ArdSaor

AI Clearance Okta Connector Setup Guide

Configure AI Clearance to create, bind, test, and manage Okta group membership for approved AI tool access.

Overview

The Okta connector lets AI Clearance automate group membership after a Jira approval. AI Clearance controls membership in the configured entitlement groups. It does not assign Okta apps to those groups, create app integrations, or manage app-specific role settings.

Use this guide when you want approved AI Clearance requests to add users to Okta groups that your organization already uses for application access.

Before you begin

  • You must be a Jira admin for the site where AI Clearance is installed.
  • You must have Okta admin access sufficient to create or manage groups and create an API token.
  • Confirm which Okta group controls each AI tool or AI platform entitlement.
  • Decide whether AI Clearance should create new entitlement groups or bind to existing Okta groups.
  • Have a test Jira user and matching Okta user available before enabling the connector for production requests.

Required Okta information

Value Where to find it Notes
Okta org URL Your Okta admin domain, such as https://example.okta.com Use the full HTTPS URL. Do not use a local or staging URL.
API token Okta Admin Console, created by an admin account with the needed group-management rights Use a dedicated token for AI Clearance where possible.
Group-management permissions The Okta admin role assigned to the token owner The token must be able to read users, read groups, create groups if you use group creation, and add or remove users from groups.

Step-by-step setup

  1. Open the Okta Admin Console.
  2. Create or choose a dedicated admin account for AI Clearance connector operations.
  3. Assign the smallest Okta admin role that can read users and groups, create groups if needed, and manage membership for the target groups.
  4. Create an API token for that admin account. Save it in your approved secret-handling process.
  5. Identify the Okta org URL that AI Clearance should call.
  6. Create or confirm the Okta groups that will control access to each AI tool. Use clear names such as AI Clearance - Claude Enterprise - Users.
  7. Assign each Okta group to the real Okta app or resource outside AI Clearance.
  8. In Jira, open Jira admin - Apps - AI Clearance - Connectors.
  9. Select Set up on the Okta row or choose Add connector and set the type to Okta.
  10. Enter a connector ID, name, optional description, and the configuration JSON or approved secret reference.
  11. Save the connector, then use Test connection from the connector actions menu.
  12. Add identity mappings for Jira users whose Okta login, username, or email does not resolve automatically.
  13. When adding or editing catalog tools, choose the Okta connector and create or bind the entitlement group for that tool.

Configuration example

Use placeholders only. Never paste real API tokens into documentation, Jira issue comments, screenshots, or support tickets.

{
  "domain": "https://<your-okta-org>.okta.com",
  "apiToken": "<okta-api-token>"
}

If your ArdSaor deployment supports a backend secret reference, enter the approved reference instead of raw JSON. The connector test should still pass before you assign the connector to catalog tools.

Testing the connector

  1. Open AI Clearance - Connectors.
  2. Find the Okta row and open its actions menu.
  3. Select Test connection.
  4. Confirm the test succeeds before using the connector for live approvals.
  5. Create a low-risk test catalog tool, bind a test Okta group, submit a test request, approve it, and confirm the test user is added to the group.
  6. Remove the test access and confirm deprovisioning behavior before production rollout.

Troubleshooting

Connector test fails

  • Confirm the Okta org URL starts with https:// and does not include an admin-console path.
  • Confirm the API token is active and was copied completely.
  • Confirm the token owner still has the required Okta admin role.

Groups cannot be created or updated

  • Confirm the token owner can create groups if AI Clearance is expected to create groups.
  • Confirm the target groups are normal Okta groups that can have membership managed by API.
  • Confirm the group is assigned to the real app or resource in Okta. AI Clearance does not do app assignment.

User provisioning needs manual follow-up

  • Confirm the Jira user has an admin-managed identity mapping or an Okta profile value that can be matched exactly.
  • Check for duplicate Okta users with the same email, login, or username.
  • Add an explicit identity mapping in AI Clearance when automatic matching is ambiguous.

Security recommendations

  • Use least-privilege Okta administration where possible.
  • Use a dedicated token owner so connector activity is auditable.
  • Store secrets only in approved secret storage or in the AI Clearance connector configuration field.
  • Rotate Okta API tokens periodically and immediately after personnel or vendor-access changes.
  • Do not paste API tokens into Jira issue comments, support tickets, chat messages, or documentation.
  • Disable or delete stale connectors that are no longer used by catalog tools.