Question


Do you ever have any reason to log in to your users' accounts? Due to the way some of my integrations work, I need to always have a personal copy of certain apps in Okta for everyone's accounts when I need to make a change in the integration.

How do you guys handle logging into individual users' accounts if you set up the app so the user has to input their password? When the user is able to input their password to an app, the admin does not have any way to see this password. Instead of asking my user for their account password, I'd have to keep resetting their password and telling my user to update their Okta credentials when I do that. I can just have all apps be set by the admin and block them from ever seeing passwords, but this takes away some individuality from my users and I'd have an influx of password request/password update tickets.

I like to be able to launch new SaaS apps to my users by creating their account for them and releasing it in Okta. Unfortunately, this also means I need to have constant access to their email so I can accept their confirmation email. I can have users make their own accounts but I choose to set up their new account and default environment for them so they can get started using the SaaS app immediately.

It's currently my biggest hurdle in handling SaaS apps since my method is definitely not scalable, especially when I need to make individual Zapier connections for a specific app in everyone's account. Like, one of my apps I need to link through email but the only way to link is if I log into their account. This limitation is definitely due to our selected software, but I'm wondering if there's a way in Okta to make it easier for admins to log into basically any app.

Anybody face a similar situation? How have you handled it in your infrastructure?




Which apps? E.g., G Suite offers impersonation.


I was about to ask which apps — I’ve never had to face this situation.


For the confirmation email that you have to accept: who is that coming from? When I set up apps within Okta and assign people to those apps, they never get a confirmation of assignment.


We use some lesser-known apps that don't fully integrate with Okta. From my experience, I have to confirm emails for any app I need to add as a SWA into Okta. Apps like Toodledo, Actionstep, and Ubity.

@marquesstewart To clarify, I was talking about the confirmation emails needed to create the account.

I should clarify that when I deploy apps for the users I go through the whole shebang of registering the account for them as well as adding it into Okta. Now that I think about it, the reason why I might have the problems is precisely because I have to set everyone up individually.

@mlynch Do you ever have to set up individual account integrations through Zapier? This is usually when I run into trouble. I'd have to request a login reset of the user's account and provide them with a new password.


That's very interesting. Do the platforms you use have a tier where accounts can be created automatically?


Some of them, although we don't always opt into the tier with Okta.


Ahh yes, the platforms that charge the SSO/SAML tax. If they have an API, you could sometimes leverage BC to create accounts for you (if you get their API tier).


I've thought about APIs for account creation, but many of my apps don't have that option, unfortunately.


Yeah, that's unfortunate.


I know of an unsanctioned (by Okta) method to log in as another Okta user, by using a SAML app and doing inbound federation into your own Okta and logging in as the needed username. But my biggest issue is personal data security. If the user has saved FB or other personal apps, you can access that and therefore have access to apps that you shouldn't be able to access.


But @henkjanvries, that's only a problem if you have your Okta set up to save personal apps, right?


True. But on the other hand, if you allow access to HR/mail, that should be signed off somewhere. As long as the bylaws state that IT is allowed to access their corporate accounts and it's within reasonable boundaries, it's possible by inbound. The bigger issue is to make sure not everyone can do that (or at least the admins able to change the inbound app).


Luckily Okta logs everything, but by then it's already too late if it happens with bad intentions.
