Okta

What is Okta MCP Server?

Okta MCP Server is a tool that integrates with Claude to manage Okta users and groups. It allows for automation of user onboarding and provides a programmatic interface to Okta's identity management functionalities.

How to use Okta MCP Server?

To use Okta MCP Server, you need Node.js (v16 or higher), Claude Desktop App, and an Okta Developer Account with an Admin API Token. The setup involves creating an Okta Developer Account, generating an API Token, installing project dependencies (npm install), and configuring Claude Desktop to point to the server's index.js file with the necessary OKTA_ORG_URL and OKTA_API_TOKEN environment variables.

Key Features of Okta MCP Server

User Management

• get_user: Retrieve detailed user information (ID, Status, Account Dates, Personal Info, Employment, Contact, Address, Preferences).
• list_users: List users with filtering (SCIM expressions), free-form text search, sorting, and pagination.
• activate_user: Activate a user with an option to send an activation email.
• suspend_user: Suspend a user.
• unsuspend_user: Unsuspend a user.
• delete_user: Delete a user (requires prior deactivation).
• get_user_last_location: Retrieve last known location and login info from Okta system logs.

Group Management

• list_groups: List user groups with filtering, free-form text search, sorting, and pagination.
• create_group: Create a new group with name and optional description.
• get_group: Retrieve detailed information about a specific group.
• delete_group: Delete a group.
• assign_user_to_group: Assign a user to a group.
• remove_user_from_group: Remove a user from a group.
• list_group_users: List all users in a specific group with pagination.

Onboarding Automation (Experimental)

• bulk_user_import: Import multiple users from a CSV string with optional activation, email notifications, and default group assignment.
• assign_users_to_groups: Assign multiple users to groups based on attribute mappings.
• provision_applications: Provision application access for multiple users.
• run_onboarding_workflow: Run a complete onboarding workflow from CSV data, including user import, activation, group assignment, application provisioning, and welcome email configuration.

Use Cases of Okta MCP Server

• Automated User Provisioning: Automatically create and configure user accounts in Okta based on external data sources.
• Bulk User Management: Perform mass operations like activating, suspending, or deleting users.
• Streamlined Group Management: Efficiently manage user groups, including creation, deletion, and user assignments.
• Onboarding Workflows: Implement comprehensive onboarding processes for new hires, including user creation, group assignments, and application provisioning.
• Reporting and Auditing: Retrieve user and group information for reporting or auditing purposes.

FAQ about Okta MCP Server

Q: Tools not appearing in Claude? A: Check Claude Desktop logs (~/Library/Logs/Claude/mcp*.log), verify environment variables, and ensure the path to index.js is absolute and correct.

Q: Authentication Errors? A: Verify your API token is valid, ensure OKTA_ORG_URL includes https://, and confirm your Okta domain is correct.

Q: Server Connection Issues? A: Check if the server built successfully, verify file permissions on build/index.js (should be 755), and try running the server directly (node /path/to/build/index.js).

Q: How to view server logs? A: For MacOS/Linux, use tail -n 20 -f ~/Library/Logs/Claude/mcp*.log. For Windows, use Get-Content -Path "$env:AppData\Claude\Logs\mcp*.log" -Wait -Tail 20.

Q: What environment variables are required? A: OKTA_ORG_URL (e.g., "https://dev-123456.okta.com") and OKTA_API_TOKEN (a valid API token).

Q: What is the CSV format for onboarding? A: The CSV should include firstName (required), lastName (required), email (required), and optional fields like department, title, and mobilePhone.

Q: What are the security considerations? A: Keep your API token secure, do not commit credentials to version control, use environment variables for sensitive data, regularly rotate API tokens, monitor API usage, implement rate limiting, and use minimum required permissions for API token.

Okta MCP Server

This MCP server enables Claude to interact with Okta's user management system, providing comprehensive user and group management capabilities along with onboarding automation.

Prerequisites

• Node.js (v16 or higher)
• Claude Desktop App
• Okta Developer Account
• Admin API Token from Okta

Setup Instructions

1. Create an Okta Developer Account

• Go to the Okta Developer Console
• Create a new account or sign in to an existing one
• Note your Okta domain (e.g., dev-123456.okta.com)

2. Create an API Token

• In the Okta Developer Console, go to Security > API > Tokens
• Click "Create Token"
• Give your token a meaningful name (e.g., "MCP Server Token")
• Copy the token value (you won't be able to see it again)

3. Initial Project Setup

Install dependencies:

npm install

4. Configure Claude Desktop

Open your Claude Desktop configuration file:

For MacOS:

code ~/Library/Application\ Support/Claude/claude_desktop_config.json

For Windows:

code %AppData%\Claude\claude_desktop_config.json

Add or update the configuration:

{
    "mcpServers": {
        "okta": {
            "command": "node",
            "args": [
                "PATH_TO_PROJECT_DIRECTORY/dist/index.js"
            ],
            "env": {
                "OKTA_ORG_URL": "https://your-domain.okta.com",
                "OKTA_API_TOKEN": "your-api-token"
            }
        }
    }
}

Save the file and restart Claude Desktop.

Available Tools

The server provides the following tools:

User Management

get_user

Retrieves detailed user information from Okta, including:

• User Details (ID, Status)
• Account Dates (Created, Activated, Last Login, etc.)
• Personal Information (Name, Email)
• Employment Details
• Contact Information
• Address
• Preferences

list_users

Lists users from Okta with optional filtering and pagination:

• Supports SCIM filter expressions (e.g., 'profile.firstName eq "John"')
• Free-form text search across multiple fields
• Sorting options (by status, creation date, etc.)
• Pagination support with customizable limits

activate_user

Activates a user in Okta:

• Option to send activation email
• Updates user status to active

suspend_user

Suspends a user in Okta

unsuspend_user

Unsuspends a previously suspended user in Okta

delete_user

Deletes a user from Okta (note: user must be deactivated first)

get_user_last_location

Retrieves the last known location and login information for a user from Okta system logs

Group Management

list_groups

Lists user groups from Okta with optional filtering and pagination:

• Filter expressions for groups (e.g., 'type eq "OKTA_GROUP"')
• Free-form text search across group fields
• Sorting options (by name, type, etc.)
• Pagination support with customizable limits

create_group

Creates a new group in Okta with a name and optional description

get_group

Retrieves detailed information about a specific group

delete_group

Deletes a group from Okta

assign_user_to_group

Assigns a user to a group in Okta

remove_user_from_group

Removes a user from a group in Okta

list_group_users

Lists all users in a specific group with pagination support

Onboarding Automation (Experimental)

Note: The onboarding automation tools are experimental and may be subject to changes or limitations based on Okta's API constraints. Use with caution in production environments.

bulk_user_import

Imports multiple users from a CSV string:

• Creates user accounts based on CSV data
• Optional activation of users
• Optional email notifications
• Assignment to default groups

assign_users_to_groups

Assigns multiple users to groups based on attribute mappings:

• Maps user attributes (department, title, etc.) to specific groups
• Bulk assignment of users based on attributes

provision_applications

Provisions application access for multiple users:

• Assigns users to applications
• Supports bulk provisioning

run_onboarding_workflow

Runs a complete onboarding workflow for multiple users from CSV data:

• User import from CSV
• Automatic activation
• Group assignment based on attributes
• Application provisioning
• Welcome email configuration

Example Usage in Claude

After setup, you can use commands like:

User Management

• "Show me details for user with userId XXXX"
• "What's the status of user john.doe@company.com"
• "When was the last login for user jane.smith@organization.com"
• "List all users in the marketing department"
• "Find users created in the last month"
• "Activate user with ID XXXX"
• "Suspend user with ID XXXX"
• "Delete deactivated user with ID XXXX"
• "Where did user XXXX last log in from?"

Group Management

• "Show me all groups in my Okta organization"
• "List groups containing the word 'admin'"
• "Create a new group called 'Marketing Team'"
• "Get details for group with ID XXXX"
• "Delete group with ID XXXX"
• "Add user XXXX to group YYYY"
• "Remove user XXXX from group YYYY"
• "List all users in the 'Finance' group"

Onboarding Automation

• "Import these users from CSV data: [CSV content]"
• "Assign users to groups based on their department attribute"
• "Provision application access for these 5 users"
• "Run a complete onboarding workflow for these new hires: [CSV content]"

Error Handling

The server includes robust error handling for:

• User or group not found (404 errors)
• API authentication issues
• Missing or invalid user profiles
• General API errors
• CSV parsing issues
• User attribute mapping failures
• Application provisioning errors

Troubleshooting

Common Issues

Tools not appearing in Claude:

• Check Claude Desktop logs: tail -f ~/Library/Logs/Claude/mcp*.log
• Verify all environment variables are set correctly
• Ensure the path to index.js is absolute and correct

Authentication Errors:

• Verify your API token is valid
• Check if OKTA_ORG_URL includes the full URL with https://
• Ensure your Okta domain is correct

Server Connection Issues:

• Check if the server built successfully
• Verify file permissions on build/index.js (should be 755)
• Try running the server directly: node /path/to/build/index.js

Viewing Logs

To view server logs:

For MacOS/Linux:

tail -n 20 -f ~/Library/Logs/Claude/mcp*.log

For Windows:

Get-Content -Path "$env:AppData\Claude\Logs\mcp*.log" -Wait -Tail 20

Environment Variables

If you're getting environment variable errors, verify:

• OKTA_ORG_URL: Should be complete URL (e.g., "https://dev-123456.okta.com")
• OKTA_API_TOKEN: Should be a valid API token

Security Considerations

• Keep your API token secure
• Don't commit credentials to version control
• Use environment variables for sensitive data
• Regularly rotate API tokens
• Monitor API usage in Okta Admin Console
• Implement rate limiting for API calls
• Use minimum required permissions for API token

Types

The server includes TypeScript interfaces for Okta user and group data:

interface OktaUserProfile {
  login: string;
  email: string;
  secondEmail?: string;
  firstName: string;
  lastName: string;
  displayName: string;
  nickName?: string;
  organization: string;
  title: string;
  division: string;
  department: string;
  employeeNumber: string;
  userType: string;
  costCenter: string;
  mobilePhone?: string;
  primaryPhone?: string;
  streetAddress: string;
  city: string;
  state: string;
  zipCode: string;
  countryCode: string;
  preferredLanguage: string;
  profileUrl?: string;
}

interface OktaUser {
  id: string;
  status: string;
  created: string;
  activated: string;
  lastLogin: string;
  lastUpdated: string;
  statusChanged: string;
  passwordChanged: string;
  profile: OktaUserProfile;
}

interface OktaGroup {
  id: string;
  created: string;
  lastUpdated: string;
  lastMembershipUpdated: string;
  type: string;
  objectClass: string[];
  profile: {
    name: string;
    description: string;
  };
}

CSV Format for Onboarding

When using the bulk import or onboarding workflow tools, your CSV should include these headers:

• firstName (required)
• lastName (required)
• email (required)
• department (optional)
• title (optional)
• mobilePhone (optional)

Example:

firstName,lastName,email,department,title,mobilePhone
John,Doe,john.doe@example.com,Engineering,Senior Developer,+1-555-123-4567
Jane,Smith,jane.smith@example.com,Marketing,Director,+1-555-987-6543

License

MIT License - See LICENSE file for details.

Support

If you encounter any issues:

• Check the troubleshooting section above
• Review Claude Desktop logs
• Examine the server's error output
• Check Okta's developer documentation

Note: PRs welcome!