Secure Okta identity and access management via Model Context Protocol (MCP). Access Okta users, groups, applications, logs, and policies through AI assistants with enterprise-grade security.
18 Tools
Version 4.43 or later needs to be installed to add the server automatically
Tools
Name | Description |
---|---|
get_current_time | Get the current date and time in UTC, formatted for Okta API usage. Returns current UTC timestamp in ISO 8601 format with microseconds and Z suffix, suitable for Okta API date parameters and filtering. Buffer Hours: Use buffer_hours to get times in the past (negative) or future (positive): • buffer_hours=0: Current time • buffer_hours=-24: 24 hours ago • buffer_hours=-168: 1 week ago (7*24 hours) • buffer_hours=24: 24 hours from now Output Format: Returns timestamp in format: YYYY-MM-DDTHH:MM:SS.ffffffZ Example: 2024-06-23T14:30:15.123456Z Use Cases: • Log event filtering: since="2024-06-22T00:00:00.000Z" • User creation filters: lastUpdated gt "timestamp" • Application audit queries with time ranges • Policy rule time-based conditions Perfect for constructing Okta API queries that require precise timestamps. |
get_okta_application | Get detailed information about a specific Okta application. Returns comprehensive application details including: • Basic information: name, label, status, description • Sign-on configuration: mode, credentials, authentication settings • User assignment settings and policies • Group assignment configuration • Application-specific settings and features • Provisioning configuration (if applicable) • Application URLs and endpoints • Custom attributes and profile mappings Application Status Values: • ACTIVE - Application is active and available to users • INACTIVE - Application is disabled and not available Sign-On Modes: • SAML_2_0 - SAML 2.0 federation • OPENID_CONNECT - OpenID Connect/OAuth 2.0 • SECURE_PASSWORD_STORE - Password-based with secure storage • AUTO_LOGIN - Automatic login with stored credentials • BOOKMARK - Simple bookmark/link application • BASIC_AUTH - HTTP Basic Authentication • BROWSER_PLUGIN - Browser plugin required • WS_FEDERATION - WS-Federation protocol Use this tool to get complete application configuration details for troubleshooting, auditing, or configuration review purposes. |
get_okta_event_logs | Get Okta system log events with comprehensive filtering and full pagination for complete audit trails. Returns detailed log events from Okta system logs including authentication, user management, application access, policy changes, and administrative actions with complete audit information. Time Parameters: • since - Start time in ISO 8601 format: "2024-06-01T00:00:00.000Z" • until - End time in ISO 8601 format: "2024-06-23T23:59:59.999Z" • Use datetime tools to generate proper timestamps: parse_relative_time("24 hours ago") Filter Parameter: Uses Okta expression language for precise event filtering: • eventType eq "user.authentication.auth" - Authentication events • eventType eq "user.lifecycle.create" - User creation events • eventType eq "user.lifecycle.activate" - User activation events • eventType eq "user.lifecycle.suspend" - User suspension events • eventType eq "application.lifecycle.create" - App creation events • outcome.result eq "SUCCESS" - Successful events only • outcome.result eq "FAILURE" - Failed events only • actor.id eq "user_id" - Events by specific user • target.id eq "target_id" - Events targeting specific resource Common Event Types: • user.authentication.auth - User login attempts • user.authentication.sso - SSO authentication • user.session.start - Session initiation • user.session.end - Session termination • user.lifecycle.create - User creation • user.lifecycle.activate - User activation • user.lifecycle.suspend - User suspension • user.lifecycle.unsuspend - User reactivation • user.lifecycle.deactivate - User deactivation • application.user_membership.add - App assignment • application.user_membership.remove - App removal • group.user_membership.add - Group membership addition • group.user_membership.remove - Group membership removal • policy.lifecycle.create - Policy creation • policy.lifecycle.update - Policy modification Search Parameter: Free-text search across event data: • Search for usernames, email addresses, application names • Search for IP addresses, client information • Search for error messages or specific text in events Sort Order: • DESCENDING - Most recent events first (default) • ASCENDING - Oldest events first Example Filters: • Authentication failures: 'eventType eq "user.authentication.auth" and outcome.result eq "FAILURE"' • User lifecycle changes: 'eventType sw "user.lifecycle"' • Application events: 'eventType sw "application"' • Admin actions: 'actor.type eq "User" and eventType sw "policy"' • Specific user activity: 'actor.alternateId eq "user@company.com"' This tool uses full pagination to return complete audit trails for compliance, security analysis, and forensic investigation purposes. Use for security monitoring, compliance auditing, troubleshooting authentication issues, and comprehensive log analysis. |
get_okta_group | Get detailed information about a specific Okta group. Returns comprehensive group information including: • Group profile (name, description, custom attributes) • Group type and classification • Membership statistics • Creation and modification timestamps • Group settings and configuration Group Information Includes: • Basic details (ID, name, description) • Group type (OKTA_GROUP, BUILT_IN, APP_GROUP) • Profile attributes and custom fields • Administrative metadata • Object class and schema information Group Types: • OKTA_GROUP - Standard organizational groups • BUILT_IN - System groups like "Everyone" • APP_GROUP - Application-specific groups Common Use Cases: • Verify group configuration • Audit group settings and metadata • Get group details for membership operations • Compliance and access reviews • Troubleshoot group-related issues |
get_okta_policy_rule | Get detailed information about a specific Okta policy rule. Returns comprehensive rule configuration including: • Authentication methods and requirements • Network zone constraints and IP restrictions • User and group targeting conditions • Device and platform requirements • Session management behaviors • Risk assessment criteria Rule Details Include: • Rule identification (ID, name, description) • Activation status and priority • Condition expressions and logic • Action specifications and behaviors • Administrative metadata Authentication Rule Information: • Required MFA factors and methods • Factor sequencing and fallbacks • Enrollment requirements • Verification policies Network Zone Constraints: • Allowed/blocked IP ranges • Geographic restrictions • Proxy and VPN handling • Dynamic zone evaluation Access Control Actions: • Grant/deny decisions • Step-up authentication triggers • Session duration and management • Redirect behaviors Risk and Context Factors: • Device trust requirements • Location-based rules • Behavioral analysis integration • Threat intelligence inputs Common Use Cases: • Detailed rule configuration review • Security policy troubleshooting • Compliance audit requirements • Rule modification planning • Access control verification |
get_okta_user | Get detailed information about a specific Okta user. |
list_okta_application_groups | List all groups assigned to a specific Okta application with full pagination. Returns complete list of all groups assigned to the application including: • Group information (ID, name, description, type) • Assignment details and configuration • Group assignment scope and permissions • Application-specific group attributes • Assignment timestamps and metadata Group Assignment Types: • Direct assignment - Group explicitly assigned to application • Inherited assignment - Group assigned via policy or rule Group Types: • OKTA_GROUP - Standard Okta group • APP_GROUP - Application-imported group • BUILT_IN - Built-in Okta group (Everyone, etc.) Assignment Scope: • USER - Group assignment applies to user access • GROUP - Group assignment for group-level permissions This tool uses full pagination to return ALL assigned groups, ensuring complete visibility into group-based application access for security reviews and auditing. Use for application access governance, group assignment reviews, and troubleshooting group-based access issues. |
list_okta_application_users | List all users assigned to a specific Okta application with full pagination. Returns complete list of all users assigned to the application including: • User profile information (ID, email, name, status) • Assignment details (scope, credentials, profile) • Assignment timestamps and metadata • Application-specific user attributes • User status within the application context Assignment Types: • Direct assignment - User assigned directly to application • Group assignment - User assigned via group membership • Rule-based assignment - User assigned via assignment rules User Assignment Status: • PROVISIONED - User is provisioned and active in application • STAGED_FOR_PROVISIONING - User staged for provisioning • DEPROVISIONED - User removed from application • SUSPENDED - User temporarily suspended in application This tool uses full pagination to return ALL assigned users, which may take longer for applications with many users but ensures complete data for compliance and auditing. Use for application access reviews, user assignment audits, and troubleshooting user access issues. |
list_okta_applications | List Okta applications with filtering - limited to 50 apps by default for context efficiency. IMPORTANT LIMITATION: Returns only first 50 applications by default (max 100) to stay within LLM context limits. Use specific search filters to find the applications you need. Search Parameter: Uses Okta expression language to filter applications with operators: • eq (equals), ne (not equals), co (contains), sw (starts with), ew (ends with) • pr (present), gt (greater than), lt (less than), ge (>=), le (<=) Common Application Filters: • profile.name co "Slack" - Applications containing "Slack" in name • status eq "ACTIVE" - Only active applications • status eq "INACTIVE" - Only inactive applications • signOnMode eq "SAML_2_0" - SAML applications only • signOnMode eq "OPENID_CONNECT" - OIDC applications only • profile.label sw "Test" - Applications with labels starting with "Test" • lastUpdated gt "2024-01-01T00:00:00.000Z" - Recently updated applications Application Sign-On Modes: • BOOKMARK, BASIC_AUTH, BROWSER_PLUGIN, SECURE_PASSWORD_STORE • SAML_2_0, WS_FEDERATION, OPENID_CONNECT, AUTO_LOGIN Examples: • 'profile.name co "Office"' - Find Office 365 or similar apps • 'status eq "ACTIVE" and signOnMode eq "SAML_2_0"' - Active SAML apps • 'profile.label sw "Prod"' - Production environment apps Use search filters to find specific applications rather than browsing all apps. Returns application details including ID, name, label, status, and sign-on configuration. |
list_okta_group_users | List all users in a specific Okta group with full pagination for complete results. Returns complete group membership including: • All users currently in the group • User profile information • Membership timestamps and details • User status and account information Pagination Handling: This tool automatically handles pagination to return ALL users in the group, not just the first page. For large groups, this ensures complete membership visibility. User Information Includes: • Basic user profile (name, email, username) • User status (ACTIVE, SUSPENDED, etc.) • User ID for further operations • Profile attributes relevant to group membership Group Membership Details: • Current active memberships only • No historical membership data • Real-time membership status • Direct group membership (not inherited) Performance Considerations: • Large groups may take longer to process • Automatic rate limiting to prevent API throttling • Progress reporting for long-running operations • Graceful handling of pagination errors Common Use Cases: • Complete group membership audit • User access reviews and compliance • Group cleanup and optimization • Security group verification • Bulk user operations on group members |
list_okta_groups | List Okta groups with filtering - limited to 50 groups by default for context efficiency. IMPORTANT LIMITATIONS: Limited to 50 groups by default (max 100) to stay within LLM context limits. Use search filters to find specific groups rather than browsing all groups. Search Parameters (priority order): 1. search - SCIM filter syntax (recommended for precise filtering) 2. query - Simple text search against group name 3. filter_type - Basic type/status filtering SCIM Filter Syntax (search parameter): Uses SCIM filter expressions for precise group filtering. Supported Operators: • eq (equals), ne (not equals), gt (greater than), lt (less than) • ge (greater than or equal), le (less than or equal) • sw (starts with), co (contains), pr (present) • and (logical AND), or (logical OR) Common Group Profile Fields: • profile.name - Group name • profile.description - Group description • type - Group type (OKTA_GROUP, BUILT_IN, etc.) • created, lastUpdated, lastMembershipUpdated • Custom profile attributes Example SCIM Filters: • Engineering groups: 'profile.name co "Engineering"' • Groups starting with Admin: 'profile.name sw "Admin"' • Multiple departments: 'profile.name co "Engineering" or profile.name co "Sales"' • Built-in groups: 'type eq "BUILT_IN"' • Groups with descriptions: 'profile.description pr' • Recent groups: 'created gt "2024-01-01T00:00:00.000Z"' Query Parameter: Simple text search that matches against group name. Use when you want broad matching without specific SCIM syntax. Filter Type Parameter: Basic filtering for type or status. Examples: 'type eq "OKTA_GROUP"' Group Types: • OKTA_GROUP - Standard Okta groups • BUILT_IN - System built-in groups (Everyone, etc.) • APP_GROUP - Application-specific groups Common Use Cases: • Find department or team groups • Audit security and admin groups • Locate application-specific groups • Review group membership structures • Compliance and access reviews |
list_okta_network_zones | List all network zones defined in the Okta organization. Returns comprehensive network zone information including: • IP ranges and CIDR blocks • Dynamic zone definitions and criteria • Proxy configurations and settings • Zone status and activation state • Administrative metadata Network Zone Types: • IP - Static IP address ranges and CIDR blocks • DYNAMIC - Dynamic zones based on location or other criteria • BLOCKLIST - IP ranges to block or restrict • POLICY - Policy-specific network constraints Zone Information Includes: • Zone identification (ID, name, type) • IP address ranges and gateway lists • Proxy and ASN configurations • Geographic location data • Usage and application assignments IP Zone Details: • Static IP ranges (CIDR notation) • Gateway IP addresses • Proxy IP configurations • ASN (Autonomous System Number) lists Dynamic Zone Criteria: • Geographic locations and countries • ISP and carrier information • Risk assessment factors • Behavioral analysis inputs Zone Status Information: • ACTIVE - Currently enforced zones • INACTIVE - Disabled or suspended zones • Usage statistics and policy assignments • Last modification timestamps Filtering Options: • By zone type (IP, DYNAMIC, etc.) • By status (ACTIVE, INACTIVE) • By administrative properties Common Use Cases: • Network security policy review • IP allowlist and blocklist management • Geographic access control audit • Compliance and regulatory reporting • Network zone optimization |
list_okta_policy_rules | List all rules for a specific Okta policy. Returns complete rule information including: • Rule conditions and criteria • Authentication requirements and methods • Network zone constraints and locations • User and group assignments • Actions and behaviors • Priority and status settings Policy Rule Information: • Rule names and descriptions • Activation status (ACTIVE, INACTIVE) • Priority ordering within policy • Condition logic and expressions • Actions taken when rule matches Common Rule Types: • Authentication policies (MFA requirements) • Authorization policies (access controls) • Password policies (complexity rules) • Sign-on policies (SSO behaviors) Rule Conditions Include: • Network zones and IP ranges • User and group memberships • Application context • Device and platform requirements • Risk and context factors Actions and Behaviors: • MFA factor requirements • Session management • Access grants/denials • Redirections and workflows Common Use Cases: • Policy rule audit and review • Security compliance assessment • Troubleshoot access issues • Rule optimization and cleanup • Access control verification |
list_okta_user_applications | List all application links (assigned applications) for a specific Okta user. |
list_okta_user_factors | List all authentication factors enrolled for a specific Okta user. |
list_okta_user_groups | List all groups that a specific Okta user belongs to. |
list_okta_users | List Okta users with filtering - returns first 50 users by default due to LLM context limitations. IMPORTANT: This tool returns only the first 50 users by default (max 100) to stay within LLM context limits. Use specific search filters to find the users you need rather than browsing all users. search (Recommended, Powerful): Uses flexible SCIM filter syntax for precise filtering. Supports operators: eq, ne, gt, lt, ge, le, sw (starts with), co (contains), pr (present), and, or. Filters on most user properties, including custom attributes, id, status, dates, arrays. Supports sorting (sortBy, sortOrder) - NOTE: Sorting parameters ONLY work with 'search' parameter, not with 'query'. Examples: - Active engineering users: search='profile.department eq "Engineering" and status eq "ACTIVE"' - Users with first name starting with A: search='profile.firstName sw "A"' - Users in SF or London: search='profile.city eq "San Francisco" or profile.city eq "London"' - Sorted results: search='status eq "ACTIVE"', sort_by='profile.lastName', sort_order='asc' - Custom attribute search: search='profile.employeeNumber eq "12345"' |
parse_relative_time | Parse natural language time expressions into Okta API-compatible timestamps. Converts human-readable time expressions into ISO 8601 formatted timestamps with microseconds, suitable for Okta API queries and filtering. Supported Expressions: • Relative times: "2 days ago", "1 week ago", "3 months ago" • Named times: "yesterday", "last week", "last month" • Precise times: "1 hour ago", "30 minutes ago" • Period boundaries: "beginning of today", "end of yesterday" • Week/month boundaries: "start of this week", "end of last month" Output Format: Returns timestamp in format: YYYY-MM-DDTHH:MM:SS.ffffffZ Example: 2024-06-21T00:00:00.000000Z Common Use Cases: • Log queries: 'since=parse_relative_time("24 hours ago")' • User filters: 'lastUpdated gt parse_relative_time("1 week ago")' • Application activity: 'created after parse_relative_time("yesterday")' • Policy rule conditions with time-based criteria Perfect for constructing Okta audit queries and date-based filters: Example: filter='eventType eq "user.authentication.auth" and published gt "parsed_timestamp"' |