About this article
Vanta integrates with Okta to monitor and manage access to your tools. By syncing user access data, Vanta helps ensure that only active employees retain access and that access is promptly removed when personnel leave—supporting automated compliance needs, streamlined access reviews, and automated access requests.
Estimated setup time: Less than 15 minutes
How it works
Vanta connects to Okta to sync users, groups, and roles data on a regular basis. This data powers three key workflows in Vanta:
Automated compliance tests: Vanta automatically checks that accounts are linked to employees, that MFA is enabled, and that accounts are deprovisioned when personnel leave.
Access Reviews: Synced users are surfaced in Vanta's Access Reviews and approvers can validate whether access is still appropriate, confirm least-privilege access, and provide evidence for audits.
Access Requests: Entitlements from Okta are pulled into Vanta. Requesters can ask for specific access levels, approvers can review with context, and system admins can track provisioning.
Use Cases
Connecting Okta to Vanta will enable you to:
Monitor and manage personnel access to Okta in real time
Ensure only active employees retain access to company systems
Verify MFA enrollment across all user accounts
Track admin role assignments and privileged access
Simplify access reviews and support compliance requirements
Enable single sign-on (SSO) for Vanta users through Okta
Requirements
Vanta administrator account
Okta Super Administrator account (required to authorize API access and create app integrations)
Connect the integration
Step 1
Create Okta API Service App Integration
Log in to your Okta account as a Super Administrator
From the left-hand navigation panel, select Applications.
Select Create App Integration.
Select API services and choose Next
Enter an App integration name.
We recommend using a name that signifies its relation to Vanta.
Select Save
Select Okta API Scopes and grant Vanta access to the following read-only items:
okta.appGrants.read
okta.apps.read
okta.groups.read
okta.policies.read
okta.roles.read
okta.users.read
Note: Adding permissions outside of the required list above can cause issues.
Under "General Settings," uncheck the box labeled Require Demonstrating Proof of Possession (DPoP) header in token requests. Vanta does not currently provide Proof of Possession, so leaving this box checked will prevent you from completing the integration.
Note: Reload the app page and confirm that the box is still unchecked. There is an issue where the box remains checked after being updated for the first time. Confirm this before continuing with the connection.
Note: If the API Service App supports Admin Roles, assign the Super Administrator role to the app. This is required for the Vanta integration.
Note: If you receive the below error when trying to Validate in Vanta, assign the Super Administrator role to the app. This is required for the Vanta integration.
Note: Assign the Super Administrator role to the application. This step is required for the Vanta integration to function correctly.
Step 2
Locate your Okta Client ID and Okta Domain
How to find your Okta Domain in the Okta Admin portal:
Log in to Vanta and open the Integrations Page
Search for Okta in the Available Tab
Select Connect
Paste your Okta Domain and Client ID into the appropriate fields:
Select Next. A new pop-up modal will appear.
Copy the URL from Step 5 (paste it somewhere safe).
You will need the URL from step 5 in the Okta platform
Do not select Validate (This will happen during a later step)
Step 3
Return to Okta and find your App Integration.
From the General tab, select Edit and choose Public Key / Private Key for Client authentication.
Under the Public Keys section, select Use a URL to fetch keys dynamically.
Paste the URL obtained from the pop-up modal back into the open Okta field.
Select Save
Step 4
Return to Vanta
Select Validate from the pop-up Modal
Note: If you would also like to enable SSO for all or specific users, wait to select 'Connect app' on the connection modal and follow the steps below first:
Step 1: Installing the Vanta SAML App in Okta
Under Applications, select Browse App Catalog:
Once you've located the Vanta SAML App, select it and choose Add Integration:
Return to Vanta and copy your Domain ID; this will be needed in the next step.
Step 2: Configuring Sign-on settings:
Under Applications, click on the Vanta application.
In the following screen, click on the Sign On tab and then Edit.
Find Advanced Sign-on Settings and paste the Vanta domain ID into the Domain ID field.
Select Save
Step 3: Adding your User assignments
You can now add your User Assignments for SSO Login via the Assignments section of the Vanta SAML Okta App:
Select the Assignments tab and click Assign. From there, assign the Okta application to the users/groups who will use SSO to log in to Vanta.
Step 4: Connecting the app on Vanta
Once you've configured the Vanta SAML App in Okta, you can click 'Connect App' in Vanta:
Return to Vanta and select Connect app
Once connected, you should see an alert indicating the Okta Login app has been successfully connected. You will then be returned to the Integrations Page.
Creating multiple Vanta Okta apps for Workspaces
If you use Vanta Workspaces, you can add multiple Vanta apps in Okta, one for each Workspace.
Follow the same steps under “Add Vanta to your Okta Account”.
When you select Add Integration and complete the prompts under General settings, ensure the app label contains Vanta (name must be exact).
You can choose to customize the text in the parentheses.
When you connect Okta on the Integrations page, we will recognize if you have multiple Vanta apps in Okta. After adding your API Token and Okta domain, you’ll see a prompt on the next step to select the Vanta app you want to connect.
If you have connected your Okta app before June 22, 2023, and then disconnected, the above process will need to be followed.
Synced Data
Connecting Okta to Vanta syncs the following user data, which is essential for access control, compliance testing, and reviews within Vanta:
Synced User Information:
User Profile: Includes name, email address, job title, employee number, and profile information.
Access & Security Status: Information on admin status, assigned roles, Multi-Factor Authentication (MFA) enrollment, and group memberships.
Account Status: Current account status and activation information.
Application Access: Data about applications users have access to through Okta.
This integrated data is critical for Vanta's functions, supporting features like Access Reviews, Access Requests, and automated compliance tests to help maintain strong access controls and meet required compliance standards.
Capabilities
Resource | Supported | Usage |
Users | ✅ | |
Groups | ✅ | |
Roles/Entitlements | ✅ | |
Applications | ✅ | |
Permissions
Vanta accesses the following data from the Okta API using read-only OAuth grant types.
Vanta will be able to read:
Data about your users
Needed to confirm that only active employees retain system access and that terminated employees are deprovisioned promptly. In Access Requests, this allows Vanta to display available users when tracking or assigning access.
Data about user groups
Needed to validate least-privilege access and confirm group-based access controls align with compliance requirements. In Access Requests, this enables approvers to see which groups grant access and map access levels to entitlements.
Data about admin roles and role assignments
Needed to ensure employees are assigned to correct roles, validate least-privilege access, and confirm that high-privilege roles (e.g., Super Administrator) are only granted to authorized personnel. In Access Requests, this allows requesters to choose from the correct set of roles and ensures approvers can review what level of access is being requested.
Data about applications and application grants
Needed to discover which applications users have access to through Okta, supporting access audits and ensuring proper access controls.
Data about policies
Needed to understand access policies and validate that access controls align with compliance requirements.
Vanta will be able to write:
Nothing (Vanta does not have write permission)
Troubleshooting FAQ
I don't see roles available when creating an access level in Vanta.
Likely cause: The required Okta API scopes may not have been granted during app integration setup. Verify that all required read-only scopes (okta.roles.read, okta.apps.read, etc.) are granted in your Okta API Service App Integration.
Only some of my users are appearing in Vanta.
Likely cause: You may have IDP scoping configured to limit which users are synced. Check your scoping configuration and ensure all desired users are included.
I'm getting an error when trying to Validate in Vanta.
Likely cause: The Super Administrator role may not have been assigned to the API Service App. Return to Okta and ensure the Super Administrator role is assigned to the app integration. This is required for the Vanta integration to function correctly.
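A pre-validation check for the Okta-side settings from Steps 1 and 3 and for the missing-scope cause listed in this FAQ. This is an added example, not Vanta's or Okta's own code: it compares the app's granted scopes against the six required ones, flags anything extra, and checks the DPoP and client authentication settings. The JSON field names (scopeId, status, dpop_bound_access_tokens, token_endpoint_auth_method, jwks_uri) are assumptions about how the Okta Apps API returns the app and its grants, and the sample data is constructed.

```python
import json

# Scopes the article lists as required (all read-only).
REQUIRED_SCOPES = {
    "okta.appGrants.read", "okta.apps.read", "okta.groups.read",
    "okta.policies.read", "okta.roles.read", "okta.users.read",
}

def audit_service_app(app: dict, grants: list) -> list:
    """Return findings for an Okta API service app created for Vanta.

    `app` and `grants` are assumed to be the parsed JSON of the app object
    and its scope-grant list; the field names used here are assumptions.
    """
    findings = []
    granted = {g["scopeId"] for g in grants if g.get("status", "ACTIVE") == "ACTIVE"}
    # Missing scopes match the "roles not available" symptom in the FAQ.
    for scope in sorted(REQUIRED_SCOPES - granted):
        findings.append(f"missing required scope: {scope}")
    # The article warns against scopes outside the required list.
    for scope in sorted(granted - REQUIRED_SCOPES):
        kind = "read-only" if scope.endswith(".read") else "NOT read-only"
        findings.append(f"extra scope outside required list ({kind}): {scope}")
    client = app.get("settings", {}).get("oauthClient", {})
    if client.get("dpop_bound_access_tokens", False):
        findings.append("DPoP is still required; uncheck it and reload the page")
    if client.get("token_endpoint_auth_method") != "private_key_jwt":
        findings.append("client authentication is not Public Key / Private Key")
    if not client.get("jwks_uri"):
        findings.append("no key URL set under Public Keys")
    return findings

# Constructed sample data (not real tenant output).
SAMPLE_APP = json.loads("""{
  "label": "Vanta API Service (example)",
  "settings": {"oauthClient": {
    "dpop_bound_access_tokens": true,
    "token_endpoint_auth_method": "private_key_jwt",
    "jwks_uri": "https://keys.example.invalid/jwks"}}
}""")
SAMPLE_GRANTS = [{"scopeId": s, "status": "ACTIVE"} for s in
                 ["okta.appGrants.read", "okta.apps.read", "okta.groups.read",
                  "okta.policies.read", "okta.users.read", "okta.users.manage"]]

if __name__ == "__main__":
    for finding in audit_service_app(SAMPLE_APP, SAMPLE_GRANTS):
        print("-", finding)
```

An empty result means the scope list, DPoP setting, and key configuration match what the setup steps describe; it does not cover the Super Administrator role assignment.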
