Administrators must configure the minimum required permissions to import Artificial Intelligence (AI) agents from cloud providers into the Okta AI Agent Registry. To achieve this, administrators create credentials in the respective cloud provider, grant read-only permissions to list agents, and configure the integration in the Okta Admin Console. Supported providers include Amazon Web Services (AWS) Bedrock, Microsoft Office 365, and Salesforce.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta AI Agent Registry
- AWS Bedrock
- Microsoft Office 365
- Salesforce
How does an administrator import Amazon Web Services Bedrock agents?
To import Amazon Web Services (AWS) Bedrock agents, create an Identity and Access Management (IAM) user, apply the required JSON policy, generate access keys, and configure the credentials in the Okta Admin Console.
- Navigate to the AWS Console, go to IAM, select Users, and choose Add users.
- Enter okta-ai-agent-import as the user name.
- Select the user, navigate to Permissions, and choose Add inline policy.
- Select the JSON tab and enter the appropriate policy for the environment.

For AWS Bedrock Agents and AgentCore:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OktaAIAgentImport",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "bedrock:GetAgent",
        "bedrock:ListAgents",
        "bedrock-agentcore:ListAgentRuntimes",
        "bedrock-agentcore:GetAgentRuntime"
      ],
      "Resource": "*"
    }
  ]
}
```

For AWS Bedrock Agents only:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OktaAIAgentImport",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "bedrock:GetAgent",
        "bedrock:ListAgents"
      ],
      "Resource": "*"
    }
  ]
}
```

For AWS Bedrock AgentCore only:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OktaAIAgentImport",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "bedrock-agentcore:ListAgentRuntimes",
        "bedrock-agentcore:GetAgentRuntime"
      ],
      "Resource": "*"
    }
  ]
}
```

- Review the policy, enter OktaAIAgentImportPolicy as the name, and select Create policy.
- Navigate to Security credentials for the user and select Create access key.
- Choose Third-party service as the use case and copy the Access Key ID and Secret Access Key.
NOTE: Store the credentials in a secrets manager (AWS Secrets Manager, HashiCorp Vault, or similar) and never commit them to version control.
- Open the Okta Admin Console, navigate to Applications, select AWS IAM Identity Center, and choose AI agent import.
- Navigate to Configuration, select AWS Bedrock as the provider, and enter the copied Access Key ID and Secret Access Key.
- Select the regions where agents exist and choose the appropriate platforms.
- Select Test Connection and choose Save.
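The inline policy is the only thing standing between the import credentials and the rest of the AWS account, so it is worth checking the pasted document against the read-only action set above before creating the access key. The following checker is an added example, not Okta's code; the platform names "agents", "agentcore" and "both" and the over-privileged sample policy are constructed for illustration.

```python
import fnmatch
import json

# Read-only actions granted by the policies above, keyed by the platform
# selection made in the Okta Admin Console (Bedrock Agents, AgentCore, or both).
EXPECTED_ACTIONS = {
    "agents": {"sts:GetCallerIdentity", "bedrock:GetAgent", "bedrock:ListAgents"},
    "agentcore": {"sts:GetCallerIdentity", "bedrock-agentcore:ListAgentRuntimes",
                  "bedrock-agentcore:GetAgentRuntime"},
}
EXPECTED_ACTIONS["both"] = EXPECTED_ACTIONS["agents"] | EXPECTED_ACTIONS["agentcore"]


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_policy(policy_json: str, platform: str) -> list[str]:
    """Compare an inline policy document with the read-only action set for
    `platform` ("agents", "agentcore" or "both"). Returns a list of findings;
    an empty list means the policy grants exactly the expected actions."""
    expected = EXPECTED_ACTIONS[platform]
    findings, granted = [], set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            findings.append("NotAction allows everything except the listed actions")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:  # e.g. bedrock:* covers write actions too
                findings.append(f"wildcard action {action!r} exceeds read-only scope")
                granted.update(a for a in expected if fnmatch.fnmatchcase(a, action))
            elif action not in expected:
                findings.append(f"unexpected action {action!r}")
            else:
                granted.add(action)
    if expected - granted:
        findings.append("missing actions: " + ", ".join(sorted(expected - granted)))
    return findings


# Constructed over-privileged variant (not from the page) for comparison.
OVERPRIVILEGED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
     "Action": ["sts:GetCallerIdentity", "bedrock:*", "iam:PassRole"]}]})
```

Run the combined policy from the page through `check_policy(policy, "both")` to confirm an empty result, and compare with `check_policy(OVERPRIVILEGED_POLICY, "agents")`, which flags the wildcard and the stray IAM action.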
Microsoft Office 365 Integration Steps
To integrate Microsoft Office 365 agents, register a new application in the Azure Portal, generate a client secret, grant Microsoft Graph API permissions, and add the source in the Okta Admin Console.
- Open the Azure Portal, navigate to Azure Active Directory, select App Registrations, and choose New registration.
- Enter Okta-AI-Agent-Import as the name, select Single tenant for supported account types, leave the Redirect URL blank, and choose Register.
- Copy the Application (client) ID and Directory (tenant) ID from the Overview page.
- Navigate to Certificates & secrets and select New client secret.
- Enter Okta AI Agent Import as the description, set the expiration to 90 days, select Add, and copy the secret value.
- Navigate to API permissions and select Add a permission.
- Choose Microsoft Graph, select Application permissions, search for Agent, and add AgentInstance.Read.All.
- Select **Grant admin consent for [your tenant]**. NOTE: The exact permission name might vary based on the Microsoft API. The integration requests the `.default` scope, which returns every application-level permission that has been granted to the app registration, so the registration should carry only the permission added above.
- Open the Okta Admin Console, navigate to AI Agent Registry, select Import Sources, and choose Add Source.
- Select Microsoft Office 365 as the provider.
- Enter the copied Application ID as the Client ID, the secret value as the Client Secret, and the Directory ID as the Tenant ID.
- Select Test Connection and choose Save.
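Because the `.default` scope hands the import integration every application permission consented on the registration, the `roles` claim of the resulting Graph access token is the quickest way to confirm that only AgentInstance.Read.All is in play. This claim inspection is an added example, not Okta's or Microsoft's code; the sample token is constructed and unsigned, and Directory.Read.All appears in it only to show what an over-consented registration looks like.

```python
import base64
import json

# The only Microsoft Graph application permission this integration needs.
EXPECTED_ROLES = {"AgentInstance.Read.All"}


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_roles(token: str) -> set[str]:
    """Return the app-role claims (`roles`) carried by an access token.
    Claims are inspected, not verified: Graph validates the signature when
    the token is presented, this function only reads what was issued."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("roles", []))


def excess_roles(token: str, expected=frozenset(EXPECTED_ROLES)) -> set[str]:
    """Roles beyond what the import needs. A non-empty result means the app
    registration has been granted more than AgentInstance.Read.All."""
    return token_roles(token) - set(expected)


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned token (empty signature) for offline demonstration."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample: a client-credentials token for Graph from a registration
# that was later granted Directory.Read.All in addition to the page's permission.
SAMPLE_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "appid": "<client-id placeholder>",
    "roles": ["AgentInstance.Read.All", "Directory.Read.All"],
})
```

`excess_roles(SAMPLE_TOKEN)` reports `{"Directory.Read.All"}`; a token from a registration configured exactly as described above yields an empty set.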
How does an administrator configure the Salesforce integration?
To configure the Salesforce integration, create a Connected App, retrieve the OAuth 2.0 credentials, configure object permissions, grant access, and add the source in the Okta Admin Console.
- Open the Salesforce Setup menu, navigate to App Manager, and select New Connected App.
- Enter Okta AI Agent Import as the Connected App Name, Okta_AI_Agent_Import as the API Name, and enter a contact email.
- Select Enable OAuth Settings, enter https://localhost as the Callback URL, select Enable Client Credentials Flow, and choose Save.
- Navigate to App Manager, locate the Connected App, and select Manage Consumer Details.
- Authenticate and copy the Consumer Key and Consumer Secret.
- Navigate to Permission Sets and select New Permission Set.
- Enter AI Agent Import Permissions as the Label and AI_Agent_Import_Permissions as the API Name.
- Navigate to Object Settings, select GenAiPlannerDefinition, select Read under Object Permissions, and assign the permission set to the integration user.
- Navigate to Connected Apps, select Manage Connected Apps, and choose the created app.
- Select Edit Policies, set Permitted Users to Admin approved users are pre-authorized, navigate to Manage Profiles/Permission Sets, and add the appropriate profiles or permission sets.
- Open the Okta Admin Console, navigate to AI Agent Registry, select Import Sources, and choose Add Source.
- Select Salesforce as the provider.
- Enter the copied Consumer Key, Consumer Secret, and the instance URL.
- Select Test Connection and choose Save.
