> rs - g1 -. Okta_HasRoleAssignment .-> a - rs -- Okta_ResourceSetContains --> u2 - u1 -- Okta_MemberOf --> g1 - g1 -- Okta_ResetPassword --> u2 - g1 -- Okta_ResetFactors --> u2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx deleted file mode 100644 index 8e63d8e..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_resourcesetcontains.mdx +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: 'Okta_ResourceSetContains' -description: 'Membership of objects within an Okta resource set' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: true - -## General Information - -The traversable Okta_ResourceSetContains edges represent the membership relationships between resource sets and their member entities in Okta: - -```mermaid -graph LR - rs1("Okta_ResourceSet Sales Department Resources") - u1("Okta_User john\@contoso.com") - u2("Okta_User alice\@contoso.com") - g1("Okta_Group Sales Team") - a1("Okta_Application GitHub") - d1("Okta_Device John's MacBook") - rs1 -- Okta_ResourceSetContains --> u1 - rs1 -- Okta_ResourceSetContains --> g1 - rs1 -- Okta_ResourceSetContains --> a1 - rs1 -- Okta_ResourceSetContains --> d1 - u2 -- Okta_MemberOf --> g1 - rs1 -- Okta_ResourceSetContains --> u2 -``` - -Note that users can also be members of resource sets indirectly through group memberships. The intermediate group will not appear in the graph, but the user membership will be resolved by the collector. diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx deleted file mode 100644 index bd1bd55..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_scopedto.mdx +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: 'Okta_ScopedTo' -description: 'Scope relationship between a role assignment and its target' ---- - -Applies to BloodHound Enterprise and CE - -## Edge Schema - -Traversable: false - -## General Information - -The [Okta_HasRoleAssignment](/opengraph/extensions/okta/edges/okta_hasroleassignment) edges connect users, groups, and applications to their respective [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes. The Okta_ScopedTo edges connect the [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes to the resources they are scoped to, such as the organization or specific groups or applications. - -```mermaid -graph TB - ra1("Okta_RoleAssignment Help Desk Administrator") - ra2("Okta_RoleAssignment Super Administrator") - r1("Okta_Role Help Desk Administrator") - r2("Okta_Role Super Administrator") - u1("Okta_User john\@contoso.com") - u2("Okta_User steve\@contoso.com") - u3("Okta_User alice\@contoso.com") - g1("Okta_Group Seattle Help Desk") - g2("Okta_Group Seattle Office") - org("Okta_Organization contoso.okta.com") - - u1 -- Okta_MemberOf --> g1 - g1 -. Okta_HasRoleAssignment .-> ra1 - g1 -. Okta_HasRole .-> r1 - g1 -- Okta_HelpDeskAdmin --> u3 - u3 -- Okta_MemberOf --> g2 - ra1 -. Okta_ScopedTo .-> g2 - u2 -. Okta_HasRoleAssignment .-> ra2 - ra2 -. Okta_ScopedTo .-> org - u2 -- Okta_SuperAdmin --> org - u2 -. Okta_HasRole .-> r2 -``` diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx deleted file mode 100644 index a4c47f5..0000000 --- a/docs/official-docs/opengraph/extensions/okta/edges/okta_secretof.mdx +++ /dev/null 
@@ -1,26 +0,0 @@
----
-title: 'Okta_SecretOf'
-description: 'Client secret associated with an application or service integration'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable Okta_SecretOf edges represent the relationship between service applications or API service integrations and their associated client secrets, represented by the [Okta_ClientSecret](/opengraph/extensions/okta/nodes/okta_clientsecret) nodes.
-
-```mermaid
-graph LR
- is1("Okta_APIServiceIntegration Elastic Agent")
- is2("Okta_APIServiceIntegration Falcon Shield")
- cs1("Okta_ClientSecret pdWB5I2I1LJ_cUAzD9fB1w")
- cs2("Okta_ClientSecret lLRrn0i2tIa5YowaQuTdtQ")
- cs3("Okta_ClientSecret EpGPhXPYLxqY2JEWRjTSAQ")
- cs1 -- Okta_SecretOf --> is1
- cs2 -- Okta_SecretOf --> is2
- cs3 -- Okta_SecretOf --> is2
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx
deleted file mode 100644
index 6f6f70d..0000000
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_superadmin.mdx
+++ /dev/null
@@ -1,23 +0,0 @@
----
-title: 'Okta_SuperAdmin'
-description: 'Super administrator role assignment'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: true
-
-## General Information
-
-The traversable Okta_SuperAdmin edges represent Super Administrator role assignments to the Okta organization. Super Administrators have full access to all features and settings in the Okta organization.
-
-```mermaid
-graph LR
- u1("Okta_User john\@contoso.com")
- app1("Okta_Application Service Account")
- org("Okta_Organization contoso.okta.com")
- u1 -- Okta_SuperAdmin --> org
- app1 -- Okta_SuperAdmin --> org
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx
deleted file mode 100644
index f300144..0000000
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_swa.mdx
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: 'Okta_SWA'
-description: 'Secure Web Authentication from Okta to an external application'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable hybrid Okta_SWA edges represent Secure Web Authentication relationships between Okta users and their linked accounts in external applications. SWA stores user credentials in Okta and automatically fills them in, which is less secure than federated SSO.
-
-```mermaid
-graph LR
- subgraph okta["Okta"]
- u1("Okta_User john\@contoso.com")
- u2("Okta_User alice\@contoso.com")
- end
- subgraph op["1Password Business"]
- opu1("OP_User john\@contoso.com")
- opu2("OP_User alice\@contoso.com")
- end
- u1 -. Okta_SWA .-> opu1
- u2 -. Okta_SWA .-> opu2
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx
deleted file mode 100644
index 81328a7..0000000
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_userpull.mdx
+++ /dev/null
@@ -1,23 +0,0 @@
----
-title: 'Okta_UserPull'
-description: 'Import of users from an external application'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The Okta_UserPull edges represent user import relationships from external applications to Okta.
-
-```mermaid
-graph LR
- app1("Okta_Application Workday")
- u1("Okta_User john\@contoso.com")
- u2("Okta_User alice\@contoso.com")
- app1 -. Okta_UserPull .-> u1
- app1 -. Okta_UserPull .-> u2
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx
deleted file mode 100644
index d2bf678..0000000
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_userpush.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: 'Okta_UserPush'
-description: 'Provisioning of users to an external application'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable Okta_UserPush edges represent user provisioning relationships from Okta to external applications. When configured, Okta can automatically create, update, or deactivate user accounts in integrated applications using protocols like SCIM or LDAP.
-
-```mermaid
-graph LR
- u1("Okta_User john\@contoso.com")
- u2("Okta_User alice\@contoso.com")
- app1("Okta_Application GitHub Enterprise Cloud")
- app2("Okta_Application Salesforce")
- u1 -. Okta_UserPush .-> app1
- u2 -. Okta_UserPush .-> app1
- u2 -. Okta_UserPush .-> app2
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx b/docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx
deleted file mode 100644
index 799625e..0000000
--- a/docs/official-docs/opengraph/extensions/okta/edges/okta_usersync.mdx
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: 'Okta_UserSync'
-description: 'Bidirectional synchronization between Okta users and external identities'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Edge Schema
-
-Traversable: false
-
-## General Information
-
-The non-traversable hybrid Okta_UserSync edges represent bidirectional user synchronization relationships between Okta and external directories or applications. These edges indicate that user accounts are linked and synchronized between systems.
-
-```mermaid
-graph LR
- subgraph ad["Active Directory"]
- adu1("User john\@contoso.com")
- end
- subgraph okta["Okta"]
- u1("Okta_User john\@contoso.com")
- adu1 -. Okta_UserSync .-> u1
- end
- subgraph snowflake["Snowflake"]
- snu1("SNOW_User john\@contoso.com")
- u1 -. Okta_UserSync .-> snu1
- end
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx
deleted file mode 100644
index b3dcaac..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_agent.mdx
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: 'Okta_Agent'
-description: 'A synchronization or authentication agent in Okta'
-icon: '/images/extensions/okta/okta_agent.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-The Okta_Agent node represents an Okta Agent, which is a component used in Okta's integration with on-premises systems. Okta Agents facilitate communication between the Okta cloud and on-premises applications or directories, enabling features such as single sign-on (SSO) and user provisioning.
-
-One or more agents are grouped into Agent Pools, represented by the [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) nodes, to provide redundancy and load balancing.
-
-![Active Directory Agent in BloodHound](/images/extensions/okta/bloodhound-ad-agent.png)
-
-## Sample Property Values
-
-```yaml
-id: a53xfufl4rqWcHhQo697
-name: LON-SRV01
-displayName: LON-SRV01
-poolId: 0oaxg9rhdd7ncGCXv697
-oktaDomain: contoso.okta.com
-poolName: contoso.local
-operationalStatus: DISRUPTED
-updateStatus: Cancelled
-type: AD
-version: 3.22.0
-lastConnection: 2026-01-15T02:29:40+00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx
deleted file mode 100644
index 7553eba..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_agentpool.mdx
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: 'Okta_AgentPool'
-description: 'A pool of synchronization or authentication agents in Okta'
-icon: '/images/extensions/okta/okta_agentpool.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-The Okta_AgentPool nodes represent Okta Agent Pools, which are collections of Okta Agents (represented as [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) nodes) that work together to provide high availability and load balancing for on-premises integrations.
-
-The following agent pool types are supported by Okta:
-
-| Agent Pool Type | Description |
-|-----------------|-------------|
-| AD | [Active Directory](https://help.okta.com/en-us/content/topics/directory/ad-agent-integration-implementation-options.htm) |
-| IWA | [Integrated Windows Authentication (Kerberos/NTLM)](https://help.okta.com/en-us/content/topics/directory/ad-iwa-learn.htm) |
-| LDAP | [Lightweight Directory Access Protocol](https://help.okta.com/en-us/content/topics/directory/ldap-agent-supported-directories.htm) |
-| RADIUS | [RADIUS authentication proxy](https://help.okta.com/en-us/content/topics/integrations/radius-best-pract-flow.htm) |
-| MFA | |
-| OPP | |
-| RUM | |
-
-The most common agent pool type is the Active Directory (AD) Agent Pool, which consists of one or more AD Agents that facilitate bi-directional object synchronization between Okta and on-premises Active Directory environments.
-
-![Okta AD Agent Pools displayed in BloodHound](/images/extensions/okta/bloodhound-ad-agent-pool.png)
-
-## Sample Property Values
-
-```yaml
-id: 0oaxg9rhdd7ncGCXv697_pool
-name: contoso.local
-displayName: contoso.local
-oktaDomain: contoso.okta.com
-operationalStatus: DISRUPTED
-type: AD
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx
deleted file mode 100644
index 5883e96..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_apiserviceintegration.mdx
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: 'Okta_ApiServiceIntegration'
-description: 'An API service integration'
-icon: '/images/extensions/okta/okta_apiserviceintegration.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-API service integrations in Okta represent OAuth 2.0 service (daemon) applications that can be granted machine-to-machine access to Okta APIs. There are some important differences between API service integrations and [regular OIDC service applications in Okta](/opengraph/extensions/okta/nodes/okta_application):
-
-| Feature | Service Applications | API Service Integrations |
-|----------------------------------------------|----------------------|--------------------------|
-| Can be created manually: | ✅ | ❌ |
-| Can be added from the OIN Catalog: | ✅ | ✅ |
-| Require role assignments: | ✅ | ❌ |
-| Support authentication using client secrets: | ✅ | ✅ |
-| Support authentication using private keys: | ✅ | ❌ |
-| Admins can read cleartext client secrets: | ✅ | ❌ |
-
-Okta API service integrations are represented as Okta_ApiServiceIntegration nodes.
-
-## Sample Property Values
-
-```yaml
-id: 0oaz7jy5f2oXnvtmN697
-name: Falcon Shield
-displayName: Falcon Shield
-oktaDomain: contoso.okta.com
-appType: falconshieldapiservice
-oauthScopes:
- - okta.users.read
- - okta.oauthIntegrations.read
- - okta.threatInsights.read
- - okta.devices.read
- - okta.apiTokens.read
- - okta.roles.read
- - okta.logs.read
- - okta.groups.read
- - okta.apps.read
- - okta.domains.read
- - okta.factors.read
- - okta.authenticators.read
- - okta.policies.read
- - okta.networkZones.read
- - okta.features.read
-createdAt: 2026-01-15T12:25:42.000Z
-```
-
-## Integration OAuth 2.0 Scopes
-
-Each API service integration comes with a pre-defined set of OAuth 2.0 scopes to access Okta APIs:
-
-![Okta API service integration scopes in BloodHound](/images/extensions/okta/bloodhound-api-service-integration-scopes.png)
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx
deleted file mode 100644
index 1799971..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_apitoken.mdx
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: 'Okta_ApiToken'
-description: 'A secret used by users to authenticate to the Okta API'
-icon: '/images/extensions/okta/okta_apitoken.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-API tokens (also known as SSWS tokens) in Okta are used to authenticate and authorize access to the Okta API. They are typically used by applications and scripts that need to interact with Okta programmatically.
-
-These tokens are always associated with a specific user in Okta, and the permissions of the token are determined by the role assignments of that user. For example, if a user has the Super Administrator role, any API token generated by that user will have full access to all API endpoints. Moreover, the long-lived API tokens are typically stored in plaintext in application configuration files or environment variables, making them a high-value target for attackers.
-
-The use of API tokens is generally discouraged in favor of OAuth 2.0 access tokens, as they provide better security and flexibility. However, API tokens are still widely used by Okta customers.
-
-Okta API tokens are represented as Okta_ApiToken nodes in BloodHound.
-
-## Sample Property Values
-
-```yaml
-id: 00T36fk75smeJybKx697
-name: Postman
-displayName: Postman
-oktaDomain: contoso.okta.com
-userId: 00uw0o8iizq37KgKP697
-clientName: Okta API
-created: 2025-10-03T10:08:09+00:00
-lastUpdated: 2026-01-31T20:22:42+00:00
-expiresAt: 2026-03-02T20:22:42+00:00
-networkConnection: ANYWHERE
-tokenWindow: 30.00:00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx
deleted file mode 100644
index f7d6a11..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_application.mdx
+++ /dev/null
@@ -1,325 +0,0 @@
----
-title: 'Okta_Application'
-description: 'An application registered in Okta, such as a SAML app or an OIDC app'
-icon: '/images/extensions/okta/okta_application.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Applications in Okta represent the various software applications and services that users can access through the Okta organization. Applications can be configured to use different authentication methods, such as SAML, OIDC, or SWA. These protocols can either be configured manually by administrators or automatically by adding an application from Okta's App Integration Catalog, which provides a wide range of pre-configured cloud and on-premises application templates.
-
-With the exception of API Service applications, Okta users and groups can be assigned to applications. Users can also be synchronized TO and FROM applications in Okta, typically using the SCIM protocol. For example, when integrating with GitHub Enterprise Cloud, Okta can be configured to automatically create user accounts in GitHub when users are assigned to the GitHub application in Okta.
-
-Okta applications are represented as Okta_Application nodes.
-
-## Sample Property Values
-
-### Github Cloud
-
-```yaml
-id: 0oawyp12cjglrkfId697
-name: Github Contoso
-appType: githubcloud
-displayName: Github Contoso
-features: []
-githubOrg: Contoso
-hasRoleAssignments: false
-oktaDomain: contoso.okta.com
-signOnMode: SAML_2_0
-status: ACTIVE
-userNameMapping: ${source.login}
-created: 2025-10-31T06:08:00+00:00
-lastUpdated: 2025-10-31T06:08:01+00:00
-```
-
-### Google Workspace
-
-```yaml
-id: 0oax4r57x0V5NHL2W697
-afwOnly: false
-appType: google
-displayName: Google Workspace
-domain: contoso.com
-features: []
-hasRoleAssignments: false
-name: Google Workspace
-oktaDomain: contoso.okta.com
-signOnMode: SAML_2_0
-status: ACTIVE
-userNameMapping: ${source.login}
-created: 2025-11-05T09:06:48+00:00
-lastUpdated: 2025-11-05T09:07:21+00:00
-```
-
-### Jamf Pro SAML
-
-```yaml
-id: 0oax4r3ud0J2WjlNh697
-appType: jamfsoftwareserver
-displayName: Jamf Pro SAML
-domain: contoso.jamfcloud.com
-features: []
-hasRoleAssignments: false
-name: Jamf Pro SAML
-oktaDomain: contoso.okta.com
-signOnMode: SAML_2_0
-status: ACTIVE
-userNameMapping: ${source.login}
-created: 2025-11-05T09:10:52+00:00
-lastUpdated: 2026-01-19T14:33:39+00:00
-```
-
-### OpenHound Okta Collector
-
-```yaml
-id: 0oaw0pujq5WtBiMYD697
-name: OpenHound Okta Collector
-appType: oidc_client
-clientType: service
-displayName: OpenHound Okta Collector
-features: []
-grantTypes:
- - client_credentials
-hasRoleAssignments: true
-oauthScopes:
- - okta.trustedOrigins.read
- - okta.policies.read
- - okta.linkedObjects.read
- - okta.authModes.read
- - okta.templates.read
- - okta.apiTokens.read
- - okta.factors.read
- - okta.brands.read
- - okta.authenticators.read
- - okta.uischemas.read
- - okta.logs.read
- - okta.groups.read
- - okta.identitySources.read
- - okta.users.read
- - okta.orgs.read
- - okta.threatInsights.read
- - okta.pushProviders.read
- - okta.apps.read
- - ssf.read
- - okta.roles.read
- - okta.networkZones.read
- - okta.emailDomains.read
- - okta.manifests.read
- - okta.oauthIntegrations.read
- - okta.domains.read
- - okta.deviceAssurance.read
- - okta.reports.read
- - okta.authorizationServers.read
- - okta.enduser.read
- - okta.schemas.read
- - okta.idps.read
- - okta.agentPools.read
- - okta.appGrants.read
- - okta.inlineHooks.read
- - okta.certificateAuthorities.read
- - okta.devices.read
- - okta.behaviors.read
- - okta.profileMappings.read
- - okta.captchas.read
- - okta.clients.read
- - okta.features.read
- - okta.sessions.read
- - okta.userTypes.read
-oktaDomain: integrator-5415459.okta.com
-signOnMode: OPENID_CONNECT
-status: ACTIVE
-userNameMapping: ${source.login}
-created: 2025-10-02T10:11:20+00:00
-lastUpdated: 2025-10-02T10:26:27+00:00
-```
-
-### Active Directory Integration
-
-```yaml
-id: 0oaxg9rhdd7ncGCXv697
-name: contoso.local
-appType: active_directory
-displayName: contoso.local
-domainSid: S-1-5-21-71365889-924527929-2677699343
-features:
- - IMPORT_PROFILE_UPDATES
- - PROFILE_MASTERING
- - OUTBOUND_DEL_AUTH
- - IMPORT_USER_SCHEMA
- - IMPORT_NEW_USERS
-filterGroupsByOU: false
-hasRoleAssignments: false
-namingContext: contoso.local
-oktaDomain: contoso.okta.com
-status: ACTIVE
-created: 2025-11-14T12:50:42+00:00
-lastUpdated: 2026-01-31T15:12:24+00:00
-```
-
-## User Name Mapping
-
-User name mapping from Okta to SAML 2.0, OpenID Connect (OIDC), and Secure Web Authentication (SWA) applications is configurable in the Okta Admin Console, with the default setting being the Okta username pass-through, i.e., `${source.login}`.
-
-| Application username format | Mapping template |
-|-------------------------------|-------------------------------------------------------------|
-| Okta username | `${source.login}` |
-| Email | `${source.email}` |
-| Okta username prefix | `${fn:substringBefore(source.login, "@")}` |
-| Email prefix | `${fn:substringBefore(source.email, "@")}` |
-| AD Employee ID | `${source.employeeID}` |
-| AD SAM account name | `${source.samAccountName}` |
-| AD SAM account name + domain | `${source.samAccountName}@${source.instance.namingContext}` |
-| AD user principal name | `${source.userName}` |
-| AD user principal name prefix | `${fn:substringBefore(source.userName, "@")}` |
-| (None) | `NONE` |
-| Custom | ? |
-
-## API Service Applications
-
-This application type is the most interesting one from the security perspective, as it represents OAuth 2.0 service (daemon) applications that can be granted machine-to-machine access to Okta APIs, without any user interaction. These applications can be assigned administrative roles, e.g., Super Admin, and OAuth 2.0 scope grants, e.g., `okta.users.manage`. Any API operation must be allowed by both the assigned roles and the granted scopes.
-
-![Okta Application scopes and roles in BloodHound](/images/extensions/okta/bloodhound-app-scopes.png)
-
-## Hybrid Edges
-
-For supported systems like Active Directory, GitHub Enterprise Cloud, or Jamf Pro, OpenHound can create hybrid edges in BloodHound to represent the relationships between these external systems and Okta.
-
-```mermaid
-graph TB
- subgraph ad["Active Directory"]
- direction LR
- domain("Domain contoso.com")
- adu1("User john\@contoso.com")
- adu2("User steve\@contoso.com")
- adg1("Group IT")
- domain -- Contains --> adu1
- domain -- Contains --> adu2
- domain -- Contains --> adg1
- adu1 -- MemberOf --> adg1
- end
- subgraph okta["Okta"]
- direction LR
- org("Okta_Organization contoso.okta.com")
- u1("Okta_User john\@contoso.com")
- u2("Okta_User steve\@contoso.com")
- g1("Okta_Group IT")
- gha("Okta_Application GitHub Enterprise Cloud")
- jmfa("Okta_Application Jamf Pro SAML")
- org -- Okta_Contains --> u1
- org -- Okta_Contains --> u2
- org -- Okta_Contains --> g1
- u1 -- Okta_MemberOf --> g1
- u2 -- Okta_AppAdmin --> gha
- g1 -. Okta_AppAssignment .-> gha
- u1 -. Okta_AppAssignment .-> jmfa
- end
- subgraph gh["GitHub Enterprise Cloud"]
- direction LR
- ghorg("GH_Organization Contoso")
- ghu1("GH_User john\@contoso.com")
- ghorg -- GH_Contains --> ghu1
- end
- subgraph jamf["Jamf Pro Cloud"]
- direction LR
- jamft("jamf_SSOIntegration contoso.jamfcloud.com-SSO")
- jmfu1("jamf_Account john\@contoso.com")
- end
- adu1 -. Okta_UserSync .-> u1
- adu2 -. Okta_UserSync .-> u2
- adg1 -- Okta_MembershipSync --> g1
- gha -- Okta_OutboundOrgSSO --> ghorg
- jmfa -- Okta_OutboundOrgSSO --> jamft
- u1 -- Okta_OutboundSSO --> ghu1
- u1 -- Okta_OutboundSSO --> jmfu1
-```
-
-### Active Directory Synchronization
-
-When Okta's Active Directory (AD) integration is configured for user and group synchronization, the connected AD domain is represented as an Okta_Application node in BloodHound. This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles.
-
-The synchronization is performed by domain-joined servers with the Okta AD Agent installed. This agent typically has Domain Admin privileges in the connected AD domain to perform user and group enumeration and synchronization, making it a high-value target for attackers.
-
-![Okta AD agent settings](/images/extensions/okta/okta-ad-agent.png)
-
-Authentication can be delegated from Okta to AD in multiple ways:
-
-- [Agentless Desktop SSO](https://help.okta.com/oie/en-us/content/topics/directory/ad-dsso-about-workflow.htm)
-- [Password Synchronization](https://help.okta.com/oie/en-us/content/topics/directory/installing_configuring_active_directory_password_sync_agent.htm)
-Active Directory Federation Services (ADFS) integration with Okta as a SAML IdP
-
-
-There is no documented API available to determine the authentication delegation method(s) configured for an AD-backed Okta application. The collector therefore performs some heuristics that might not be 100% accurate in all cases.
-
-### GitHub Enterprise Cloud Organizations
-
-When integrating Okta with GitHub Enterprise Cloud, each GitHub organization connected to Okta is represented as a separate Okta_Application node in BloodHound.
-
-![Properties of the GitHub Application node](/images/extensions/okta/bloodhound-github-properties.png)
-
-### Jamf Pro
-
-When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate Okta_Application node in BloodHound. The differentiator is the `domainFQDN` property:
-
-![Jamf Pro SAML application in BloodHound](/images/extensions/okta/bloodhound-jamf-saml-properties.png)
-
-It is also possible to integrate Jamf Pro with Okta using Secure Web Authentication (SWA), but this option is less secure.
-
-![Jamf Pro SWA settings](/images/extensions/okta/app-jamf-swa.png)
-
-## Google Workspace
-
-Similarly to the Jamf Pro SAML applications, each Google Workspace (formerly G Suite) instance connected to Okta using SAML 2.0 is represented as a separate Okta_Application node in BloodHound and is identified by the `domainFQDN` property:
-
-![Google Workspace SAML application in BloodHound](/images/extensions/okta/bloodhound-google-saml-properties.png)
-
-The SAML 2.0 protocol should always be preferred to SWA when integrating Okta with Google Workspace:
-
-![Google Workspace sign-in protocol settings](/images/extensions/okta/app-google-protocol-selector.png)
-
-## Generic SAML 2.0 Applications
-
-The assertion consumer service (ACS) URLs of generic (non-Catalog) Okta SAML 2.0 applications are exposed via the `url` attribute in BloodHound.
-
-![Okta SAML application in BloodHound](/images/extensions/okta/bloodhound-app-saml.png)
-
-## Generic Secure Web Authentication (SWA) Applications
-
-Secure Web Authentication (SWA) is an Okta technology that provides Single Sign-On (SSO) functionality to external web applications that don't support federated protocols. SWA applications store user credentials in Okta and automatically fill them in when users access the application through the Okta dashboard.
-
-The app's login page URL is exposed via the `url` attribute in BloodHound.
-
-![Okta SWA application in BloodHound](/images/extensions/okta/bloodhound-app-swa.png)
-
-## Generic OpenID Connect (OIDC) Applications
-
-Okta supports three types of OIDC applications:
-
-- Web Application
-- Single-Page Application (SPA)
-- Native Application
-
-The default redirect URI of generic (non-Catalog) Okta OIDC single-page applications (SPAs) starts with `http://localhost:8080/`, making it hard to identify the actual application address. The optional Okta-initiated sign-in flow URL is therefore exposed in the `url` attribute in BloodHound instead, if configured.
-
-OIDC applications can be granted OAuth 2.0 scopes to access Okta APIs on behalf of users:
-
-![Okta application OIDC grants](/images/extensions/okta/app-oidc-grants.png)
-
-## SCIM-Enabled Applications
-
-The `features` attribute of Okta_Application nodes may contain the following SCIM-related values, indicating if SCIM is enabled and which protocol capabilities are supported:
-
-| Feature | Description |
-|------------------------------|--------------------------------------------------------------------------------|
-| PUSH_NEW_USERS | Supports pushing new users from Okta to the application |
-| PUSH_PASSWORD_UPDATES | Supports pushing password updates from Okta to the application |
-| PUSH_PENDING_USERS | Supports pushing users from Okta to the application in pending state |
-| PUSH_PROFILE_UPDATES | Supports pushing profile updates from Okta to the application |
-| PUSH_USER_DEACTIVATION | Supports pushing user deactivation from Okta to the application |
-| REACTIVATE_USERS | Supports reactivating users in the application from Okta |
-| IMPORT_NEW_USERS | Supports importing new users into Okta from the application |
-| OPP_SCIM_INCREMENTAL_IMPORTS | Supports incremental imports of users from the application into Okta |
-| IMPORT_PROFILE_UPDATES | Updates a linked user's app profile in Okta during manual or scheduled imports |
-| GROUP_PUSH | Supports pushing groups and group memberships from Okta to the application |
-| PROFILE_MASTERING | Supports profile mastering in Okta, allowing the application to be the source of truth for user profiles |
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx
deleted file mode 100644
index e416116..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_authorizationserver.mdx
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: 'Okta_AuthorizationServer'
-description: 'An authorization server in Okta'
-icon: '/images/extensions/okta/okta_authorizationserver.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Authorization servers in Okta are used to issue OAuth 2.0 access tokens for API access. They define the scopes, claims, and access policies that control how tokens are issued and what permissions they grant. Each Okta organization has a default authorization server, and administrators can create additional custom authorization servers for specific use cases.
-
-Okta authorization servers are represented as Okta_AuthorizationServer nodes.
-
-
-The relationships between authorization servers and applications are currently not evaluated in BloodHound.
-
-## Sample Property Values
-
-```yaml
-id: ausz6ipkn4u0hDzyf697
-name: app creation
-displayName: app creation
-oktaDomain: contoso.okta.com
-status: INACTIVE
-issuer: https://contoso.okta.com/oauth2/ausz6ipkn4u0hDzyf697
-issuerMode: DYNAMIC
-audiences:
- - test
-created: 2026-01-14T15:41:28+00:00
-lastUpdated: 2026-01-14T16:09:30+00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx
deleted file mode 100644
index c336679..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_clientsecret.mdx
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: 'Okta_ClientSecret'
-description: 'A secret used by applications to authenticate to the Okta API'
-icon: '/images/extensions/okta/okta_clientsecret.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Client secrets are used by API service integrations and OIDC applications to authenticate with Okta and obtain access tokens.
-
-![Okta client secret creation](/images/extensions/okta/app-client-secret-creation.png)
-
-An application can have up to two client secrets configured, to allow for secret rotation.
-
-![Okta client secret rotation](/images/extensions/okta/app-client-secret-rotation.png)
-
-Client secrets are represented as Okta_ClientSecret nodes in BloodHound.
-
-
-For security reasons, the OpenHound and OktaHound collectors do not collect client secrets, only their hashed identifiers.
-
-## Sample Property Values
-
-```yaml
-id: ocsxqwizfyqsf0aVG697
-name: T1e6fl4jGqvPkgd94NKx5g
-displayName: T1e6fl4jGqvPkgd94NKx5g
-oktaDomain: contoso.okta.com
-status: ACTIVE
-created: 2025-11-24T12:24:08.000Z
-lastUpdated: 2025-11-24T12:24:08.000Z
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx
deleted file mode 100644
index 0e94243..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_customrole.mdx
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: 'Okta_CustomRole'
-description: 'A custom role in Okta created by an administrator'
-icon: '/images/extensions/okta/okta_customrole.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Custom roles can be created with specific [permissions](https://developer.okta.com/docs/api/openapi/okta-management/guides/permissions/) and then assigned to [users](/opengraph/extensions/okta/nodes/okta_user), [groups](/opengraph/extensions/okta/nodes/okta_group), and [applications](/opengraph/extensions/okta/nodes/okta_application) over [resource sets](/opengraph/extensions/okta/nodes/okta_resourceset). [Complex conditions](https://help.okta.com/oie/en-us/content/topics/security/custom-admin-role/permission-conditions.htm) can be used if the custom admin role has one of the following permissions:
-
-- okta.users.read
-- okta.users.manage
-- okta.users.create
-
-Custom roles are represented as Okta_CustomRole and [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) nodes, similar to built-in roles.
-
-## Sample Property Values
-
-```yaml
-id: cr0wwdjuk0w96MpFr697
-name: IAM Readers
-displayName: IAM Readers
-oktaDomain: contoso.okta.com
-created: 2025-10-29T12:45:55+00:00
-lastUpdated: 2025-10-30T13:35:36+00:00
-permissions:
- - okta.iam.read
-```
-
-## Abusable Permissions of Custom Roles in Okta
-
-The following Okta permissions are particularly interesting from an offensive security perspective, as they can be abused to escalate privileges in hybrid scenarios:
-
-- okta.users.manage
-- okta.users.credentials.manage
-- okta.users.credentials.resetFactors
-- okta.users.credentials.resetPassword
-- okta.users.credentials.expirePassword
-- okta.users.credentials.manageTemporaryAccessCode
-- okta.groups.manage
-- okta.groups.members.manage
-- okta.apps.manage
-- okta.apps.clientCredentials.read
-
-
-The research on abusable Okta permissions is still ongoing.
-
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx
deleted file mode 100644
index d10e0c2..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_device.mdx
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: 'Okta_Device'
-description: 'A device registered in Okta, such as a mobile phone or a computer'
-icon: '/images/extensions/okta/okta_device.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Devices in Okta represent the physical or virtual devices that users use to authenticate and access the Okta organization. Devices can optionally be managed by 3rd party MDM solutions, which allow administrators to enforce security compliance policies.
-
-Okta devices are represented as Okta_Device nodes.
-
-## Sample Property Values
-
-Windows device:
-
-```yaml
-id: 4C4C4544-0057-4C10-8057-C8C04F573934@contoso.okta.com
-name: PC01
-displayName: PC01
-oktaDomain: contoso.okta.com
-oktaId: guoxrzqh8jBxYxEeJ697
-created: 2025-11-25T11:01:53+00:00
-lastUpdated: 2026-02-17T08:55:45+00:00
-status: ACTIVE
-resourceType: UDDevice
-platform: WINDOWS
-manufacturer: Dell Inc.
-model: XPS 14 9440
-osVersion: 10.0.26200.7623
-registered: true
-secureHardwarePresent: true
-jailBreak: false
-udid: 4C4C4544-0057-4C10-8057-C8C04F573934
-objectSid: S-1-5-21-1084505731-826279434-3585917670
-serialNumber: HWLWW94
-```
-
-iOS device:
-
-```yaml
-id: guowq18eyhZaDlkkA697
-name: John's iPhone
-displayName: John's iPhone
-oktaDomain: contoso.okta.com
-oktaId: guowq18eyhZaDlkkA697
-status: ACTIVE
-resourceType: UDDevice
-platform: IOS
-manufacturer: APPLE
-model: iPhone17,1
-osVersion: 18.6.2
-registered: true
-secureHardwarePresent: true
-jailBreak: false
-created: 2025-10-23T17:16:46+00:00
-lastUpdated: 2025-10-23T17:16:47+00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx
deleted file mode 100644
index 6e8c114..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_group.mdx
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: 'Okta_Group'
-description: 'An Okta user group'
-icon: '/images/extensions/okta/okta_group.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Groups in Okta are collections of users that can be used to manage access to applications and resources. Groups can be created manually or synchronized from external directories such as Active Directory. The built-in **Everyone** group always contains all users in the Okta organization. Only users can be members of groups and groups cannot be nested.
-
-Okta groups are represented as Okta_Group nodes.
-
-## Sample Property Values
-
-Example of a group created directly in Okta:
-
-```yaml
-id: 00gxg12p4kFOkyXLb697
-name: Engineering
-displayName: Engineering
-description: Engineering department group
-oktaDomain: contoso.okta.com
-hasRoleAssignments: false
-oktaGroupType: OKTA_GROUP
-objectClass: okta:user_group
-created: 2025-11-14T08:00:25+00:00
-lastUpdated: 2025-11-14T08:00:25+00:00
-lastMembershipUpdated: 2025-11-14T08:00:25+00:00
-```
-
-Example of a group synchronized from Active Directory:
-
-```yaml
-id: 00gxga7s3yDJ71OzW697
-name: Sales
-displayName: Sales
-description: Sales department group
-oktaDomain: contoso.okta.com
-hasRoleAssignments: false
-oktaGroupType: APP_GROUP
-objectClass: okta:windows_security_principal
-objectSid: S-1-5-21-71365889-924527929-2677699343-2536
-distinguishedName: CN=Sales,CN=Groups,DC=contoso,DC=local
-samAccountName: Sales
-domainQualifiedName: CONTOSO\Sales
-groupScope: Global
-groupType: Security
-objectGuid: 4ab65ef0-ab82-4017-b5ee-1c20facd4d6a
-created: 2025-11-14T12:58:13+00:00
-lastUpdated: 2025-11-14T13:05:44+00:00
-lastMembershipUpdated: 2025-11-14T12:58:13+00:00
-```
-
-## Synchronization with External Directories
-
-Similarly to users, groups can also be synchronized from external directories.
The Okta API exposes the original Active Directory attributes:
-
-![Group synchronized from AD](/images/extensions/okta/bloodhound-ad-synced-group.png)
-
-Nested (transitive) group memberships in Active Directory are always flattened (resolved) when synchronized to Okta, as illustrated below:
-
-```mermaid
-graph TB
- subgraph ad["Active Directory"]
- ag1("Group A")
- ag2("Group B")
- u1("User 1")
- u2("User 2")
- u1 -- MemberOf --> ag1
- u2 -- MemberOf --> ag2
- ag2 -- MemberOf --> ag1
- end
- subgraph Okta
- og1("Okta_Group A")
- og2("Okta_Group B")
- u1o("Okta_User 1")
- u2o("Okta_User 2")
- u1o -- Okta_MemberOf --> og1
- u2o -- Okta_MemberOf --> og1
- u2o -- Okta_MemberOf --> og2
- end
- ad == Sync ==> Okta
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx
deleted file mode 100644
index 3473a29..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_identityprovider.mdx
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: 'Okta_IdentityProvider'
-description: 'An identity provider trusted by Okta for authentication'
-icon: '/images/extensions/okta/okta_identityprovider.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Identity Providers (IdPs) in Okta represent external authentication sources that can be used to authenticate users. These can include social identity providers (such as Google, Facebook, or Microsoft), enterprise identity providers using SAML or OIDC, or other Okta organizations in an Org2Org configuration.
-
-When users authenticate through an external identity provider, Okta can optionally create or link user accounts, enabling federated authentication across multiple systems.
-
-Okta identity providers are represented as Okta_IdentityProvider nodes.
-
-
-The inbound identity provider routing rules and JIT (Just-In-Time) provisioning settings are currently not evaluated.
-
-## Sample Property Values
-
-```yaml
-id: 0oazpi53t1cRNcPL4697
-name: Microsoft Entra ID
-displayName: Microsoft Entra ID
-oktaDomain: contoso.okta.com
-created: 2026-01-31T15:21:37+00:00
-issuerMode: DYNAMIC
-type: MICROSOFT
-enabled: false
-autoUserProvisioning: true
-governedGroupIds: []
-protocolType: OIDC
-url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx
deleted file mode 100644
index d7a72e8..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_jwk.mdx
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: 'Okta_JWK'
-description: 'An Okta JSON Web Key'
-icon: '/images/extensions/okta/okta_jwk.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-JSON Web Keys (JWKs) are used by OAuth 2.0 client applications to authenticate with Okta using the `private_key_jwt` client authentication method. This is an asymmetric authentication mechanism where the application possesses a private key and Okta stores the corresponding public key. A service application can have multiple JWKs configured for key rotation purposes.
-
-JWKs are represented as Okta_JWK nodes in BloodHound.
-
-## Sample Property Values
-
-```yaml
-id: pksw0py294dQ80EdI697
-name: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
-displayName: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
-oktaDomain: contoso.okta.com
-status: ACTIVE
-kid: ncxmNARybDrxlemwkrvyphCYQ2VwMG9cxV95jgVziZ4
-kty: RSA
-use: sig
-created: 2025-10-02T10:14:44Z
-lastUpdated: 2025-10-02T10:26:27Z
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx
deleted file mode 100644
index f9c60f1..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_organization.mdx
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: 'Okta_Organization'
-description: 'An Okta organization'
-icon: '/images/extensions/okta/okta_organization.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-The Organization entity represents the Okta tenant itself. It contains general information about the organization, such as its name, domain, and settings.
-
-The Okta organization is represented as a single Okta_Organization node.
-
-## Sample Property Values
-
-```yaml
-id: 00ow0o8if0CNwsKmk697
-name: contoso.okta.com
-displayName: Contoso
-oktaDomain: contoso.okta.com
-subdomain: contoso
-status: ACTIVE
-created: 2025-10-02T09:21:31+00:00
-lastUpdated: 2025-12-09T23:04:15+00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx
deleted file mode 100644
index d0fa4d1..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_policy.mdx
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: 'Okta_Policy'
-description: 'A policy defining rules for authentication, password, or other features in Okta'
-icon: '/images/extensions/okta/okta_policy.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Policies in Okta define the rules and conditions that govern authentication, authorization, and security behaviors within an organization. They control aspects such as password requirements, MFA enrollment, session management, and application access.
-
-Okta policies are represented as Okta_Policy nodes.
-
-## Sample Property Values
-
-```yaml
-id: rstw0o8il8ktUxo3t697
-name: Okta Account Management Policy
-displayName: Okta Account Management Policy
-oktaDomain: contoso.okta.com
-description: This policy defines how users must authenticate for authenticator enrollment, password reset, or unlock account. Password policy rules control whether to enforce this policy for password reset and unlock account.
-type: ACCESS_POLICY
-priority: 1
-system: false
-created: 2025-10-02T09:21:37+00:00
-```
-
-## Policy Types
-
-The following [policy types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) are supported by Okta:
-
-| Policy Type ID | Description |
-|----------------|-------------|
-| OKTA_SIGN_ON | [Global session policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-okta-sign-on-policies.htm) |
-| PASSWORD | [Password policies](https://help.okta.com/en-us/content/topics/security/policies/about-password-policies.htm) |
-| MFA_ENROLL | [Authenticator enrollment policies](https://help.okta.com/en-us/content/topics/security/policies/configure-mfa-policies.htm) |
-| IDP_DISCOVERY | [Identity Provider routing rules](https://help.okta.com/en-us/content/topics/security/identity_provider_discovery.htm) |
-| ACCESS_POLICY | [App sign-in policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/about-app-sign-on-policies.htm) |
-|
DEVICE_SIGNAL_COLLECTION | [Device signal collection policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/create-device-signal-collection-ruleset.htm) |
-| PROFILE_ENROLLMENT | [User profile policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/create-profile-enrollment-policy.htm) |
-| POST_AUTH_SESSION | [Identity Threat Protection policies](https://help.okta.com/oie/en-us/content/topics/itp/overview.htm) |
-| ENTITY_RISK | [Entity risk policies](https://help.okta.com/oie/en-us/content/topics/itp/entity-risk-policy.htm) |
-
-The OpenHound collector specifically reads the `IDP_DISCOVERY` policies to check if the [Agentless Desktop SSO](https://help.okta.com/en-us/content/topics/directory/configuring_agentless_sso.htm) feature is enabled in the organization through at least one such policy.
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx
deleted file mode 100644
index cc79f64..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_realm.mdx
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: 'Okta_Realm'
-description: 'An Okta realm'
-icon: '/images/extensions/okta/okta_realm.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Okta Realms are used to define authentication boundaries within an Okta organization. They allow administrators to segment users and applications based on different criteria, such as geographic location, business unit, or security requirements.
-
-Okta Realms are represented as Okta_Realm nodes.
-
-
-Okta Realms are currently not supported due to licensing restrictions.
-
-## Sample Property Values
-
-```yaml
-id: guor3k19x7pVQ6Abc0g7
-name: Car Co
-displayName: Car Co
-oktaDomain: contoso.okta.com
-type: PARTNER
-isDefault: false
-domains:
- - atko.com
- - user.com
-created: 2025-06-01T08:00:00.0000000+00:00
-lastUpdated: 2026-02-20T07:45:12.0000000+00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx
deleted file mode 100644
index 128db5c..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_resourceset.mdx
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: 'Okta_ResourceSet'
-description: 'A resource set containing users, groups, applications, and other Okta objects'
-icon: '/images/extensions/okta/okta_resourceset.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Resource sets are collections of entities that can be used to scope custom role assignments in Okta. A resource set can contain the following object types:
-
-- [x] [Users](/opengraph/extensions/okta/nodes/okta_user)
-- [x] [Groups](/opengraph/extensions/okta/nodes/okta_group)
-- [x] [Applications](/opengraph/extensions/okta/nodes/okta_application)
-- [x] [API Service Integrations](/opengraph/extensions/okta/nodes/okta_apiserviceintegration)
-- [x] [Devices](/opengraph/extensions/okta/nodes/okta_device)
-- [x] [Authorization servers](/opengraph/extensions/okta/nodes/okta_authorizationserver)
-- [x] [Identity Providers](/opengraph/extensions/okta/nodes/okta_identityprovider)
-- [x] [Policies](/opengraph/extensions/okta/nodes/okta_policy)
- - [x] Entity risk policy
- - [x] Session protection policy
- - [x] Authentication policy
- - [x] Global session policy
- - [x] End user account management policy
-- [ ] Shared Signals Framework (SSF) Receivers
-- [ ] ~~Workflows~~ (Gaps in the Okta API)
-- [ ] ~~Customizations~~ (Gaps in the Okta API)
-- [ ] ~~Support cases~~ (Gaps in the Okta API)
-- [ ] ~~Identity and Access Management Resources~~ (Gaps in the Okta API)
-
-
-Only the marked resource types are currently supported as resource set members. Some resource types, such as Workflows, are not accessible via the Okta API at all.
-
-![Okta Resource Set displayed in BloodHound](/images/extensions/okta/bloodhound-resource-set.png)
-
-Okta resource sets are represented as Okta_ResourceSet nodes.
-
-## Sample Property Values
-
-```yaml
-id: WORKFLOWS_IAM_POLICY@contoso.okta.com
-name: Workflows Resource Set
-displayName: Workflows Resource Set
-oktaDomain: contoso.okta.com
-description: A resource set managed by Workflows Administrator
-created: 2025-10-22T13:29:26+00:00
-lastUpdated: 2025-10-22T13:29:26+00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx
deleted file mode 100644
index 0649ffd..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_role.mdx
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: 'Okta_Role'
-description: 'A built-in role in Okta, such as Super Admin or Group Admin'
-icon: '/images/extensions/okta/okta_role.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-Okta provides a handful of [built-in administrative roles](https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm) that can be assigned to users, groups, and applications to delegate administrative tasks. These roles have predefined permissions and cannot be modified.
-
-The following roles are organization-wide:
-
-- Super Administrator
-- Organization Administrator
-- API Access Management Administrator
-- Mobile Administrator
-- Workflows Administrator
-- Report Administrator
-- Read-only Administrator
-
-The most powerful role is the **Super Administrator**, which has full access to all features and settings in the Okta organization.
-
-The following roles can either be scoped to specific resources or assigned organization-wide:
-
-- Group Administrator (AKA User Administrator)
-- Group Membership Administrator
-- Help Desk Administrator
-- Application Administrator
-
-
-Although the Workflows Administrator role is a built-in role, the Okta API treats it as a custom role that is scoped to the built-in `Workflows Resource Set`.
-
-Okta built-in roles are represented as Okta_Role nodes.
-
-## Sample Property Values
-
-```yaml
-id: APP_ADMIN@contoso.okta.com
-name: Application Administrator
-displayName: Application Administrator
-oktaDomain: contoso.okta.com
-permissions:
- - okta.apps.manage
- - okta.apps.read
- - okta.apps.assignment.manage
- - okta.apps.clientCredentials.read
- - okta.users.appAssignment.manage
- - okta.groups.appAssignment.manage
- - okta.policies.manage
- - okta.policies.read
- - okta.users.read
- - okta.groups.read
- - okta.users.userprofile.manage
- - okta.users.userprofile.read
- - okta.profilesources.import.run
- - okta.agents.register
- - okta.realms.read
-```
-
-## Built-In Role Identifiers
-
-When working with roles using the Okta API, the built-in roles are referenced by the following identifiers:
-
-| Role Identifier | Role Name |
-|-----------------------------|-------------------------------------|
-| SUPER_ADMIN | Super Administrator |
-| ORG_ADMIN | Organization Administrator |
-| USER_ADMIN | Group Administrator |
-| GROUP_MEMBERSHIP_ADMIN | Group Membership Administrator |
-| APP_ADMIN | Application Administrator |
-| API_ACCESS_MANAGEMENT_ADMIN | API Access Management Administrator |
-| ~~API_ADMIN~~ | API Administrator (Deprecated?) |
-| HELP_DESK_ADMIN | Help Desk Administrator |
-| MOBILE_ADMIN | Mobile Administrator |
-| WORKFLOWS_ADMIN | Workflows Administrator |
-| REPORT_ADMIN | Report Administrator |
-| READ_ONLY_ADMIN | Read-Only Administrator |
-
-To make the role identifiers unique, the OpenHound collector adds the organization domain name as a suffix to each role's ID, e.g., `SUPER_ADMIN@contoso.okta.com`.
-
-## Built-In Role Permissions
-
-Unlike custom roles, built-in roles have fixed permissions that cannot be changed. However, the exact OAuth 2.0 scopes granted to each built-in role are not publicly documented by Okta and cannot even be retrieved via the API. We therefore did the mapping by ourselves based on the role descriptions in the Okta documentation.
Hence, the resulting permissions ingested to BloodHound are best-effort approximations and may not be 100% accurate.
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx
deleted file mode 100644
index da93987..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_roleassignment.mdx
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: 'Okta_RoleAssignment'
-description: 'A set of permissions assigned to a user, group, or an application in Okta'
-icon: '/images/extensions/okta/okta_roleassignment.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-To help visualize role assignments in BloodHound, Okta_RoleAssignment nodes are created for each role assignment in Okta. These nodes represent the relationship between a [user](/opengraph/extensions/okta/nodes/okta_user), [group](/opengraph/extensions/okta/nodes/okta_group), or [application](/opengraph/extensions/okta/nodes/okta_application) and a role ([built-in](/opengraph/extensions/okta/nodes/okta_role) or [custom](/opengraph/extensions/okta/nodes/okta_customrole)).
-
-## Sample Property Values
-
-```yaml
-id: irbwnwe8vjjXl4FbX697_00uw2sodowQc75SUm697
-name: Workflows Administrator
-displayName: Workflows Administrator
-oktaDomain: contoso.okta.com
-assignmentType: USER
-type: WORKFLOWS_ADMIN
-status: ACTIVE
-created: 2025-10-22T13:29:26+00:00
-lastUpdated: 2025-10-22T13:29:26+00:00
-```
diff --git a/docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx b/docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx
deleted file mode 100644
index ca3f078..0000000
--- a/docs/official-docs/opengraph/extensions/okta/nodes/okta_user.mdx
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: 'Okta_User'
-description: 'An Okta user account'
-icon: '/images/extensions/okta/okta_user.png'
----
-
-Applies to BloodHound Enterprise and CE
-
-## Overview
-
-User objects (AKA People) represent individuals who have access to the Okta organization. Each user has a unique identifier, username in the email address format, and various attributes such as email, first name, last name, and status.
-
-Okta users are represented as Okta_User nodes.
-
-## Sample Property Values
-
-```yaml
-id: 00uw2sodn4ZPJJQyx697
-name: john.doe@contoso.com
-displayName: John Doe
-oktaDomain: contoso.okta.com
-login: john.doe@contoso.com
-email: john.doe@contoso.com
-firstName: John
-lastName: Doe
-title: Senior Identity Engineer
-department: Security Engineering
-city: Seattle
-state: WA
-countryCode: US
-status: ACTIVE
-enabled: true
-hasRoleAssignments: false
-credentialProviderName: OKTA
-credentialProviderType: OKTA
-managerId: joe.smith@contoso.com
-created: 2025-10-03T18:45:57+00:00
-activated: 2025-10-03T19:02:11+00:00
-passwordChanged: 2026-01-12T14:27:03+00:00
-lastLogin: 2026-02-20T09:41:55+00:00
-lastUpdated: 2025-10-29T11:09:47+00:00
-```
-
-## User Status
-
-User status can have [multiple values](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User), as illustrated below:
-
-![Okta user status](https://developer.okta.com/docs/api/images/users/okta-user-status.png)
-
-To simplify analysis in BloodHound, the OpenHound collector maps the **Status** attribute to the virtual boolean **Enabled** attribute as follows:
-
-| Okta User Status | Enabled | Explanation |
-|------------------|---------|----------------------------------|
-| ACTIVE | ✅ | User can authenticate. |
-| PASSWORD_EXPIRED | ✅ | User's password has expired but can still authenticate. |
-| LOCKED_OUT | ✅ | User is locked out but can still authenticate after unlocking. |
-| PROVISIONED | ✅ | User is provisioned but cannot authenticate yet.
|
-| RECOVERY | ✅ | User is in recovery mode and cannot authenticate. |
-| SUSPENDED | ❌ | User is suspended and cannot authenticate. |
-| STAGED | ❌ | User is staged and cannot authenticate yet. |
-| DEPROVISIONED | ❌ | User is deprovisioned and cannot authenticate. |
-
-
-This mapping is a simplification and may not cover all edge cases. Always refer to the actual **Status** attribute for precise user state information.
-
-## Authentication Factors
-
-Okta supports various authentication factors for multi-factor authentication (MFA), such as SMS, email, push notifications, and hardware tokens. In case of mobile and desktop applications, these authentication factors are associated with the [Device](/opengraph/extensions/okta/nodes/okta_device) entities. Other authentication factors, such as YubiKeys and Google Authenticator, are not represented as separate nodes in BloodHound, but the number of enrolled factors is stored in the `authenticationFactors` attribute of the Okta_User nodes.
-
-## Synchronization with External Directories
-
-Users can be synchronized from external directories such as Active Directory (AD) or LDAP. When synchronized, certain attributes may be mapped from the external directory to the Okta user profile.
-
-![Additional Active Directory attributes](/images/extensions/okta/user-ad-attributes.png)
diff --git a/docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx b/docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx
deleted file mode 100644
index e010b65..0000000
--- a/docs/official-docs/opengraph/extensions/okta/privilege-zone-rules.mdx
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Privilege Zone Rules
-description: Okta extension Privilege Zone rules
-icon: "gem"
----
-
-Applies to BloodHound Enterprise and CE
-The following Privilege Zone rules can be imported into BloodHound to group nodes for Cypher query analysis and BloodHound Enterprise finding generation.
-
-This file is automatically generated from the [JSON Privilege Zone rule files](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules).
-
-
-## Organization
-
-Organization nodes in Okta.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:Okta_Organization)
-RETURN n
-```
-
-This rule is defined in the [organization.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules/organization.json) file.
-
-## Tier Zero Devices
-
-Devices associated with principals who have SUPER_ADMIN or ORG_ADMIN role assignments.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:Okta_Device)-[:Okta_DeviceOf]->(:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(r:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
-WHERE r.type = "SUPER_ADMIN"
-OR r.type = "ORG_ADMIN"
-RETURN n
-```
-
-This rule is defined in the [tier0-devices.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules/tier0-devices.json) file.
-
-## Tier Zero Principals
-
-Principals with SUPER_ADMIN or ORG_ADMIN role assignments.
-
-Zone: Tier Zero
-
-```cypher
-MATCH (n:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(r:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization)
-WHERE r.type = "SUPER_ADMIN"
-OR r.type = "ORG_ADMIN"
-RETURN n
-```
-
-This rule is defined in the [tier0-principals.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/privilege_zone_rules/tier0-principals.json) file.
-
diff --git a/docs/official-docs/opengraph/extensions/okta/queries.mdx b/docs/official-docs/opengraph/extensions/okta/queries.mdx
deleted file mode 100644
index 310fe21..0000000
--- a/docs/official-docs/opengraph/extensions/okta/queries.mdx
+++ /dev/null
@@ -1,586 +0,0 @@ ---- -title: Cypher Queries -description: Okta extension Cypher queries -icon: code ---- - -Applies to BloodHound Enterprise and CE -The following custom Cypher queries can be imported into BloodHound to enhance visibility. - -This file is automatically generated from the [JSON query files](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches). - - -## Agents, Agent Pools, and Host Servers - -Lists Okta agents, their associated agent pools, and the AD servers hosting each agent. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_AgentPool)<-[:Okta_AgentMemberOf|Okta_HostsAgent*1..2]-(agent) -WHERE agent:Okta_Agent OR agent:Computer -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [ad-agents.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/ad-agents.json) file. - -## Principals with Admin Console Access - -Identifies principals with access to the Okta Admin Console. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(console:Okta_Application) -WHERE console.appType = "saasure" -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [admin-console-access.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/admin-console-access.json) file. - -## Application Assignments - -List all application assignments. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_AppAssignment]->(:Okta_Application) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [app-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/app-assignments.json) file. - -## Application Credentials - -Lists all service application secrets and JWTs. 
- -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)<-[:Okta_SecretOf|Okta_KeyOf]->(credential) -WHERE credential:Okta_ClientSecret OR credential:Okta_JWK -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [app-credentials.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/app-credentials.json) file. - -## Devices - -List all devices, their owners, and any mobile admins. - -```cypher -MATCH path = (:Okta_Device)-[:Okta_DeviceOf]->(:Okta_User) -OPTIONAL MATCH adminPath = (admin)-[:Okta_MobileAdmin]->(:Okta_Device) -WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application -RETURN path,adminPath -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [devices.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/devices.json) file. - -## Group Membership - -Retrieves all group membership relationships. - -```cypher -MATCH path = (:Okta_User)-[:Okta_MemberOf]->(:Okta_Group) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [group-members.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/group-members.json) file. - -## Hybrid Relationships Inbound - -Retrieves all hybrid relationships from external systems to Okta. - -```cypher -MATCH path = (source)-[]->(:Okta) -WHERE NOT source:Okta -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [hybrid-inbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-inbound.json) file. - -## Hybrid Relationships Outbound - -Retrieves all hybrid relationships from Okta to external systems. 
- -```cypher -MATCH path = (:Okta)-[]->(target) -WHERE NOT target:Okta -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [hybrid-outbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-outbound.json) file. - -## Security Principal Synchronization - -Retrieves all users and groups that are synchronized TO or FROM Okta. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_UserPull|Okta_UserPush|Okta_GroupPull|Okta_GroupPush]->(:Okta) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [hybrid-sync.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/hybrid-sync.json) file. - -## Identity Provider Assignments - Direct Privileged Access - -Identity providers associated with users or groups that hold direct privileged role assignments in Okta. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE assignee:Okta_User OR assignee:Okta_Group -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [identity-providers-direct-privileged.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers-direct-privileged.json) file. - -## Identity Provider Assignments - Indirect Privileged Access - -Identity providers associated with users who hold privileged role assignments through group membership in Okta. 
- -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [identity-providers-indirect-privileged.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers-indirect-privileged.json) file. - -## Identity Provider Assignments - -Lists all identity providers and the users and groups they are associated with, including per-user trust relationships and automatic group assignments. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_IdentityProvider)-[:Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(assignee) -WHERE assignee:Okta_User OR assignee:Okta_Group -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [identity-providers.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/identity-providers.json) file. - -## Organizational Structure - -Retrieves all manager relationships. - -```cypher -MATCH path = (:Okta_User)-[:Okta_ManagerOf]->(:Okta_User) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [org-chart.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/org-chart.json) file. - -## Org Trust Relationships - -Lists all org-to-org trust relationships including inbound and outbound SSO federation, Secure Web Authentication (SWA), and Kerberos SSO relationships between Okta applications and supported external organizations or tenants. 
- -```cypher -MATCH path = (source)-[:Okta_InboundOrgSSO|Okta_OutboundOrgSSO|Okta_OrgSWA|Okta_KerberosSSO]-() -WHERE source:Okta_Application OR source:Okta_IdentityProvider -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [org-trust-relationships.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/org-trust-relationships.json) file. - -## Password and MFA Permissions - -Lists permissions to reset passwords and MFA factors. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(actor)-[:Okta_ResetPassword|Okta_ResetFactors|Okta_HelpDeskAdmin|Okta_OrgAdmin|Okta_GroupAdmin]->(:Okta_User) -WHERE actor:Okta_User OR actor:Okta_Group OR actor:Okta_Application -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [password-and-mfa-permissions.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/password-and-mfa-permissions.json) file. - -## Policy Mappings - -Retrieves all policy mappings. - -```cypher -MATCH policies = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Policy) -MATCH mappings = (:Okta_Policy)-[:Okta_PolicyMapping]->(:Okta) -RETURN policies,mappings -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [policy-mappings.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/policy-mappings.json) file. - -## Unrotated Active Access Keys on Privileged Apps - -Finds active JWKs or client secrets older than 365 days on applications that have role assignments. 
- -```cypher -MATCH path = (credential)-[:Okta_KeyOf|Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE (credential:Okta_JWK OR credential:Okta_ClientSecret) AND credential.status = "ACTIVE" AND datetime(credential.created) <= datetime() - duration("P365D") -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-app-unrotated-access-keys.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-app-unrotated-access-keys.json) file. - -## Applications with Role Assignments - -Applications that have roles assigned. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-apps.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-apps.json) file. - -## Synced Principals with Privileged Access (Direct) - Hybrid Edges - -Users, groups, and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments in Okta. - -```cypher -MATCH path = ()-[:Okta_UserSync|Okta_MembershipSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE principal:Okta_User OR principal:Okta_Group OR principal:Okta_Application -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-hybrid-inbound-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-hybrid-inbound-direct.json) file. 
- -## Synced Principals with Privileged Access (Indirect) - Hybrid Edges - -Users and applications with inbound hybrid relationships (sync, SSO, or AD agent) that hold privileged role assignments through group membership in Okta. - -```cypher -MATCH path = ()-[:Okta_UserSync|Okta_InboundSSO|Okta_HostsAgent]->(principal)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE principal:Okta_User OR principal:Okta_Application -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-hybrid-inbound-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-hybrid-inbound-indirect.json) file. - -## Synced Principals with Privileged Access (Direct) - Okta Edges - -Users and groups synchronized from external sources that have privileged role assignments. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_GroupPull|Okta_IdentityProviderFor|Okta_IdpGroupAssignment]->(:Okta)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE provider:Okta_Application OR provider:Okta_IdentityProvider -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-principals-hybrid-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-principals-hybrid-direct.json) file. - -## Synced Principals with Privileged Access (Indirect) - Okta Edges - -Users synchronized from external sources that hold privileged role assignments through group membership in Okta. 
- -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(provider)-[:Okta_UserPull|Okta_IdentityProviderFor]->(:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE provider:Okta_Application OR provider:Okta_IdentityProvider -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-principals-hybrid-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-principals-hybrid-indirect.json) file. - -## Privileged Users without MFA (Direct) - -Users who do not have multi-factor authentication enabled and directly hold privileged role assignments. - -```cypher -MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.authenticationFactors = 0 -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-users-no-mfa-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-no-mfa-direct.json) file. - -## Privileged Users without MFA (Indirect) - -Users who do not have multi-factor authentication enabled and hold privileged role assignments through group membership. - -```cypher -MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.authenticationFactors = 0 -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-users-no-mfa-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-no-mfa-indirect.json) file. - -## Privileged Users with Old Passwords (Direct) - -Finds users whose last password change was more than a year ago and directly hold privileged role assignments. 
- -```cypher -MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D") -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-users-old-passwords-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-old-passwords-direct.json) file. - -## Privileged Users with Old Passwords (Indirect) - -Finds users whose last password change was more than a year ago and hold privileged role assignments through group membership. - -```cypher -MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.passwordChanged IS NOT NULL AND datetime(user.passwordChanged) <= datetime() - duration("P365D") -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-users-old-passwords-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-old-passwords-indirect.json) file. - -## Privileged Users with Non-Active Status (Direct) - -Finds users whose status is not ACTIVE and directly hold privileged role assignments, including deactivated, suspended, or provisioning-incomplete accounts. - -```cypher -MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.status <> "ACTIVE" -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-users-unexpected-status-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-unexpected-status-direct.json) file. 
- -## Privileged Users with Non-Active Status (Indirect) - -Finds users whose status is not ACTIVE and hold privileged role assignments through group membership, including deactivated, suspended, or provisioning-incomplete accounts. - -```cypher -MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.status <> "ACTIVE" -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [privileged-users-unexpected-status-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/privileged-users-unexpected-status-indirect.json) file. - -## Read Client Secrets of Privileged Applications - -Searches for client secrets associated with privileged applications that are readable to non-Super Admins. - -```cypher -MATCH path = (:Okta)-[:Okta_ReadClientSecret|Okta_MemberOf*1..2]->(:Okta_ClientSecret)-[:Okta_SecretOf]->(:Okta_Application)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [read-client-secrets.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/read-client-secrets.json) file. - -## Realm Membership - -Lists all Okta realms and the users assigned to them. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Realm)-[:Okta_RealmContains]->(:Okta_User) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [realm-membership.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/realm-membership.json) file. - -## Resource Set Membership - -Lists all resource sets and their associated members. 
- -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_ResourceSet)-[:Okta_ResourceSetContains]->(:Okta) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [resource-set-membership.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/resource-set-membership.json) file. - -## Application Administrators and Managers - -List all Application Administrators and Managers. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_AppAdmin|Okta_ManageApp]->(app) -WHERE (admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application) AND (app:Okta_Application OR app:Okta_ApiServiceIntegration) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [role-app-admins.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-app-admins.json) file. - -## Role Assignments - Role Assignments and Scope - -Lists all role assignments and scope, including transitive group membership. - -```cypher -MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf*1..2]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [role-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-assignments.json) file. - -## Role Assignments - All Custom Roles - -Lists all role assignments, linking principals to their assigned custom roles. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_CustomRole) -WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [role-custom-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-custom-assignments.json) file. 
- -## Role Assignments - All Built-in Roles - -Lists all role assignments, linking principals to their assigned built-in roles. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(assignee)-[:Okta_HasRole]->(:Okta_Role) -WHERE assignee:Okta_User OR assignee:Okta_Group OR assignee:Okta_Application -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [role-direct-assignments.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-direct-assignments.json) file. - -## Role Assignments - Group Administrators - -List all Group Administrators and Group Membership Administrators. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(admin)-[:Okta_GroupAdmin|Okta_GroupMembershipAdmin|Okta_OrgAdmin]->(:Okta_Group) -WHERE admin:Okta_User OR admin:Okta_Group OR admin:Okta_Application -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [role-group-admins.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/role-group-admins.json) file. - -## SCIM Apps Receiving Password Updates - -Lists application-to-user assignments where the app receives password updates. - -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta_Application)-[:Okta_ReadPasswordUpdates]->(:Okta_User) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [scim-read-passwords.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/scim-read-passwords.json) file. - -## API Service Integration Creators - -Lists all API service integrations and their creators. 
- -```cypher -MATCH path = (:Okta_Organization)-[:Okta_Contains]->(:Okta)-[:Okta_CreatorOf]->(:Okta_ApiServiceIntegration) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [service-integration-creators.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/service-integration-creators.json) file. - -## Stale Privileged Users (Direct) - -Finds user accounts that have not logged in for at least 180 days and directly hold privileged role assignments. - -```cypher -MATCH path = (user:Okta_User)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D") -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [stale-privileged-accounts-direct.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/stale-privileged-accounts-direct.json) file. - -## Stale Privileged Users (Indirect) - -Finds user accounts that have not logged in for at least 180 days and hold privileged role assignments through group membership. - -```cypher -MATCH path = (user:Okta_User)-[:Okta_MemberOf]->(:Okta_Group)-[:Okta_HasRoleAssignment]->(:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta) -WHERE user.lastLogin IS NULL OR datetime(user.lastLogin) <= datetime() - duration("P180D") -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [stale-privileged-accounts-indirect.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/stale-privileged-accounts-indirect.json) file. - -## Secure Web Authentication Applications - -Secure Web Authentication (SWA) relationships between Okta users and their linked accounts in external applications. 
- -```cypher -MATCH path = (:Okta_User)-[:Okta_SWA]->(target) -WHERE NOT target:Okta -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [swa-applications.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/swa-applications.json) file. - -## Inbound User and Group Synchronization - -Lists all inbound user and group synchronization relationships to Okta, including password synchronization across Org2Org setups. - -```cypher -MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target) -WHERE target:Okta_User OR target:Okta_Group -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [sync-relationships-inbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/sync-relationships-inbound.json) file. - -## Outbound User and Group Synchronization - -Lists all outbound user and group synchronization relationships from Okta, including password synchronization across Org2Org setups. - -```cypher -MATCH path = (source)-[:Okta_UserSync|Okta_MembershipSync|Okta_PasswordSync]->(target) -WHERE source:Okta_User OR source:Okta_Group -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [sync-relationships-outbound.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/sync-relationships-outbound.json) file. - -## Tier Zero Principals and Devices - -Principals with SUPER_ADMIN or ORG_ADMIN role assignments and their associated devices. - -```cypher -MATCH path = (:Okta)-[:Okta_HasRoleAssignment|Okta_MemberOf|Okta_DeviceOf*1..3]->(role:Okta_RoleAssignment)-[:Okta_ScopedTo]->(:Okta_Organization) -WHERE role.type = "SUPER_ADMIN" -OR role.type = "ORG_ADMIN" -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [tier0.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/tier0.json) file. 
- -## Users with API Tokens - -Retrieves all (privileged) users who have been assigned API tokens. - -```cypher -MATCH path = (:Okta_ApiToken)-[:Okta_ApiTokenFor]->(:Okta_User)<-[:Okta_Contains]-(:Okta_Organization) -RETURN path -LIMIT 1000 -``` - -This query can be imported into BloodHound from the [users-api-tokens.json](https://github.com/SpecterOps/openhound-okta/tree/main/extension/saved_searches/users-api-tokens.json) file. - diff --git a/docs/official-docs/opengraph/extensions/okta/schema.mdx b/docs/official-docs/opengraph/extensions/okta/schema.mdx deleted file mode 100644 index d48cfc0..0000000 --- a/docs/official-docs/opengraph/extensions/okta/schema.mdx +++ /dev/null @@ -1,95 +0,0 @@ ---- -title: Schema -description: Okta extension schema definition -icon: circle-nodes ---- - -Applies to BloodHound Enterprise and CE -## Metadata - -**Name:** SOOkta
-**Display Name:** Okta Extension (by SpecterOps)
-**Version:** v2.8.1
-**Namespace:** Okta
-**Environment Kind:** Okta_Organization
-**Source Kind:** Okta - - -This file is automatically generated from the [extension schema definition file](https://github.com/SpecterOps/openhound-okta/blob/main/extension/schema.json). - - -## Nodes - -| Icon | Node Kind | Display Name | -|------|-----------|--------------| -| ![Okta_Agent](/images/extensions/okta/okta_agent.png) | [Okta_Agent](/opengraph/extensions/okta/nodes/okta_agent) | Okta Agent | -| ![Okta_AgentPool](/images/extensions/okta/okta_agentpool.png) | [Okta_AgentPool](/opengraph/extensions/okta/nodes/okta_agentpool) | Okta Agent Pool | -| ![Okta_ApiServiceIntegration](/images/extensions/okta/okta_apiserviceintegration.png) | [Okta_ApiServiceIntegration](/opengraph/extensions/okta/nodes/okta_apiserviceintegration) | Okta API Service Integration | -| ![Okta_ApiToken](/images/extensions/okta/okta_apitoken.png) | [Okta_ApiToken](/opengraph/extensions/okta/nodes/okta_apitoken) | Okta API Token | -| ![Okta_Application](/images/extensions/okta/okta_application.png) | [Okta_Application](/opengraph/extensions/okta/nodes/okta_application) | Okta Application | -| ![Okta_AuthorizationServer](/images/extensions/okta/okta_authorizationserver.png) | [Okta_AuthorizationServer](/opengraph/extensions/okta/nodes/okta_authorizationserver) | Okta Authorization Server | -| ![Okta_ClientSecret](/images/extensions/okta/okta_clientsecret.png) | [Okta_ClientSecret](/opengraph/extensions/okta/nodes/okta_clientsecret) | Okta Client Secret | -| ![Okta_CustomRole](/images/extensions/okta/okta_customrole.png) | [Okta_CustomRole](/opengraph/extensions/okta/nodes/okta_customrole) | Okta Custom Role | -| ![Okta_Device](/images/extensions/okta/okta_device.png) | [Okta_Device](/opengraph/extensions/okta/nodes/okta_device) | Okta Device | -| ![Okta_Group](/images/extensions/okta/okta_group.png) | [Okta_Group](/opengraph/extensions/okta/nodes/okta_group) | Okta Group | -| ![Okta_IdentityProvider](/images/extensions/okta/okta_identityprovider.png) | 
[Okta_IdentityProvider](/opengraph/extensions/okta/nodes/okta_identityprovider) | Okta Identity Provider | -| ![Okta_JWK](/images/extensions/okta/okta_jwk.png) | [Okta_JWK](/opengraph/extensions/okta/nodes/okta_jwk) | Okta JWK | -| ![Okta_Organization](/images/extensions/okta/okta_organization.png) | [Okta_Organization](/opengraph/extensions/okta/nodes/okta_organization) | Okta Organization | -| ![Okta_Policy](/images/extensions/okta/okta_policy.png) | [Okta_Policy](/opengraph/extensions/okta/nodes/okta_policy) | Okta Policy | -| ![Okta_Realm](/images/extensions/okta/okta_realm.png) | [Okta_Realm](/opengraph/extensions/okta/nodes/okta_realm) | Okta Realm | -| ![Okta_ResourceSet](/images/extensions/okta/okta_resourceset.png) | [Okta_ResourceSet](/opengraph/extensions/okta/nodes/okta_resourceset) | Okta Resource Set | -| ![Okta_Role](/images/extensions/okta/okta_role.png) | [Okta_Role](/opengraph/extensions/okta/nodes/okta_role) | Okta Role | -| ![Okta_RoleAssignment](/images/extensions/okta/okta_roleassignment.png) | [Okta_RoleAssignment](/opengraph/extensions/okta/nodes/okta_roleassignment) | Okta Role Assignment | -| ![Okta_User](/images/extensions/okta/okta_user.png) | [Okta_User](/opengraph/extensions/okta/nodes/okta_user) | Okta User | - -## Edges - -| Relationship Kind | Traversable | Description | -|-------------------|:-----------:|-------------| -| [Okta_AddMember](/opengraph/extensions/okta/edges/okta_addmember) | ✅ | Ability to add or remove members in scoped Okta groups | -| [Okta_AgentMemberOf](/opengraph/extensions/okta/edges/okta_agentmemberof) | ✅ | Membership of an Okta agent in an agent pool | -| [Okta_AgentPoolFor](/opengraph/extensions/okta/edges/okta_agentpoolfor) | ✅ | Relationship between an AD agent pool and its backing AD application | -| [Okta_ApiTokenFor](/opengraph/extensions/okta/edges/okta_apitokenfor) | ✅ | User ownership of an Okta API token | -| [Okta_AppAdmin](/opengraph/extensions/okta/edges/okta_appadmin) | ✅ | Application 
administrator role assignment | -| [Okta_AppAssignment](/opengraph/extensions/okta/edges/okta_appassignment) | ❌ | Assignment of users or groups to an Okta application | -| [Okta_Contains](/opengraph/extensions/okta/edges/okta_contains) | ✅ | Contains relationship between the Okta organization and its objects | -| [Okta_CreatorOf](/opengraph/extensions/okta/edges/okta_creatorof) | ❌ | Creator relationship for API service integrations | -| [Okta_DeviceOf](/opengraph/extensions/okta/edges/okta_deviceof) | ❌ | Ownership relationship between a device and its assigned user | -| [Okta_GroupAdmin](/opengraph/extensions/okta/edges/okta_groupadmin) | ✅ | Group administrator role assignment | -| [Okta_GroupMembershipAdmin](/opengraph/extensions/okta/edges/okta_groupmembershipadmin) | ✅ | Group membership administrator role assignment | -| [Okta_GroupPull](/opengraph/extensions/okta/edges/okta_grouppull) | ✅ | Import of group memberships from an external application | -| [Okta_GroupPush](/opengraph/extensions/okta/edges/okta_grouppush) | ❌ | Provisioning of group memberships to an external application | -| [Okta_HasRole](/opengraph/extensions/okta/edges/okta_hasrole) | ❌ | Assignment of a built-in or custom role to a principal | -| [Okta_HasRoleAssignment](/opengraph/extensions/okta/edges/okta_hasroleassignment) | ❌ | Relationship between a principal and a role assignment | -| [Okta_HelpDeskAdmin](/opengraph/extensions/okta/edges/okta_helpdeskadmin) | ✅ | Help desk administrator role assignment | -| [Okta_HostsAgent](/opengraph/extensions/okta/edges/okta_hostsagent) | ✅ | Relationship between an AD server and the Okta agent running on that host | -| [Okta_IdentityProviderFor](/opengraph/extensions/okta/edges/okta_identityproviderfor) | ✅ | Trust relationship between an identity provider and Okta users | -| [Okta_IdpGroupAssignment](/opengraph/extensions/okta/edges/okta_idpgroupassignment) | ❌ | Identity provider group assignment to an Okta group | -| 
[Okta_InboundOrgSSO](/opengraph/extensions/okta/edges/okta_inboundorgsso) | ✅ | Single sign-on from an external organization into Okta | -| [Okta_InboundSSO](/opengraph/extensions/okta/edges/okta_inboundsso) | ✅ | Single sign-on from an external identity provider into Okta | -| [Okta_KerberosSSO](/opengraph/extensions/okta/edges/okta_kerberossso) | ✅ | Agentless desktop SSO relationship from on-prem AD user account to Okta AD application | -| [Okta_KeyOf](/opengraph/extensions/okta/edges/okta_keyof) | ✅ | JSON Web Key associated with an Okta application | -| [Okta_ManageApp](/opengraph/extensions/okta/edges/okta_manageapp) | ✅ | Ability to manage scoped Okta applications | -| [Okta_ManagerOf](/opengraph/extensions/okta/edges/okta_managerof) | ❌ | Manager relationship between Okta users | -| [Okta_MemberOf](/opengraph/extensions/okta/edges/okta_memberof) | ✅ | Membership of a user in an Okta group | -| [Okta_MembershipSync](/opengraph/extensions/okta/edges/okta_membershipsync) | ✅ | Bidirectional synchronization between Okta groups and external groups | -| [Okta_MobileAdmin](/opengraph/extensions/okta/edges/okta_mobileadmin) | ✅ | Mobile administrator role assignment | -| [Okta_OrgAdmin](/opengraph/extensions/okta/edges/okta_orgadmin) | ✅ | Organization administrator role assignment | -| [Okta_OrgSWA](/opengraph/extensions/okta/edges/okta_orgswa) | ❌ | Secure Web Authentication from an Okta application to an external organization | -| [Okta_OutboundOrgSSO](/opengraph/extensions/okta/edges/okta_outboundorgsso) | ✅ | Single sign-on from an Okta application to an external organization | -| [Okta_OutboundSSO](/opengraph/extensions/okta/edges/okta_outboundsso) | ✅ | Single sign-on from Okta to an external identity provider | -| [Okta_PasswordSync](/opengraph/extensions/okta/edges/okta_passwordsync) | ✅ | Password synchronization between user accounts via AD integration, Org2Org, or SCIM | -| [Okta_PolicyMapping](/opengraph/extensions/okta/edges/okta_policymapping) | ❌ | 
Association of a policy with an Okta application | -| [Okta_ReadClientSecret](/opengraph/extensions/okta/edges/okta_readclientsecret) | ✅ | Ability to read client secrets for scoped Okta applications | -| [Okta_ReadPasswordUpdates](/opengraph/extensions/okta/edges/okta_readpasswordupdates) | ✅ | Application can read password updates over the SCIM protocol | -| [Okta_RealmContains](/opengraph/extensions/okta/edges/okta_realmcontains) | ✅ | Contains relationship between an Okta realm and its users | -| [Okta_ResetFactors](/opengraph/extensions/okta/edges/okta_resetfactors) | ✅ | Ability to reset MFA factors for scoped Okta users | -| [Okta_ResetPassword](/opengraph/extensions/okta/edges/okta_resetpassword) | ✅ | Ability to reset passwords or temporary credentials for scoped Okta users | -| [Okta_ResourceSetContains](/opengraph/extensions/okta/edges/okta_resourcesetcontains) | ✅ | Membership of objects within an Okta resource set | -| [Okta_ScopedTo](/opengraph/extensions/okta/edges/okta_scopedto) | ❌ | Scope relationship between a role assignment and its target | -| [Okta_SecretOf](/opengraph/extensions/okta/edges/okta_secretof) | ✅ | Client secret associated with an application or service integration | -| [Okta_SuperAdmin](/opengraph/extensions/okta/edges/okta_superadmin) | ✅ | Super administrator role assignment | -| [Okta_SWA](/opengraph/extensions/okta/edges/okta_swa) | ❌ | Secure Web Authentication from Okta to an external application | -| [Okta_UserPull](/opengraph/extensions/okta/edges/okta_userpull) | ❌ | Import of users from an external application | -| [Okta_UserPush](/opengraph/extensions/okta/edges/okta_userpush) | ❌ | Provisioning of users to an external application | -| [Okta_UserSync](/opengraph/extensions/okta/edges/okta_usersync) | ❌ | Bidirectional synchronization between Okta users and external identities |