When configuring the On-Premise Provisioning (OPP) Agent v1.x or v2.x, it is necessary to use an account with Super Administrator permissions to connect to Okta. The OPP Agent install flow will create an API Token in order to complete the setup.
NOTE: This article only applies to Okta Provisioning Agent (OPP) v1.x and v2.x. It DOES NOT apply to the newer OPP agent v3.x (and onwards), which registers through the OAuth 2.0 device registration flow and requires the Register Agent permission to be granted. For full details, please read:
- OPP Agent v1.x and v2.x installation with API Token agent registration only
- User Lifecycle Management
- Okta Super Administrator Role requirement
If the service account that was used to configure the OPP Agent is demoted from Super Admin to a standard user, the OPP flow will fail. However, the API token remains in Okta, and if the Super Admin role is granted back to that service account, Okta will be able to reconnect with the OPP Agent.
If the Okta Admin user is deactivated in Okta, the token cannot be reinstated, and the agent must be reinstalled using a different Okta service account. The token is linked to the Super Admin account used when installing the OPP agent, and there is no way to assign an API token to a different user.
The following options are recommended:
- Keep the admin account in Okta and use it as a service account.
- Reinstall the OPP agent and use another admin account during the installation process.
