Overview
Tropic’s Okta integration allows you to sync employee app usage and associated data directly from Okta into Tropic. This data powers Spend Management, helping you gain insights into your organization’s overall SaaS usage and app utilization across suppliers.
For supplier visibility, Okta and ERP integrations enable Tropic to display a broader range of suppliers, including those without active contracts or requests, supporting shadow spend tracking and comprehensive supplier management.
Important: This integration does not set up SSO for Tropic. The integration does not provision or create Tropic users based on Okta data.
Prerequisites
To set up the integration, you must have:
- The owner user role in Tropic
- An Okta service account with read-only admin permissions
For additional context and to familiarize yourself with the broader integration features within Tropic, refer to the Integration Overview.
Steps to Connect
Create an Okta API Token
To start, create an API token in Okta.
The integration uses this token to connect Tropic to Okta. Create the token from an Okta service account with read-only admin permissions. An Okta API token inherits the permissions of the account that creates it, so this limits what the token can do.
Connect to Okta
Requires the following role: Owner
- Go to the Integrations page in Tropic.
- Select the Access & Usage checkbox under Data Categories and click View Details.
- Alternatively, click the Setup Integration link in the email you received if you have been assigned this step.
- Click Connect.
- Provide your Okta API Token and Okta Domain.
- Click Connect.
Note:
📌 To get your Okta domain, see Find your Okta domain in the Okta developer docs.
📌 The integration pulls in the last 90 days of Okta data for each app.
Select User Types to Sync
Requires the following role: Owner
- On the Integrations page, click Finish Setup under Okta SSO.
- Select the Okta User Types to sync to Tropic. If your Okta instance only has the default user type, skip this section. Tropic will automatically sync data for the default user type.
- We recommend selecting user types used for full-time employees.
- Click View Summary.
- Confirm the selected user types and click Save Preferences.
Wait for the Data to Sync
Allow 24-48 hours for your data to sync. The integration pulls in the last 90 days of Okta data for each app.
Note: Tropic syncs data nightly to ensure your records remain up to date.
Post-Setup Steps
Match Applications to Suppliers
Requires the following role: Owner
The integration pulls app data from Okta into Tropic. Tropic tries to automatically match these apps to your SaaS suppliers in Tropic. You can review, edit, or hide app matches as needed.
Manually Match Applications
To view and update unmatched apps from Okta:
- In Tropic, navigate to Settings > Product Matching.
- In the Unmatched tab, click Select Supplier.
- Type and select a Tropic supplier’s name.
- If the supplier doesn’t exist, click Add new Supplier and enter the Supplier Domain.
- Click Confirm Match.
Edit Matched Applications
To edit a matched application:
- Go to Settings > Product Matching.
- Click the Matched tab.
- Click Edit for the app row.
- Click X beside the New Supplier value.
- In New Supplier, type and select a Tropic supplier’s name.
- Click Submit.
Note: If the supplier doesn’t exist, click Add new Supplier and enter the Supplier Domain. If the new supplier doesn’t have a domain, click Add Supplier without a domain.
Hide Applications
Hide any testing or staging environments used for your applications. This ensures your app usage data is more accurate.
To hide synced Okta apps in Tropic:
- In Tropic, go to Settings > SSO Preferences.
- Click the Hide icon for the app row.
Viewing Okta Data in Tropic
Once synced, the Tropic platform surfaces your Okta data in the following areas:
- Spend Management > Access & Usage: The App Access & Usage page lets you view apps by provisioned user count. It also contains a snapshot of your app portfolio.
- Spend Management > Employees: The Employees page shows a list of employees, pulled from Okta users, and their app counts. You can click each employee to view login activity for each app.
- Suppliers > Supplier page > Usage: The Usage page shows a count of provisioned and active users for the SaaS app. It also lists employees provisioned for the app.
Required Permissions
The integration pulls Okta data using the following API endpoints:
System log events
The integration only uses the System Log endpoint to pull the following event types:
- user.authentication.auth
- user.authentication.auth_unconfigured_identifier
- user.authentication.auth_via_AD_agent
- user.authentication.auth_via_IDP
- user.authentication.auth_via_LDAP_agent
- user.authentication.auth_via_inbound_SAML
- user.authentication.auth_via_inbound_delauth
- user.authentication.auth_via_iwa
- user.authentication.auth_via_mfa
- user.authentication.auth_via_radius
- user.authentication.auth_via_richclient
- user.authentication.auth_via_social
- user.authentication.authenticate
- user.authentication.sso
The integration uses these events to determine active app usage.
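To review what this read scope exposes, the following added example (not Tropic's code) builds an Okta System Log query limited to the event types listed above and tallies active users per app over the 90-day window. The domain example.okta.com, the sample events, counting only SUCCESS outcomes, and attributing usage through the AppInstance target are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Event types copied from the list on this page.
EVENT_TYPES = ["user.authentication." + s for s in (
    "auth auth_unconfigured_identifier auth_via_AD_agent auth_via_IDP "
    "auth_via_LDAP_agent auth_via_inbound_SAML auth_via_inbound_delauth "
    "auth_via_iwa auth_via_mfa auth_via_radius auth_via_richclient "
    "auth_via_social authenticate sso").split()]

def logs_url(okta_domain, now, days=90):
    """Okta System Log query limited to the listed event types and window."""
    since = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = " or ".join(f'eventType eq "{t}"' for t in EVENT_TYPES)
    return f"https://{okta_domain}/api/v1/logs?" + urlencode(
        {"since": since, "filter": flt, "limit": 1000})

def active_users_by_app(events, now, days=90):
    """Map app display name -> sorted users with a qualifying event in the window."""
    cutoff = now - timedelta(days=days)
    active = defaultdict(set)
    for e in events:
        when = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        listed = e.get("eventType") in EVENT_TYPES
        # Assumption: only successful sign-ins count as usage.
        ok = e.get("outcome", {}).get("result") == "SUCCESS"
        if not (listed and ok and when >= cutoff):
            continue
        for tgt in e.get("target") or []:
            if tgt.get("type") == "AppInstance":  # assumption: app comes from target
                active[tgt["displayName"]].add(e["actor"]["alternateId"])
    return {app: sorted(users) for app, users in active.items()}

def event(etype, day, user, app, result="SUCCESS"):  # constructed-event helper
    return {"eventType": etype, "published": f"{day}T09:00:00.000Z",
            "outcome": {"result": result}, "actor": {"alternateId": user},
            "target": [{"type": "AppInstance", "displayName": app}]}

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed reference time
SAMPLE = [  # constructed events, not real log data
    event("user.authentication.sso", "2024-06-01", "ana@example.com", "Slack"),
    event("user.authentication.sso", "2024-06-10", "bo@example.com", "Slack"),
    event("user.authentication.sso", "2024-06-20", "ana@example.com", "Jira"),
    event("user.authentication.sso", "2024-01-15", "cy@example.com", "Slack"),
    event("user.authentication.sso", "2024-06-12", "dee@example.com", "Jira", "FAILURE"),
    event("application.user_membership.add", "2024-06-15", "eli@example.com", "Jira"),
]
```

Okta API tokens are sent in the `Authorization: SSWS <token>` request header, so the same query can be replayed with the service account's token to see exactly which records it returns.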
Disconnect the Integration
Requires the following role: Owner
To disconnect the Okta integration:
- On the Integrations page, under Okta SSO, click Manage.
- Click Disconnect.
Disconnecting the app removes all Okta data from Tropic.
Additional Resources
For more training guides or documentation, please visit our Help Center. Our resources provide detailed guidance to help you navigate Tropic effectively.