34 changes: 27 additions & 7 deletions api/gen/proto/go/teleport/okta/v1/okta_service.pb.go


5 changes: 5 additions & 0 deletions api/proto/teleport/legacy/types/types.proto
Expand Up @@ -7081,6 +7081,11 @@ message PluginOktaSyncSettings {

// EnableSystemLogExport enables the Teleport Identity Security SIEM integration for Okta.
bool enable_system_log_export = 12;

// DisableAssignDefaultRoles prevents the builtin okta-requester role from being assigned to all
// synchronized users. This is allows for a more advanced RBAC setup where not all
// Okta-originated users are allowed request all Okta-originated resources.
bool disable_assign_default_roles = 13;
}

// Defines a set of discord channel IDs
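Review bot: The comment on the new `disable_assign_default_roles` field in PluginOktaSyncSettings has two grammatical slips that make the sentence hard to parse ("This is allows", "allowed request"). Suggested wording for the last two comment lines: `// synchronized users. This allows for a more advanced RBAC setup where not all` and `// Okta-originated users are allowed to request all Okta-originated resources.`. Because the field is a negated flag, the zero value keeps the existing behaviour of assigning the okta-requester role, which is the compatible default; stating that explicitly in the comment would save readers from inferring it.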
4 changes: 4 additions & 0 deletions api/proto/teleport/okta/v1/okta_service.proto
Expand Up @@ -136,6 +136,8 @@ message CreateIntegrationRequest {
bool enable_bidirectional_sync = 10;
// Enable Okta system log export.
bool enable_system_log_export = 11;
// Whether to assign the builtin okta-requester role to all Okta synced users.
bool disable_assign_default_roles = 12;
}

// UpdateIntegrationRequest is the request message for updating an existing Okta integration.
Expand All @@ -162,6 +164,8 @@ message UpdateIntegrationRequest {
bool enable_bidirectional_sync = 10;
// Enable Okta system log export.
bool enable_system_log_export = 11;
// Whether to assign the builtin okta-requester role to all Okta synced users.
bool disable_assign_default_roles = 12;
}

// AccessListSettings contains the settings for access list synchronization.
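Review bot: The comment on `disable_assign_default_roles` in CreateIntegrationRequest reads "Whether to assign the builtin okta-requester role to all Okta synced users.", which is the inverse of what a true value does for a field named disable_*; a reader setting it to true to grant the role would get the opposite outcome. Suggested comment: `// Whether to skip assigning the builtin okta-requester role to all Okta synced users. Defaults to false (the role is assigned).`. The same inverted comment appears on the identical field in UpdateIntegrationRequest in the second hunk and should be corrected there too.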
11 changes: 9 additions & 2 deletions api/types/okta.go
Expand Up @@ -530,14 +530,14 @@ func (o *PluginOktaSyncSettings) GetEnableAppGroupSync() bool {
}

func (o *PluginOktaSyncSettings) GetEnableAccessListSync() bool {
if o == nil {
if !o.GetEnableAppGroupSync() {
return false
}
return o.SyncAccessLists
}

func (o *PluginOktaSyncSettings) GetEnableBidirectionalSync() bool {
if !o.GetEnableAccessListSync() {
if !o.GetEnableAppGroupSync() {
return false
}
return !o.DisableBidirectionalSync
Expand All @@ -550,6 +550,13 @@ func (o *PluginOktaSyncSettings) GetEnableSystemLogExport() bool {
return o.EnableSystemLogExport
}

func (o *PluginOktaSyncSettings) GetAssignDefaultRoles() bool {
if o == nil {
return false
}
return !o.DisableAssignDefaultRoles
}

type OktaUserSyncSource string

// IsUnknown returns true if user sync source is empty or explicitly set to "unknown".
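Review bot: `GetAssignDefaultRoles` is exported but carries no doc comment, and its behaviour is a policy default a reader would not guess from the body alone: a nil receiver yields false (no role assigned) while zero-value settings yield true (role assigned), with `DisableAssignDefaultRoles` opting out. Suggested comment: `// GetAssignDefaultRoles reports whether synced Okta users receive the builtin okta-requester role. It is true for zero-value settings and false for nil settings or when DisableAssignDefaultRoles is set.`. In the first hunk, `GetEnableBidirectionalSync` now gates only on `GetEnableAppGroupSync` rather than `GetEnableAccessListSync`, so bidirectional sync can report enabled with access-list sync off; if that decoupling is intended, a one-line comment naming the dependency chain would help callers that previously relied on the stricter check. The body of `GetEnableAppGroupSync` begins outside the hunk, so whether it handles a nil receiver (which the new callers now depend on) cannot be confirmed from here.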
23 changes: 16 additions & 7 deletions api/types/okta_test.go
Expand Up @@ -314,6 +314,7 @@ func Test_PluginOktaSyncSettings_SyncEnabledGetters(t *testing.T) {
require.False(t, syncSettings.GetEnableAccessListSync())
require.False(t, syncSettings.GetEnableBidirectionalSync())
require.False(t, syncSettings.GetEnableSystemLogExport())
require.False(t, syncSettings.GetAssignDefaultRoles())
})

t.Run("on empty settings", func(t *testing.T) {
Expand All @@ -324,6 +325,7 @@ func Test_PluginOktaSyncSettings_SyncEnabledGetters(t *testing.T) {
require.False(t, syncSettings.GetEnableAccessListSync())
require.False(t, syncSettings.GetEnableBidirectionalSync())
require.False(t, syncSettings.GetEnableSystemLogExport())
require.True(t, syncSettings.GetAssignDefaultRoles())
})

t.Run("on user sync enabled", func(t *testing.T) {
Expand All @@ -334,45 +336,52 @@ func Test_PluginOktaSyncSettings_SyncEnabledGetters(t *testing.T) {
require.True(t, syncSettings.GetEnableUserSync())
require.True(t, syncSettings.GetEnableAppGroupSync()) // true by default
require.False(t, syncSettings.GetEnableAccessListSync())
require.False(t, syncSettings.GetEnableBidirectionalSync())
require.True(t, syncSettings.GetEnableBidirectionalSync())
require.False(t, syncSettings.GetEnableSystemLogExport())
require.True(t, syncSettings.GetAssignDefaultRoles())
})

t.Run("on user sync enabled with disabled app and group sync", func(t *testing.T) {
syncSettings := &PluginOktaSyncSettings{
SyncUsers: true,
DisableSyncAppGroups: true,
SyncUsers: true,
DisableAssignDefaultRoles: true,
DisableSyncAppGroups: true,
}

require.True(t, syncSettings.GetEnableUserSync())
require.False(t, syncSettings.GetEnableAppGroupSync())
require.False(t, syncSettings.GetEnableAccessListSync())
require.False(t, syncSettings.GetEnableBidirectionalSync())
require.False(t, syncSettings.GetAssignDefaultRoles())
})

t.Run("on access list sync enabled", func(t *testing.T) {
syncSettings := &PluginOktaSyncSettings{
SyncUsers: true,
SyncAccessLists: true,
}

require.False(t, syncSettings.GetEnableUserSync())
require.False(t, syncSettings.GetEnableAppGroupSync())
require.True(t, syncSettings.GetEnableUserSync())
require.True(t, syncSettings.GetEnableAppGroupSync())
require.True(t, syncSettings.GetEnableAccessListSync())
require.True(t, syncSettings.GetEnableBidirectionalSync()) // true by default
require.False(t, syncSettings.GetEnableSystemLogExport())
require.True(t, syncSettings.GetAssignDefaultRoles())
})

t.Run("on access list sync enabled with bidirectional sync disabled", func(t *testing.T) {
syncSettings := &PluginOktaSyncSettings{
SyncUsers: true,
SyncAccessLists: true,
DisableBidirectionalSync: true,
EnableSystemLogExport: true,
}

require.False(t, syncSettings.GetEnableUserSync())
require.False(t, syncSettings.GetEnableAppGroupSync())
require.True(t, syncSettings.GetEnableUserSync())
require.True(t, syncSettings.GetEnableAppGroupSync())
require.True(t, syncSettings.GetEnableAccessListSync())
require.False(t, syncSettings.GetEnableBidirectionalSync())
require.True(t, syncSettings.GetEnableSystemLogExport())
require.True(t, syncSettings.GetAssignDefaultRoles())
})
}
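Review bot: The only sub-test that sets `DisableAssignDefaultRoles: true` ("on user sync enabled with disabled app and group sync") also sets `DisableSyncAppGroups: true`, so it does not demonstrate that the new flag works independently of app/group sync; if `GetAssignDefaultRoles` were ever made to depend on `GetEnableAppGroupSync`, this case would still pass. A dedicated sub-test with user sync on, app/group sync at its default, and only the new flag set would pin the intended behaviour. The existing cases otherwise cover the nil (false) and zero-value (true) defaults well.
```go
	t.Run("on user sync enabled with default role assignment disabled", func(t *testing.T) {
		syncSettings := &PluginOktaSyncSettings{
			SyncUsers:                 true,
			DisableAssignDefaultRoles: true,
		}

		require.True(t, syncSettings.GetEnableUserSync())
		require.True(t, syncSettings.GetEnableAppGroupSync())
		require.False(t, syncSettings.GetAssignDefaultRoles())
	})
```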