weave
module · Identity & SSO

Okta

Comprehensive Okta identity control plane — users, groups, apps, policies (sign-on / password / MFA / IdP-discovery / access), network zones, identity providers, trusted origins, authorization servers, behaviors, authenticators, brands, and domains. Full snapshot/diff/apply round-trip for the resources most worth versioning.

Namespace: weave okta · Env: OKTA_DOMAIN · 66 commands · 14 state kinds · Category: Identity & SSO · 1 API doc

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable | Description | Status
OKTA_DOMAIN | Required for authentication. | required
OKTA_TOKEN | Required for authentication. | required
OKTA_ORG_URL | Alternative to OKTA_DOMAIN — accepts full URLs (https://x.okta.com) | optional
OKTA_API_TOKEN | Alternative spelling of OKTA_TOKEN (matches Okta SDK env vars) | optional

Sanity-check the wiring:

weave secrets check
weave okta --help
weave doctor   # reports OKTA_DOMAIN status
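As an added illustration (not weave's own code), the following Python resolves the four variables from the table with the same fallbacks and normalises a full URL given in OKTA_ORG_URL to the bare-hostname form of OKTA_DOMAIN. The precedence it applies (OKTA_DOMAIN over OKTA_ORG_URL, OKTA_TOKEN over OKTA_API_TOKEN) is this example's assumption. It records only whether a token is present, never the value, so it can run in a CI log without leaking the secret.

```python
import os
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class OktaEnv:
    domain: str          # bare hostname, e.g. "x.okta.com"
    token_present: bool  # only presence is recorded; the secret is never copied


def missing_variables(env: dict) -> list[str]:
    """Names of the required settings that have no value in either spelling."""
    missing = []
    if not (env.get("OKTA_DOMAIN") or env.get("OKTA_ORG_URL")):
        missing.append("OKTA_DOMAIN")
    if not (env.get("OKTA_TOKEN") or env.get("OKTA_API_TOKEN")):
        missing.append("OKTA_TOKEN")
    return missing


def normalize_domain(value: str) -> str:
    """Accept a bare hostname or a full URL (https://x.okta.com/) and return the hostname."""
    value = value.strip()
    host = urlparse(value).hostname if "://" in value else value.split("/", 1)[0]
    host = (host or "").rstrip(".").lower()
    if not host or any(c.isspace() for c in host):
        raise ValueError(f"not a usable Okta hostname: {value!r}")
    return host


def resolve_okta_env(env: dict) -> OktaEnv:
    """Apply the fallbacks from the table. Precedence (OKTA_DOMAIN over OKTA_ORG_URL,
    OKTA_TOKEN over OKTA_API_TOKEN) is an assumption made by this example."""
    missing = missing_variables(env)
    if missing:
        raise KeyError(f"set {', '.join(missing)} (or the alternative spelling)")
    domain = normalize_domain(env.get("OKTA_DOMAIN") or env["OKTA_ORG_URL"])
    return OktaEnv(domain=domain, token_present=True)


if __name__ == "__main__":
    # Check the current shell environment before invoking weave.
    resolved = resolve_okta_env(dict(os.environ))
    print(f"domain={resolved.domain} token_present={resolved.token_present}")
```

Run it in the same shell you will run weave from; a KeyError names the missing variable, and the printed domain is what weave will talk to.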

Capabilities

What this module can do, by entity and verb. A marked cell means a working CLI surface; · means not (yet) wired.

Entity | find | list | show | do | snapshot | diff | apply
admin-role······
app·
app-assignments····
app-groups······
app-users······
auth-server··
auth-server-claims······
auth-server-policies······
auth-server-scopes······
authenticator····
behavior···
brand·····
domain······
email-templates······
group
group-apps······
group-members······
group-rule···
group-schema····
identity-providers·····
idp·····
log······
network-zone···
policies·····
policy···
policy-rules······
session······
trusted-origin··
user
user-apps······
user-events·······
user-factors······
user-groups······
user-roles······
user-schema····
zone·····

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (6)

find app

read

Find an app by id or exact label.

weave okta find app <identifier>

find auth-server

read

Find an authorization server by id or exact name.

weave okta find auth-server <identifier>

find group

read

Find a group by id or exact name.

weave okta find group <identifier>

find policy

read

Find a policy by id (Okta requires id; name search not supported).

weave okta find policy <identifier>

find user

read

Find a user by email, login, or Okta id.

weave okta find user <identifier>

find zone

read

Find a network zone by id or exact name.

weave okta find zone <identifier>

list (16)

list apps

read

List applications (paginated).

weave okta list apps <arg>

list auth-servers

read

List authorization servers (OAuth/OIDC issuers).

weave okta list auth-servers <arg>

list authenticators

read

List authenticators (factor types) enabled in the tenant.

weave okta list authenticators <arg>

list behaviors

read

List behavior detection rules.

weave okta list behaviors <arg>

list brands

read

List brands (Okta-hosted sign-in pages).

weave okta list brands <arg>

list domains

read

List custom domains.

weave okta list domains <arg>

list group-rules

read

List automatic group-membership rules.

weave okta list group-rules <arg>

list group-schema

read

List the group-profile schema attributes.

weave okta list group-schema <arg>

list groups

read

List groups (alphabetical; paginated).

weave okta list groups <arg>

list idps

read

List identity providers.

weave okta list idps <arg>

list logs

read

Tail the System Log (--since/--until + free-text --q).

weave okta list logs <arg>

list network-zones

read

List network zones (IP / dynamic).

weave okta list network-zones <arg>

list policies

read

List policies (Okta requires --type).

weave okta list policies <arg>

list trusted-origins

read

List trusted origins (CORS / redirect allowlists).

weave okta list trusted-origins <arg>

list user-schema

read

List the user-profile schema attributes (base + custom).

weave okta list user-schema <arg>

list users

read

List users (newest first; paginated).

weave okta list users <arg>

show (23)

show app

read

Show one app in detail.

weave okta show app <identifier>

show app-groups

read

Show all groups assigned to an app.

weave okta show app-groups <identifier>

show app-users

read

Show all users assigned to an app.

weave okta show app-users <identifier>

show auth-server

read

Show one authorization server.

weave okta show auth-server <identifier>

show auth-server-claims

read

Show claims defined on one authorization server.

weave okta show auth-server-claims <identifier>

show auth-server-policies

read

Show access policies on one authorization server.

weave okta show auth-server-policies <identifier>

show auth-server-scopes

read

Show scopes defined on one authorization server.

weave okta show auth-server-scopes <identifier>

show behavior

read

Show one behavior detection rule.

weave okta show behavior <identifier>

show brand

read

Show one brand (sign-in page) configuration.

weave okta show brand <identifier>

show email-templates

read

List email templates for a brand (text-heavy; read-only).

weave okta show email-templates <brand>

show group

read

Show a group's profile and member count.

weave okta show group <identifier>

show group-apps

read

Show apps assigned to a group.

weave okta show group-apps <identifier>

show group-members

read

Show all members of a group.

weave okta show group-members <identifier>

show idp

read

Show one identity provider.

weave okta show idp <identifier>

show policy

read

Show one policy in detail (no rules).

weave okta show policy <identifier>

show policy-rules

read

Show the rules attached to one policy.

weave okta show policy-rules <identifier>

show trusted-origin

read

Show one trusted origin.

weave okta show trusted-origin <identifier>

show user

read

Show a single user's full profile + credentials.

weave okta show user <identifier>

show user-apps

read

Show apps assigned to a user (their AppLinks list).

weave okta show user-apps <identifier>

show user-factors

read

Show MFA factors enrolled for a user.

weave okta show user-factors <identifier>

show user-groups

read

Show all groups a user belongs to.

weave okta show user-groups <identifier>

show user-roles

read

Show admin roles assigned to a user.

weave okta show user-roles <identifier>

show zone

read

Show one network zone in detail.

weave okta show zone <identifier>

do (20)

do activate

write

Activate a STAGED/DEPROVISIONED user.

weave okta do activate <identifier>

do activate-policy

write

Activate a policy (lifecycle/activate).

weave okta do activate-policy <policy-id>

do activate-policy-rule

write

Activate one rule on a policy.

weave okta do activate-policy-rule <policy-id> <rule-id>

do add-user-to-group

write

Add a user to a group.

weave okta do add-user-to-group <user> <group>

do assign-admin-role

write

Grant an admin role to a user.

weave okta do assign-admin-role <user> <role>

do assign-user-to-app

write

Assign a user to an application.

weave okta do assign-user-to-app <user> <app>

do clear-sessions

write

Kill every active SSO session for a user.

weave okta do clear-sessions <identifier>

do deactivate

write

Deactivate a user (irreversible-ish — be careful).

weave okta do deactivate <identifier>

do deactivate-policy

write

Deactivate a policy.

weave okta do deactivate-policy <policy-id>

do deactivate-policy-rule

write

Deactivate one rule on a policy.

weave okta do deactivate-policy-rule <policy-id> <rule-id>

do expire-password

write

Mark password as expired (forces change at next login).

weave okta do expire-password <identifier>

do impersonation-end

write

Kill an admin impersonation session by session id.

weave okta do impersonation-end <session-id>

do remove-user-from-group

write

Remove a user from a group.

weave okta do remove-user-from-group <user> <group>

do reset-mfa

write

Reset all MFA factors for a user.

weave okta do reset-mfa <identifier>

do reset-password

write

Trigger a password reset (sends email by default; --no-email returns a temp password).

weave okta do reset-password <identifier>

do suspend

write

Suspend a user (preserves data; SSO blocked).

weave okta do suspend <identifier>

do unassign-admin-role

write

Revoke an admin role from a user.

weave okta do unassign-admin-role <user> <role-id>

do unassign-user-from-app

write

Unassign a user from an application.

weave okta do unassign-user-from-app <user> <app>

do unlock

write

Unlock a LOCKED_OUT user.

weave okta do unlock <identifier>

do unsuspend

write

Unsuspend a previously suspended user.

weave okta do unsuspend <identifier>

watch (1)

watch user-events

write

Print recent system-log events for a single user.

weave okta watch user-events <identifier>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/okta/.

users

snapshot diff apply

All Okta users with their core profile (apply: profile updates only — use lifecycle verbs for create/delete).

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: okta
kind: users
items:
  - # <fields specific to this kind — see snapshot output>

groups

snapshot diff apply

Okta groups with their member logins, keyed by group name (full apply for OKTA_GROUP type).

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: okta
kind: groups
items:
  - # <fields specific to this kind — see snapshot output>

group-rules

snapshot diff apply

Automatic group-membership rules (full apply: create/update/delete with lifecycle).

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: okta
kind: group-rules
items:
  - # <fields specific to this kind — see snapshot output>

network-zones

snapshot diff apply

IP / dynamic / location network zones (full apply).

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: okta
kind: network-zones
items:
  - # <fields specific to this kind — see snapshot output>

trusted-origins

snapshot diff apply

CORS / redirect trusted origin allowlist (full apply).

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: okta
kind: trusted-origins
items:
  - # <fields specific to this kind — see snapshot output>

app-assignments

snapshot diff apply

User + group assignments for one application (full apply: add/remove only).

Scope: app
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: okta
kind: app-assignments
app: <value>
items:
  - # <fields specific to this kind — see snapshot output>

apps

snapshot diff apply

Application catalog metadata — label/status/signOnMode (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: apps
items:
  - # <fields specific to this kind — see snapshot output>

policies

snapshot diff apply

All policies (sign-on / password / MFA / discovery / access) with rule names (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: policies
items:
  - # <fields specific to this kind — see snapshot output>

identity-providers

snapshot diff apply

External IdPs (OIDC / SAML / Google / Microsoft / ...) (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: identity-providers
items:
  - # <fields specific to this kind — see snapshot output>

auth-servers

snapshot diff apply

Authorization servers with their nested scope / claim / policy names (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: auth-servers
items:
  - # <fields specific to this kind — see snapshot output>

behaviors

snapshot diff apply

Behavior detection rules (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: behaviors
items:
  - # <fields specific to this kind — see snapshot output>

authenticators

snapshot diff apply

Tenant authenticator catalog — MFA factor types (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: authenticators
items:
  - # <fields specific to this kind — see snapshot output>

user-schema

snapshot diff apply

User-profile schema attributes (base + custom; snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: user-schema
items:
  - # <fields specific to this kind — see snapshot output>

group-schema

snapshot diff apply

Group-profile schema attributes (base + custom; snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: okta
kind: group-schema
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Onboard a new hire end-to-end

Activate the user, drop them in the right groups, and assign the SSO app.

weave okta find user new.hire@example.com
weave okta do activate new.hire@example.com --yes
weave okta do add-user-to-group new.hire@example.com 00g1abcdEFG --yes
weave okta do assign-user-to-app new.hire@example.com 0oa1abcdEFG --yes
weave okta show user-apps new.hire@example.com   # sanity

Bulk-reset MFA after a phishing incident

List the impacted users from the system log, then reset every factor.

weave okta list logs --filter 'eventType eq "user.account.report_suspicious_activity_by_enduser"' --json > incident.json
jq -r '.[].actor.alternateId' incident.json | sort -u > affected.txt
Get-Content affected.txt | foreach { weave okta do reset-mfa $_ --yes }
weave okta watch user-events alice@example.com   # confirm next-login factor re-enrolment
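The jq step of this recipe, carried out in Python as an added example that is not part of the weave documentation: it filters the export on eventType before collecting actors, so an export that happens to include other event types does not widen the reset list, and it builds a per-actor summary (report count, first report, source IPs) to review before any factor is reset. The events are constructed samples in the shape of Okta System Log entries; only eventType, published, actor.alternateId and client.ipAddress are read, and the assumption that the --json export is a JSON array of events is this example's.

```python
import json
from collections import defaultdict
from typing import Iterable

# The event type the recipe above filters on.
SUSPICIOUS_EVENT_TYPES = {"user.account.report_suspicious_activity_by_enduser"}

# Constructed sample export; assumed to be what `--json > incident.json` produces
# (a JSON array of System Log events). Logins and IPs are documentation values.
SAMPLE_INCIDENT_JSON = json.dumps([
    {"eventType": "user.account.report_suspicious_activity_by_enduser",
     "published": "2024-05-02T08:15:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.session.start",          # unrelated event: must not be counted
     "published": "2024-05-02T08:16:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"eventType": "user.account.report_suspicious_activity_by_enduser",
     "published": "2024-05-02T09:40:00.000Z",
     "actor": {"alternateId": "Bob@example.com"},  # mixed case: folded on output
     "client": {"ipAddress": "198.51.100.7"}},
    {"eventType": "user.account.report_suspicious_activity_by_enduser",
     "published": "2024-05-01T23:59:00.000Z",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},
])


def affected_logins(events: Iterable[dict], event_types=SUSPICIOUS_EVENT_TYPES) -> list[str]:
    """Unique, sorted, case-folded actor logins for the matching event types.
    Same output as `jq -r '.[].actor.alternateId' | sort -u`, but keyed on eventType."""
    logins = set()
    for ev in events:
        if ev.get("eventType") not in event_types:
            continue
        login = (ev.get("actor") or {}).get("alternateId")
        if login:
            logins.add(login.lower())
    return sorted(logins)


def summarize_by_actor(events: Iterable[dict], event_types=SUSPICIOUS_EVENT_TYPES) -> dict[str, dict]:
    """Per-actor report: number of reports, earliest report time, source IPs seen."""
    report = defaultdict(lambda: {"count": 0, "first_seen": None, "ips": set()})
    for ev in events:
        if ev.get("eventType") not in event_types:
            continue
        login = ((ev.get("actor") or {}).get("alternateId") or "").lower()
        if not login:
            continue
        entry = report[login]
        entry["count"] += 1
        ts = ev.get("published")
        if ts and (entry["first_seen"] is None or ts < entry["first_seen"]):
            entry["first_seen"] = ts  # ISO-8601 UTC timestamps sort correctly as strings
        ip = (ev.get("client") or {}).get("ipAddress")
        if ip:
            entry["ips"].add(ip)
    return {login: {**v, "ips": sorted(v["ips"])} for login, v in report.items()}


def triage(incident_json: str) -> tuple[list[str], dict[str, dict]]:
    """Parse the export once and return (affected logins, per-actor summary)."""
    events = json.loads(incident_json)
    return affected_logins(events), summarize_by_actor(events)


if __name__ == "__main__":
    logins, report = triage(SAMPLE_INCIDENT_JSON)
    for login in logins:  # this list is what affected.txt holds in the recipe
        r = report[login]
        print(f"{login}\t{r['count']} report(s)\tfirst {r['first_seen']}\tfrom {', '.join(r['ips'])}")
```

Feed the real incident.json to triage() in place of the sample and write the first return value to affected.txt; the summary is for the reviewer, not for weave.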

Quarterly access review

Snapshot groups + per-app assignments, commit, and diff next quarter.

weave okta snapshot groups
foreach ($app in @('0oa1abcdEFG','0oa2xyz')) { weave okta snapshot app-assignments --app $app }
git add .weave-state/okta && git commit -m 'okta access review Q1'
# … next quarter …
weave okta diff groups
weave okta diff app-assignments --app 0oa1abcdEFG
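Added example (not weave's own diff engine) of what the quarterly diff should surface, covering both the snapshot/diff/apply workflow described under State kinds and this review recipe: it compares last quarter's and this quarter's groups snapshots, lists group-level and member-level changes, and flags additions to groups the org treats as privileged so they get a named approver. The item fields name and members, the privileged-group list and the snapshot contents are constructed assumptions following the description of the groups kind (keyed by group name, with member logins); in practice both documents come from yaml.safe_load over the committed state files under .weave-state/okta/.

```python
from dataclasses import dataclass, field

# Constructed snapshots in the state-file shape (module / kind / items). The
# `name` and `members` item fields are this example's assumption.
LAST_QUARTER = {
    "module": "okta", "kind": "groups",
    "items": [
        {"name": "Everyone", "members": ["alice@example.com", "bob@example.com"]},
        {"name": "Okta Admins", "members": ["alice@example.com"]},
        {"name": "Finance", "members": ["bob@example.com", "carol@example.com"]},
    ],
}
THIS_QUARTER = {
    "module": "okta", "kind": "groups",
    "items": [
        {"name": "Everyone", "members": ["alice@example.com", "bob@example.com", "dave@example.com"]},
        {"name": "Okta Admins", "members": ["alice@example.com", "dave@example.com"]},
        {"name": "Contractors", "members": ["dave@example.com"]},
    ],
}
PRIVILEGED_GROUPS = {"Okta Admins"}  # assumption: groups whose additions need explicit approval


@dataclass
class GroupsDiff:
    added_groups: list = field(default_factory=list)
    removed_groups: list = field(default_factory=list)
    membership: dict = field(default_factory=dict)            # group -> {"added": [...], "removed": [...]}
    privileged_additions: list = field(default_factory=list)  # (group, login) pairs to approve


def _index(snapshot: dict) -> dict:
    """Map group name -> set of member logins (case-folded), refusing the wrong kind."""
    if snapshot.get("kind") != "groups":
        raise ValueError(f"expected kind 'groups', got {snapshot.get('kind')!r}")
    return {g["name"]: {m.lower() for m in g.get("members", [])} for g in snapshot.get("items", [])}


def diff_groups(old: dict, new: dict, privileged=PRIVILEGED_GROUPS) -> GroupsDiff:
    """Compute group and membership changes from the old snapshot to the new one."""
    before, after = _index(old), _index(new)
    d = GroupsDiff()
    d.added_groups = sorted(after.keys() - before.keys())
    d.removed_groups = sorted(before.keys() - after.keys())
    for name in sorted(after):
        prev = before.get(name, set())  # brand-new group: every member counts as added
        added, removed = sorted(after[name] - prev), sorted(prev - after[name])
        if added or removed:
            d.membership[name] = {"added": added, "removed": removed}
        if name in privileged:
            d.privileged_additions.extend((name, login) for login in added)
    for name in d.removed_groups:  # a deleted group loses all of its members
        d.membership[name] = {"added": [], "removed": sorted(before[name])}
    return d


def render(d: GroupsDiff) -> str:
    """Plain-text report suitable for attaching to the review ticket."""
    lines = [f"+group {g}" for g in d.added_groups] + [f"-group {g}" for g in d.removed_groups]
    for name, change in d.membership.items():
        lines += [f"  +{name}: {m}" for m in change["added"]]
        lines += [f"  -{name}: {m}" for m in change["removed"]]
    lines += [f"REVIEW privileged add: {g} <- {m}" for g, m in d.privileged_additions]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(diff_groups(LAST_QUARTER, THIS_QUARTER)))
```

The privileged-group check is the part a generic diff does not give you: a member added to an admin group is a finding to sign off, not just a changed line.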

Quarantine a compromised account

One-shot containment: suspend, expire password, drop sessions.

weave okta find user alice@example.com
weave okta do suspend alice@example.com --yes
weave okta do clear-sessions alice@example.com --yes
weave okta do expire-password alice@example.com --yes
weave okta watch user-events alice@example.com --limit 100

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource | weave equivalent | Notes
okta_user | weave okta find/list/show user / snapshot users + do activate/deactivate/suspend/unsuspend/unlock/reset-password/expire-password/reset-mfa/clear-sessions |
okta_user_admin_roles | weave okta show user-roles + do assign-admin-role / unassign-admin-role |
okta_user_password_change / okta_user_factor_question | weave okta do reset-password / expire-password / reset-mfa |
okta_group | weave okta find/list/show group / snapshot groups (full apply) |
okta_group_memberships | Embedded in `snapshot groups` member list + do add-user-to-group / remove-user-from-group |
okta_group_owner | Not yet surfaced — falls under group_memberships in the meantime | Planned
okta_group_roles | Use `show user-roles` per-member; explicit group_role state kind is planned | Planned
okta_group_rule | weave okta list group-rules / snapshot group-rules (full apply with activate/deactivate) |
okta_app_oauth / okta_app_saml / okta_app_basic_auth / okta_app_swa / okta_app_three_field / okta_app_bookmark / okta_app_secure_password_store | weave okta find/list/show app / snapshot apps (snapshot+diff only — per-type settings blocks aren't safe to round-trip) |
okta_app_user | weave okta show app-users + do assign-user-to-app / unassign-user-from-app |
okta_app_group_assignments | weave okta show app-groups / snapshot app-assignments --app=<id> |
okta_app_signon_policy / okta_app_signon_policy_rule | weave okta list policies --type=ACCESS_POLICY / show policy-rules |
okta_policy_signon / okta_policy_password / okta_policy_mfa | weave okta list policies --type=OKTA_SIGN_ON|PASSWORD|MFA_ENROLL / snapshot policies |
okta_policy_rule_signon / okta_policy_rule_password / okta_policy_rule_mfa / okta_policy_rule_idp_discovery | weave okta show policy-rules <policy-id> + do activate-policy-rule / deactivate-policy-rule |
okta_policy_device_assurance_* | Not exposed yet — device-assurance is a separate top-level API | Future work
okta_network_zone | weave okta find/list/show zone / snapshot network-zones (full apply) |
okta_idp_oidc / okta_idp_saml / okta_idp_google / okta_idp_microsoft / okta_idp_social | weave okta list/show idp / snapshot identity-providers (snapshot+diff only — protocol blobs are opaque) |
okta_trusted_origin | weave okta list/show trusted-origin / snapshot trusted-origins (full apply) |
okta_auth_server | weave okta find/list/show auth-server / snapshot auth-servers (snapshot+diff only) |
okta_auth_server_scope / okta_auth_server_claim / okta_auth_server_policy / okta_auth_server_policy_rule | weave okta show auth-server-scopes / auth-server-claims / auth-server-policies — included in `snapshot auth-servers` as nested name lists |
okta_behavior | weave okta list/show behavior / snapshot behaviors (snapshot+diff only) |
okta_domain / okta_domain_verification | weave okta list domains | No state kind — domains rarely churn
okta_brand | weave okta list/show brand | No apply — brand customizations are text-heavy templates
okta_email_customization / okta_email_sender / okta_email_template_settings | weave okta show email-templates <brand> | Read-only — templates are markup-heavy
okta_user_schema_property | weave okta list user-schema / snapshot user-schema (snapshot+diff only) |
okta_group_schema_property | weave okta list group-schema / snapshot group-schema (snapshot+diff only) |
okta_authenticator | weave okta list authenticators / snapshot authenticators (snapshot+diff only) |
(system log tail / impersonation kill) | weave okta list logs / watch user-events / do impersonation-end | Operational verbs unique to weave — no Terraform equivalent

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including OKTA_DOMAIN) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave okta diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.