Secure Okta identity and access management via Model Context Protocol (MCP). Access Okta users, groups, applications, logs, and policies through AI assistants with enterprise-grade security.
18 Tools
Version 4.43 or later needs to be installed to add the server automatically
About
Attribute | Details |
---|---|
Docker Image | mcp/okta-mcp-fctr |
Author | fctr-id |
Repository | https://github.com/fctr-id/okta-mcp-server |
Dockerfile | https://github.com/fctr-id/okta-mcp-server/blob/main/Dockerfile |
Docker Image built by | Docker Inc. |
Verify Signature | COSIGN_REPOSITORY=mcp/signatures cosign verify mcp/okta-mcp-fctr --key https://raw.githubusercontent.com/docker/keyring/refs/heads/main/public/mcp/latest.pub |
Licence | Apache License 2.0 |
Tools provided by this Server | Short Description |
---|---|
get_current_time | Get the current date and time in UTC, formatted for Okta API usage. |
get_okta_application | Get detailed information about a specific Okta application. |
get_okta_event_logs | Get Okta system log events with comprehensive filtering and full pagination for complete audit trails. |
get_okta_group | Get detailed information about a specific Okta group. |
get_okta_policy_rule | Get detailed information about a specific Okta policy rule. |
get_okta_user | Get detailed information about a specific Okta user. |
list_okta_application_groups | List all groups assigned to a specific Okta application with full pagination. |
list_okta_application_users | List all users assigned to a specific Okta application with full pagination. |
list_okta_applications | List Okta applications with filtering - limited to 50 apps by default for context efficiency. |
list_okta_group_users | List all users in a specific Okta group with full pagination for complete results. |
list_okta_groups | List Okta groups with filtering - limited to 50 groups by default for context efficiency. |
list_okta_network_zones | List all network zones defined in the Okta organization. |
list_okta_policy_rules | List all rules for a specific Okta policy. |
list_okta_user_applications | List all application links (assigned applications) for a specific Okta user. |
list_okta_user_factors | List all authentication factors enrolled for a specific Okta user. |
list_okta_user_groups | List all groups that a specific Okta user belongs to. |
list_okta_users | List Okta users with filtering - returns first 50 users by default due to LLM context limitations. |
parse_relative_time | Parse natural language time expressions into Okta API-compatible timestamps. |
get_current_time
Get the current date and time in UTC, formatted for Okta API usage.
Returns current UTC timestamp in ISO 8601 format with microseconds and Z suffix, suitable for Okta API date parameters and filtering.
Buffer Hours:
Use buffer_hours to get times in the past (negative) or future (positive):
• buffer_hours=0: Current time
• buffer_hours=-24: 24 hours ago
• buffer_hours=-168: 1 week ago (7*24 hours)
• buffer_hours=24: 24 hours from now
Output Format: Returns timestamp in format: YYYY-MM-DDTHH:MM:SS.ffffffZ
Example: 2024-06-23T14:30:15.123456Z
Use Cases:
• Log event filtering: since="2024-06-22T00:00:00.000Z"
• User creation filters: lastUpdated gt "timestamp"
• Application audit queries with time ranges
• Policy rule time-based conditions
Perfect for constructing Okta API queries that require precise timestamps.
Parameters | Type | Description |
---|---|---|
buffer_hours | integer optional | Optional number of hours to add/subtract from current time |
get_okta_application
Get detailed information about a specific Okta application.
Returns comprehensive application details including:
• Basic information: name, label, status, description
• Sign-on configuration: mode, credentials, authentication settings
• User assignment settings and policies
• Group assignment configuration
• Application-specific settings and features
• Provisioning configuration (if applicable)
• Application URLs and endpoints
• Custom attributes and profile mappings
Application Status Values:
• ACTIVE - Application is active and available to users
• INACTIVE - Application is disabled and not available
Sign-On Modes:
• SAML_2_0 - SAML 2.0 federation
• OPENID_CONNECT - OpenID Connect/OAuth 2.0
• SECURE_PASSWORD_STORE - Password-based with secure storage
• AUTO_LOGIN - Automatic login with stored credentials
• BOOKMARK - Simple bookmark/link application
• BASIC_AUTH - HTTP Basic Authentication
• BROWSER_PLUGIN - Browser plugin required
• WS_FEDERATION - WS-Federation protocol
Use this tool to get complete application configuration details for troubleshooting, auditing, or configuration review purposes.
Parameters | Type | Description |
---|---|---|
app_id | string | The ID of the application to retrieve |
get_okta_event_logs
Get Okta system log events with comprehensive filtering and full pagination for complete audit trails.
Returns detailed log events from Okta system logs including authentication, user management, application access, policy changes, and administrative actions with complete audit information.
Time Parameters:
• since - Start time in ISO 8601 format: "2024-06-01T00:00:00.000Z"
• until - End time in ISO 8601 format: "2024-06-23T23:59:59.999Z"
• Use datetime tools to generate proper timestamps: parse_relative_time("24 hours ago")
Filter Parameter: Uses Okta expression language for precise event filtering:
• eventType eq "user.authentication.auth" - Authentication events
• eventType eq "user.lifecycle.create" - User creation events
• eventType eq "user.lifecycle.activate" - User activation events
• eventType eq "user.lifecycle.suspend" - User suspension events
• eventType eq "application.lifecycle.create" - App creation events
• outcome.result eq "SUCCESS" - Successful events only
• outcome.result eq "FAILURE" - Failed events only
• actor.id eq "user_id" - Events by specific user
• target.id eq "target_id" - Events targeting specific resource
Common Event Types:
• user.authentication.auth - User login attempts
• user.authentication.sso - SSO authentication
• user.session.start - Session initiation
• user.session.end - Session termination
• user.lifecycle.create - User creation
• user.lifecycle.activate - User activation
• user.lifecycle.suspend - User suspension
• user.lifecycle.unsuspend - User reactivation
• user.lifecycle.deactivate - User deactivation
• application.user_membership.add - App assignment
• application.user_membership.remove - App removal
• group.user_membership.add - Group membership addition
• group.user_membership.remove - Group membership removal
• policy.lifecycle.create - Policy creation
• policy.lifecycle.update - Policy modification
Search Parameter: Free-text search across event data:
• Search for usernames, email addresses, application names
• Search for IP addresses, client information
• Search for error messages or specific text in events
Sort Order:
• DESCENDING - Most recent events first (default)
• ASCENDING - Oldest events first
Example Filters:
• Authentication failures: 'eventType eq "user.authentication.auth" and outcome.result eq "FAILURE"'
• User lifecycle changes: 'eventType sw "user.lifecycle"'
• Application events: 'eventType sw "application"'
• Admin actions: 'actor.type eq "User" and eventType sw "policy"'
• Specific user activity: 'actor.alternateId eq "user@company.com"'
This tool uses full pagination to return complete audit trails for compliance, security analysis, and forensic investigation purposes.
Use for security monitoring, compliance auditing, troubleshooting authentication issues, and comprehensive log analysis.
Parameters | Type | Description |
---|---|---|
filter_string | string optional | Filter expression for log events |
q | string optional | Search term for log events |
since | string optional | Starting time for log events (ISO 8601 format) |
sort_order | string optional | Order of results (ASCENDING or DESCENDING) |
until | string optional | Ending time for log events (ISO 8601 format) |
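The following is an added example, not code from the okta-mcp-server project: it assembles the get_okta_event_logs arguments for the authentication-failure filter shown above, using the timestamp format documented for get_current_time, and then triages returned events for repeated failures. The argument names and the eventType, outcome.result and actor.alternateId fields come from this page; the client.ipAddress field, the helper names, the threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def okta_timestamp(buffer_hours=0, now=None):
    """UTC time shifted by buffer_hours, as YYYY-MM-DDTHH:MM:SS.ffffffZ."""
    now = now or datetime.now(timezone.utc)
    moment = now.astimezone(timezone.utc) + timedelta(hours=buffer_hours)
    return moment.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def quoted(value):
    """Quote a literal for a filter; refuse characters that could close it."""
    if any(ch in '"\\' or ord(ch) < 32 for ch in value):
        raise ValueError("unsafe character in filter value: %r" % value)
    return '"' + value + '"'


def auth_failure_query(hours_back, actor_login=None, now=None):
    """Arguments for get_okta_event_logs: failed sign-ins in the window."""
    clauses = ['eventType eq "user.authentication.auth"',
               'outcome.result eq "FAILURE"']
    if actor_login is not None:
        # Caller-supplied text never reaches the expression unvalidated.
        clauses.append("actor.alternateId eq " + quoted(actor_login))
    return {
        "filter_string": " and ".join(clauses),
        "since": okta_timestamp(-hours_back, now),
        "until": okta_timestamp(0, now),
        "sort_order": "ASCENDING",
    }


def flag_repeated_failures(events, threshold=3):
    """Map login -> sorted source IPs for logins with >= threshold failures."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for event in events:
        # Re-check type and outcome locally instead of trusting the filter.
        if event.get("eventType") != "user.authentication.auth":
            continue
        if event.get("outcome", {}).get("result") != "FAILURE":
            continue
        login = event.get("actor", {}).get("alternateId", "unknown")
        counts[login] += 1
        ip = event.get("client", {}).get("ipAddress")  # assumed field
        if ip:
            sources[login].add(ip)
    return {who: sorted(sources[who])
            for who, n in counts.items() if n >= threshold}


def _event(login, result, ip, event_type="user.authentication.auth"):
    return {"eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": login}, "client": {"ipAddress": ip}}


# Constructed sample events (documentation IP ranges, example.com logins).
SAMPLE_EVENTS = [
    _event("alice@example.com", "FAILURE", "203.0.113.10"),
    _event("alice@example.com", "FAILURE", "203.0.113.11"),
    _event("alice@example.com", "FAILURE", "203.0.113.10"),
    _event("alice@example.com", "SUCCESS", "198.51.100.7"),
    _event("bob@example.com", "FAILURE", "198.51.100.7"),
    _event("bob@example.com", "SUCCESS", "198.51.100.7", "user.session.start"),
]

if __name__ == "__main__":
    print(auth_failure_query(24))
    print(flag_repeated_failures(SAMPLE_EVENTS))
```

Rejecting quotes, backslashes and control characters keeps a login taken from a ticket or chat prompt from altering the filter expression.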
get_okta_group
Get detailed information about a specific Okta group.
Returns comprehensive group information including:
• Group profile (name, description, custom attributes)
• Group type and classification
• Membership statistics
• Creation and modification timestamps
• Group settings and configuration
Group Information Includes:
• Basic details (ID, name, description)
• Group type (OKTA_GROUP, BUILT_IN, APP_GROUP)
• Profile attributes and custom fields
• Administrative metadata
• Object class and schema information
Group Types:
• OKTA_GROUP - Standard organizational groups
• BUILT_IN - System groups like "Everyone"
• APP_GROUP - Application-specific groups
Common Use Cases:
• Verify group configuration
• Audit group settings and metadata
• Get group details for membership operations
• Compliance and access reviews
• Troubleshoot group-related issues
Parameters | Type | Description |
---|---|---|
group_id | string | The ID of the group to retrieve |
get_okta_policy_rule
Get detailed information about a specific Okta policy rule.
Returns comprehensive rule configuration including:
• Authentication methods and requirements
• Network zone constraints and IP restrictions
• User and group targeting conditions
• Device and platform requirements
• Session management behaviors
• Risk assessment criteria
Rule Details Include:
• Rule identification (ID, name, description)
• Activation status and priority
• Condition expressions and logic
• Action specifications and behaviors
• Administrative metadata
Authentication Rule Information:
• Required MFA factors and methods
• Factor sequencing and fallbacks
• Enrollment requirements
• Verification policies
Network Zone Constraints:
• Allowed/blocked IP ranges
• Geographic restrictions
• Proxy and VPN handling
• Dynamic zone evaluation
Access Control Actions:
• Grant/deny decisions
• Step-up authentication triggers
• Session duration and management
• Redirect behaviors
Risk and Context Factors:
• Device trust requirements
• Location-based rules
• Behavioral analysis integration
• Threat intelligence inputs
Common Use Cases:
• Detailed rule configuration review
• Security policy troubleshooting
• Compliance audit requirements
• Rule modification planning
• Access control verification
Parameters | Type | Description |
---|---|---|
policy_id | string | The ID of the policy that contains the rule |
rule_id | string | The ID of the specific rule to retrieve |
get_okta_user
Get detailed information about a specific Okta user.
Parameters | Type | Description |
---|---|---|
user_id | string | Enter the login of the user to retrieve details for |
list_okta_application_groups
List all groups assigned to a specific Okta application with full pagination.
Returns complete list of all groups assigned to the application including:
• Group information (ID, name, description, type)
• Assignment details and configuration
• Group assignment scope and permissions
• Application-specific group attributes
• Assignment timestamps and metadata
Group Assignment Types:
• Direct assignment - Group explicitly assigned to application
• Inherited assignment - Group assigned via policy or rule
Group Types:
• OKTA_GROUP - Standard Okta group
• APP_GROUP - Application-imported group
• BUILT_IN - Built-in Okta group (Everyone, etc.)
Assignment Scope:
• USER - Group assignment applies to user access
• GROUP - Group assignment for group-level permissions
This tool uses full pagination to return ALL assigned groups, ensuring complete visibility into group-based application access for security reviews and auditing.
Use for application access governance, group assignment reviews, and troubleshooting group-based access issues.
Parameters | Type | Description |
---|---|---|
app_id | string | The ID of the application |
list_okta_application_users
List all users assigned to a specific Okta application with full pagination.
Returns complete list of all users assigned to the application including:
• User profile information (ID, email, name, status)
• Assignment details (scope, credentials, profile)
• Assignment timestamps and metadata
• Application-specific user attributes
• User status within the application context
Assignment Types:
• Direct assignment - User assigned directly to application
• Group assignment - User assigned via group membership
• Rule-based assignment - User assigned via assignment rules
User Assignment Status:
• PROVISIONED - User is provisioned and active in application
• STAGED_FOR_PROVISIONING - User staged for provisioning
• DEPROVISIONED - User removed from application
• SUSPENDED - User temporarily suspended in application
This tool uses full pagination to return ALL assigned users, which may take longer for applications with many users but ensures complete data for compliance and auditing.
Use for application access reviews, user assignment audits, and troubleshooting user access issues.
Parameters | Type | Description |
---|---|---|
app_id | string | The ID of the application |
list_okta_applications
List Okta applications with filtering - limited to 50 apps by default for context efficiency.
IMPORTANT LIMITATION: Returns only first 50 applications by default (max 100) to stay within LLM context limits. Use specific search filters to find the applications you need.
Search Parameter: Uses Okta expression language to filter applications with operators:
• eq (equals), ne (not equals), co (contains), sw (starts with), ew (ends with)
• pr (present), gt (greater than), lt (less than), ge (>=), le (<=)
Common Application Filters:
• profile.name co "Slack" - Applications containing "Slack" in name
• status eq "ACTIVE" - Only active applications
• status eq "INACTIVE" - Only inactive applications
• signOnMode eq "SAML_2_0" - SAML applications only
• signOnMode eq "OPENID_CONNECT" - OIDC applications only
• profile.label sw "Test" - Applications with labels starting with "Test"
• lastUpdated gt "2024-01-01T00:00:00.000Z" - Recently updated applications
Application Sign-On Modes:
• BOOKMARK, BASIC_AUTH, BROWSER_PLUGIN, SECURE_PASSWORD_STORE
• SAML_2_0, WS_FEDERATION, OPENID_CONNECT, AUTO_LOGIN
Examples:
• 'profile.name co "Office"' - Find Office 365 or similar apps
• 'status eq "ACTIVE" and signOnMode eq "SAML_2_0"' - Active SAML apps
• 'profile.label sw "Prod"' - Production environment apps
Use search filters to find specific applications rather than browsing all apps. Returns application details including ID, name, label, status, and sign-on configuration.
Parameters | Type | Description |
---|---|---|
max_results | integer optional | Maximum applications to return (1-100) |
search | string optional | Okta expression to filter applications |
list_okta_group_users
List all users in a specific Okta group with full pagination for complete results.
Returns complete group membership including:
• All users currently in the group
• User profile information
• Membership timestamps and details
• User status and account information
Pagination Handling: This tool automatically handles pagination to return ALL users in the group, not just the first page. For large groups, this ensures complete membership visibility.
User Information Includes:
• Basic user profile (name, email, username)
• User status (ACTIVE, SUSPENDED, etc.)
• User ID for further operations
• Profile attributes relevant to group membership
Group Membership Details:
• Current active memberships only
• No historical membership data
• Real-time membership status
• Direct group membership (not inherited)
Performance Considerations:
• Large groups may take longer to process
• Automatic rate limiting to prevent API throttling
• Progress reporting for long-running operations
• Graceful handling of pagination errors
Common Use Cases:
• Complete group membership audit
• User access reviews and compliance
• Group cleanup and optimization
• Security group verification
• Bulk user operations on group members
Parameters | Type | Description |
---|---|---|
group_id | string | The ID of the group to list users for |
list_okta_groups
List Okta groups with filtering - limited to 50 groups by default for context efficiency.
IMPORTANT LIMITATIONS: Limited to 50 groups by default (max 100) to stay within LLM context limits. Use search filters to find specific groups rather than browsing all groups.
Search Parameters (priority order):
SCIM Filter Syntax (search parameter): Uses SCIM filter expressions for precise group filtering.
Supported Operators:
• eq (equals), ne (not equals), gt (greater than), lt (less than)
• ge (greater than or equal), le (less than or equal)
• sw (starts with), co (contains), pr (present)
• and (logical AND), or (logical OR)
Common Group Profile Fields:
• profile.name - Group name
• profile.description - Group description
• type - Group type (OKTA_GROUP, BUILT_IN, etc.)
• created, lastUpdated, lastMembershipUpdated
• Custom profile attributes
Example SCIM Filters:
• Engineering groups: 'profile.name co "Engineering"'
• Groups starting with Admin: 'profile.name sw "Admin"'
• Multiple departments: 'profile.name co "Engineering" or profile.name co "Sales"'
• Built-in groups: 'type eq "BUILT_IN"'
• Groups with descriptions: 'profile.description pr'
• Recent groups: 'created gt "2024-01-01T00:00:00.000Z"'
Query Parameter: Simple text search that matches against group name. Use when you want broad matching without specific SCIM syntax.
Filter Type Parameter: Basic filtering for type or status. Examples: 'type eq "OKTA_GROUP"'
Group Types:
• OKTA_GROUP - Standard Okta groups
• BUILT_IN - System built-in groups (Everyone, etc.)
• APP_GROUP - Application-specific groups
Common Use Cases:
• Find department or team groups
• Audit security and admin groups
• Locate application-specific groups
• Review group membership structures
• Compliance and access reviews
Parameters | Type | Description |
---|---|---|
filter_type | string optional | Filter type (type, status, etc.) |
max_results | integer optional | Maximum groups to return (1-100). Limited for LLM context window. |
query | string optional | Simple text search matched against group name |
search | string optional | SCIM filter syntax - see docstring for complete syntax |
list_okta_network_zones
List all network zones defined in the Okta organization.
Returns comprehensive network zone information including:
• IP ranges and CIDR blocks
• Dynamic zone definitions and criteria
• Proxy configurations and settings
• Zone status and activation state
• Administrative metadata
Network Zone Types:
• IP - Static IP address ranges and CIDR blocks
• DYNAMIC - Dynamic zones based on location or other criteria
• BLOCKLIST - IP ranges to block or restrict
• POLICY - Policy-specific network constraints
Zone Information Includes:
• Zone identification (ID, name, type)
• IP address ranges and gateway lists
• Proxy and ASN configurations
• Geographic location data
• Usage and application assignments
IP Zone Details:
• Static IP ranges (CIDR notation)
• Gateway IP addresses
• Proxy IP configurations
• ASN (Autonomous System Number) lists
Dynamic Zone Criteria:
• Geographic locations and countries
• ISP and carrier information
• Risk assessment factors
• Behavioral analysis inputs
Zone Status Information:
• ACTIVE - Currently enforced zones
• INACTIVE - Disabled or suspended zones
• Usage statistics and policy assignments
• Last modification timestamps
Filtering Options:
• By zone type (IP, DYNAMIC, etc.)
• By status (ACTIVE, INACTIVE)
• By administrative properties
Common Use Cases:
• Network security policy review
• IP allowlist and blocklist management
• Geographic access control audit
• Compliance and regulatory reporting
• Network zone optimization
Parameters | Type | Description |
---|---|---|
filter_type | string optional | Filter zones by type (IP, DYNAMIC) or status (ACTIVE, INACTIVE) |
list_okta_policy_rules
List all rules for a specific Okta policy.
Returns complete rule information including:
• Rule conditions and criteria
• Authentication requirements and methods
• Network zone constraints and locations
• User and group assignments
• Actions and behaviors
• Priority and status settings
Policy Rule Information:
• Rule names and descriptions
• Activation status (ACTIVE, INACTIVE)
• Priority ordering within policy
• Condition logic and expressions
• Actions taken when rule matches
Common Rule Types:
• Authentication policies (MFA requirements)
• Authorization policies (access controls)
• Password policies (complexity rules)
• Sign-on policies (SSO behaviors)
Rule Conditions Include:
• Network zones and IP ranges
• User and group memberships
• Application context
• Device and platform requirements
• Risk and context factors
Actions and Behaviors:
• MFA factor requirements
• Session management
• Access grants/denials
• Redirections and workflows
Common Use Cases:
• Policy rule audit and review
• Security compliance assessment
• Troubleshoot access issues
• Rule optimization and cleanup
• Access control verification
Parameters | Type | Description |
---|---|---|
policy_id | string | The ID of the policy to list rules for |
list_okta_user_applications
List all application links (assigned applications) for a specific Okta user.
Parameters | Type | Description |
---|---|---|
user_id | string | The ID or login of the user to retrieve applications for |
show_all | boolean optional | If True, shows all app links; if False, only shows app links assigned directly to the user |
list_okta_user_factors
List all authentication factors enrolled for a specific Okta user.
Parameters | Type | Description |
---|---|---|
user_id | string | The ID or login of the user to retrieve authentication factors for |
list_okta_user_groups
List all groups that a specific Okta user belongs to.
Parameters | Type | Description |
---|---|---|
user_id | string | The ID or login of the user to retrieve groups for |
list_okta_users
List Okta users with filtering - returns first 50 users by default due to LLM context limitations.
IMPORTANT: This tool returns only the first 50 users by default (max 100) to stay within LLM context limits. Use specific search filters to find the users you need rather than browsing all users.
search (Recommended, Powerful): Uses flexible SCIM filter syntax for precise filtering. Supports operators: eq, ne, gt, lt, ge, le, sw (starts with), co (contains), pr (present), and, or. Filters on most user properties, including custom attributes, id, status, dates, arrays. Supports sorting (sortBy, sortOrder) - NOTE: Sorting parameters ONLY work with 'search' parameter, not with 'query'.
Examples:
Parameters | Type | Description |
---|---|---|
filter_type | string optional | Filter type (status, type, etc.) |
max_results | integer optional | Maximum users to return (1-100). Limited for LLM context window. |
query | string optional | Simple text search matched against firstName, lastName, or email |
search | string optional | SCIM filter syntax like - profile.firstName eq "Dan" |
sort_by | string optional | Field to sort by (only works with 'search' parameter) |
sort_order | string optional | Sort direction (asc or desc) (only works with 'search' parameter) |
parse_relative_time
Parse natural language time expressions into Okta API-compatible timestamps.
Converts human-readable time expressions into ISO 8601 formatted timestamps with microseconds, suitable for Okta API queries and filtering.
Supported Expressions:
• Relative times: "2 days ago", "1 week ago", "3 months ago"
• Named times: "yesterday", "last week", "last month"
• Precise times: "1 hour ago", "30 minutes ago"
• Period boundaries: "beginning of today", "end of yesterday"
• Week/month boundaries: "start of this week", "end of last month"
Output Format: Returns timestamp in format: YYYY-MM-DDTHH:MM:SS.ffffffZ
Example: 2024-06-21T00:00:00.000000Z
Common Use Cases:
• Log queries: 'since=parse_relative_time("24 hours ago")'
• User filters: 'lastUpdated gt parse_relative_time("1 week ago")'
• Application activity: 'created after parse_relative_time("yesterday")'
• Policy rule conditions with time-based criteria
Perfect for constructing Okta audit queries and date-based filters: Example: filter='eventType eq "user.authentication.auth" and published gt "parsed_timestamp"'
Parameters | Type | Description |
---|---|---|
time_expression | string | Natural language time expression |
{
  "mcpServers": {
    "okta-mcp-fctr": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "OKTA_CLIENT_ORGURL",
        "-e",
        "LOG_LEVEL",
        "-e",
        "OKTA_CONCURRENT_LIMIT",
        "-e",
        "OKTA_API_TOKEN",
        "mcp/okta-mcp-fctr"
      ],
      "env": {
        "OKTA_CLIENT_ORGURL": "https://dev-123456.okta.com",
        "LOG_LEVEL": "INFO",
        "OKTA_CONCURRENT_LIMIT": "15",
        "OKTA_API_TOKEN": "00aBcDeFGhIjkLmNoPqRsTuVwxYz"
      }
    }
  }
}
Manual installation
You can install the MCP server using: