

# Okta connector for Amazon AppFlow

Okta is an identity and access management solution. If you're an Okta user, your account contains data about your Okta objects, such as your users, groups, devices, and applications. You can use Amazon AppFlow to transfer data from Okta to certain AWS services or other supported applications.

## Amazon AppFlow support for Okta


Amazon AppFlow supports Okta as follows.

**Supported as a data source?**  
Yes. You can use Amazon AppFlow to transfer data from Okta.

**Supported as a data destination?**  
No. You can't use Amazon AppFlow to transfer data to Okta.

## Before you begin


To use Amazon AppFlow to transfer data from Okta to supported destinations, you must meet these requirements:
+ You have an account with Okta that contains the data that you want to transfer. For more information about the Okta data objects that Amazon AppFlow supports, see [Supported objects](#okta-objects).
+ In your account, you've created either of the following resources for Amazon AppFlow. These resources provide credentials that Amazon AppFlow uses to access your data securely when it makes authenticated calls to your account.
  + An OIDC app integration to support OAuth 2.0 authentication. For the steps to create an app integration, see [Create OIDC app integrations](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm) in the Okta Help Center.
  + An API token. For the steps to create one, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/main/) in the Okta Help Center.
+ If you created an OIDC app integration, you've configured it with the following settings:
  + The application type is *Web Application*.
  + The activated grant types include *Authorization Code* and *Refresh Token*.
  + The sign-in redirect URIs include one or more URLs for Amazon AppFlow.

    Redirect URLs have the following format:

    ```
    https://region.console.aws.amazon.com/appflow/oauth
    ```

    In this URL, *region* is the code for the AWS Region where you use Amazon AppFlow to transfer data from Okta. For example, the code for the US East (N. Virginia) Region is `us-east-1`. For that Region, the URL is the following:

    ```
    https://us-east-1.console.aws.amazon.com/appflow/oauth
    ```

    For the AWS Regions that Amazon AppFlow supports, and their codes, see [Amazon AppFlow endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/appflow.html) in the *AWS General Reference.*
  + The following scopes are permitted:
    + `okta.apps.read`
    + `okta.devices.read`
    + `okta.groups.read`
    + `okta.users.read`
    + `okta.userTypes.read`

If you created an OIDC app integration, note the client ID and client secret. If you created an API token, note the token value. You provide these values to Amazon AppFlow when you connect to your Okta account.
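The OIDC app integration requirements above can be checked automatically before you connect. The following Python check is an added example, not AWS or Okta code: the dictionary keys and the `SAMPLE` settings are constructed for illustration, and the findings for extra redirect URIs and extra scopes are least-privilege checks added here rather than requirements stated on this page.

```python
import re
from urllib.parse import urlsplit

# Requirements from the prerequisites list; the dict keys used are hypothetical.
REQUIRED_GRANTS = {"Authorization Code", "Refresh Token"}
REQUIRED_SCOPES = {"okta.apps.read", "okta.devices.read", "okta.groups.read",
                   "okta.users.read", "okta.userTypes.read"}
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")  # e.g. us-east-1
SUFFIX = ".console.aws.amazon.com"

def appflow_redirect_uri(region):
    """Build the AppFlow sign-in redirect URI for an AWS Region code."""
    if not REGION_RE.fullmatch(region):
        raise ValueError(f"not an AWS Region code: {region!r}")
    return f"https://{region}{SUFFIX}/appflow/oauth"

def is_appflow_redirect(uri):
    """True only for https://<region>.console.aws.amazon.com/appflow/oauth."""
    p = urlsplit(uri)
    host = p.hostname or ""
    # netloc == host rejects userinfo, ports and mixed-case hosts.
    return (p.scheme == "https" and p.netloc == host and host.endswith(SUFFIX)
            and REGION_RE.fullmatch(host[:-len(SUFFIX)]) is not None
            and p.path == "/appflow/oauth" and not p.query and not p.fragment)

def check_integration(cfg, regions):
    """Return a list of findings; an empty list means the settings match."""
    findings = []
    if cfg["application_type"] != "Web Application":
        findings.append("application type must be Web Application")
    for grant in sorted(REQUIRED_GRANTS - set(cfg["grant_types"])):
        findings.append(f"missing grant type: {grant}")
    for region in regions:
        if appflow_redirect_uri(region) not in cfg["redirect_uris"]:
            findings.append(f"missing redirect URI for {region}")
    for uri in cfg["redirect_uris"]:
        if not is_appflow_redirect(uri):
            findings.append(f"redirect URI is not an AppFlow URL: {uri}")
    for scope in sorted(REQUIRED_SCOPES - set(cfg["scopes"])):
        findings.append(f"missing scope: {scope}")
    for scope in sorted(set(cfg["scopes"]) - REQUIRED_SCOPES):
        findings.append(f"scope beyond what AppFlow needs: {scope}")
    return findings

# Constructed sample: a missing grant, a look-alike host, and one extra scope.
SAMPLE = {
    "application_type": "Web Application", "grant_types": ["Authorization Code"],
    "redirect_uris": [f"https://us-east-1{SUFFIX}/appflow/oauth",
                      f"https://us-east-1{SUFFIX}.example.net/appflow/oauth"],
    "scopes": sorted(REQUIRED_SCOPES) + ["okta.users.manage"],
}
```

Calling `check_integration(SAMPLE, ["us-east-1"])` returns one finding each for the missing *Refresh Token* grant, the look-alike redirect host, and the extra scope.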

## Connecting Amazon AppFlow to your Okta account

To connect Amazon AppFlow to your Okta account, provide the client credentials from your app integration, or provide an API token. If you haven't yet configured your Okta account for Amazon AppFlow integration, see [Before you begin](#okta-prereqs).

**To connect to Okta**

1. Sign in to the AWS Management Console and open the Amazon AppFlow console at [https://console.aws.amazon.com/appflow/](https://console.aws.amazon.com/appflow/).

1. In the navigation pane on the left, choose **Connections**.

1. On the **Manage connections** page, for **Connectors**, choose **Okta**.

1. Choose **Create connection**.

1. In the **Connect to Okta** window, for **Select authentication type**, choose how to authenticate Amazon AppFlow with your Okta account when it requests to access your data:
   + Choose **OAuth2** to authenticate Amazon AppFlow with the client credentials from an OIDC app integration. Then, specify the following:
     + **Authorization tokens URL** and **Authorization code URL** – For each of these fields, do the following: 

       1. Choose the format of your Okta Org URL. For more information, see [Org URLs](https://developer.okta.com/docs/concepts/okta-organizations/#org-urls) in the Okta Developer documentation.

       1. Enter your Okta subdomain. For the steps to look up your subdomain, see [Find your Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/) in the Okta Developer documentation.
     + **Client ID** – The client ID from your app integration.
     + **Client secret** – The client secret from your app integration.
   + Choose **Okta_API_Token** to authenticate Amazon AppFlow with an API token. Then, enter the token value for **Okta API Token**.

1. For **Your Okta Domain URL**, enter your domain URL, such as ***my-domain*.okta.com**. For the steps to find your domain, see [Find your Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/) in the Okta Developer documentation.

1. Optionally, under **Data encryption**, choose **Customize encryption settings (advanced)** if you want to encrypt your data with a customer managed key in the AWS Key Management Service (AWS KMS).

   By default, Amazon AppFlow encrypts your data with a KMS key that AWS creates, uses, and manages for you. Choose this option if you want to encrypt your data with your own KMS key instead.

   Amazon AppFlow always encrypts your data during transit and at rest. For more information, see [Data protection in Amazon AppFlow](data-protection.md).

   If you want to use a KMS key from the current AWS account, select this key under **Choose an AWS KMS key**. If you want to use a KMS key from a different AWS account, enter the Amazon Resource Name (ARN) for that key.

1. For **Connection name**, enter a name for your connection.

1. Choose **Continue**.

1. In the window that appears, sign in to your Okta account, and grant access to Amazon AppFlow.

On the **Manage connections** page, your new connection appears in the **Connections** table. When you create a flow that uses Okta as the data source, you can select this connection.

## Transferring data from Okta with a flow



To transfer data from Okta, create an Amazon AppFlow flow, and choose Okta as the data source. For the steps to create a flow, see [Creating flows in Amazon AppFlow](create-flow.md).

When you configure the flow, choose the data object that you want to transfer. For the objects that Amazon AppFlow supports for Okta, see [Supported objects](#okta-objects).

Also, choose the destination where you want to transfer the data object that you selected. For more information about how to configure your destination, see [Supported destinations](#okta-destinations).

## Supported destinations


When you create a flow that uses Okta as the data source, you can set the destination to any of the following connectors: 
+ [Amazon Lookout for Metrics](lookout.md)
+ [Amazon Redshift](redshift.md)
+ [Amazon RDS for PostgreSQL](connectors-amazon-rds-postgres-sql.md)
+ [Amazon S3](s3.md)
+ [HubSpot](connectors-hubspot.md)
+ [Marketo](marketo.md)
+ [Salesforce](salesforce.md)
+ [SAP OData](sapodata.md)
+ [Snowflake](snowflake.md)
+ [Upsolver](upsolver.md)
+ [Zendesk](zendesk.md)
+ [Zoho CRM](connectors-zoho-crm.md)

## Supported objects


When you create a flow that uses Okta as the data source, you can transfer any of the following data objects to supported destinations:

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appflow/latest/userguide/connectors-okta.html)