Overview
An Okta Resource Name (ORN) is a string that uniquely identifies a resource in your Okta tenant. Where an API accepts a resourceOrn, the resource's Okta API REST URL is also supported. This article walks through the ways to derive or look up the ORN you need and highlights some use cases of the Okta Identity Governance (OIG) APIs that take a resourceOrn.
The types of Okta Resource Names can be looked up in the Resources documentation. An ORN takes one of the following forms:
- orn:{partition}:{service}:{yourOrgId}:{objectType}:{objectId}:contained_resources
- orn:{partition}:{service}:{yourOrgId}:{objectType}:{appName}:{objectId}
- orn:{partition}:{service}:{yourOrgId}:contained_resources
Applies To
| Placeholder | Description |
| --- | --- |
| {partition} | The Okta environment partition: oktapreview for Preview environments and okta for Production environments. |
| {service} | The service that the resource belongs to. |
| {yourOrgId} | The identifier of the tenant that is using the service. This is typically your org ID. |
| {objectType} | The resource object that belongs to the service category. |
| {objectId} | The specific object identifier for the objectType. For example, if you want to define a specific group for your resource, use the "A specific group" ORN listed under Supported Resources below. |
| {appName} | The key name that describes the app definition. For example, if you want to define all apps with a specific app definition for your resource, use the "A specific app" ORN form listed under Supported Resources below. |
| contained_resources | An optional literal that targets all resources within the container resource (only for supported resources). For example, see the first and third ORN forms listed above. |
| {bundleId} | The specific object identifier for an entitlement bundle. For example, if you want to define an ORN for an entitlement bundle, use the "An entitlement bundle" ORN listed under Supported Resources below. |
| {entitlementValueId} | The specific object identifier for an entitlement value. For example, if you want to define an ORN for an entitlement value, use orn:{partition}:governance:{yourOrgId}:entitlement-values:{entitlementValueId} |
| {collectionId} | The specific object identifier for a collection. For example, if you want to define an ORN for a collection, use orn:{partition}:governance:{yourOrgId}:collections:{collectionId} |
Assumptions
- Some APIs used by Okta Identity Governance may use, or may require, the Okta Resource Name (ORN).
Supported Resources
This article lists some of the supported resources used in Okta Identity Governance. Other resources are supported as well, but they may not apply to OIG at the time of writing.
| Resource | ORN |
| --- | --- |
| All users | orn:{partition}:directory:{yourOrgId}:users |
| A specific user | orn:{partition}:directory:{yourOrgId}:users:{userId} |
| All groups | orn:{partition}:directory:{yourOrgId}:groups |
| A specific group | orn:{partition}:directory:{yourOrgId}:groups:{groupId} |
| All realms | orn:{partition}:directory:{yourOrgId}:realms |
| A specific realm | orn:{partition}:directory:{yourOrgId}:realms:{realmId} |
| All apps | orn:{partition}:idp:{yourOrgId}:apps |
| A specific app | orn:{partition}:idp:{yourOrgId}:apps:{appType}:{appId} |
| All access certifications | orn:{partition}:governance:{yourOrgId}:certifications |
| All access requests | orn:{partition}:governance:{yourOrgId}:requests |
| An entitlement bundle | orn:{partition}:governance:{yourOrgId}:entitlement-bundles:{bundleId} |
| An entitlement value | orn:{partition}:governance:{yourOrgId}:entitlement-values:{entitlementValueId} |
| A collection | orn:{partition}:governance:{yourOrgId}:collections:{collectionId} |
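As an added example (not Okta's own code), the following Python helper builds and parses ORNs in the shapes listed in the table above, deriving the partition from the tenant host name as described later in this article. The SUPPORTED set mirrors the table; the org and object ids used when calling it are constructed values, and the segment check that rejects a ':' inside an id is an assumption added so that a caller-supplied id cannot append extra fields to the ORN.

```python
from urllib.parse import urlparse

# (service, objectType) pairs taken from the Supported Resources table above.
SUPPORTED = {
    ("directory", "users"), ("directory", "groups"), ("directory", "realms"),
    ("idp", "apps"), ("governance", "certifications"), ("governance", "requests"),
    ("governance", "entitlement-bundles"), ("governance", "entitlement-values"),
    ("governance", "collections"),
}

def id_segments(object_type):
    """Allowed id counts: apps use {appType}:{appId}; every other type takes one id or none."""
    return (0, 2) if object_type == "apps" else (0, 1)

def partition_from_domain(domain):
    """Derive {partition} from the tenant host name (okta.com vs oktapreview.com)."""
    host = urlparse(domain if "://" in domain else "https://" + domain).hostname or ""
    if host.endswith(".oktapreview.com"):
        return "oktapreview"
    if host.endswith(".okta.com"):
        return "okta"
    raise ValueError(f"not an Okta tenant host: {host!r}")

def build_orn(domain, org_id, service, object_type, *ids):
    """Assemble an ORN for a resource in the table, validating every segment."""
    if (service, object_type) not in SUPPORTED:
        raise ValueError(f"unsupported resource {service}:{object_type}")
    if len(ids) not in id_segments(object_type):
        raise ValueError(f"{object_type} takes {id_segments(object_type)} ids, got {len(ids)}")
    for seg in (org_id, *ids):
        if not seg or ":" in seg:  # assumption: a ':' inside an id would add fields to the ORN
            raise ValueError(f"bad segment {seg!r}")
    return ":".join(("orn", partition_from_domain(domain), service, org_id, object_type, *ids))

def parse_orn(orn):
    """Split an ORN into named parts; reject shapes the table does not list."""
    parts = orn.split(":")
    if len(parts) < 5 or parts[0] != "orn" or parts[1] not in ("okta", "oktapreview"):
        raise ValueError(f"malformed ORN: {orn!r}")
    _, partition, service, org_id, object_type, *ids = parts
    result = {"partition": partition, "service": service, "orgId": org_id,
              "objectType": object_type, "ids": ids, "containedResources": False}
    if object_type == "contained_resources" and not ids:  # tenant-wide container form
        return {**result, "objectType": None, "containedResources": True}
    if ids and ids[-1] == "contained_resources":  # {objectId}:contained_resources form
        result.update(ids=ids[:-1], containedResources=True)
    if (service, object_type) not in SUPPORTED or len(result["ids"]) not in id_segments(object_type):
        raise ValueError(f"unsupported ORN shape: {orn!r}")
    return result
```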
The supported API endpoints:
| Resource | Okta API REST URL |
| --- | --- |
| All users | https://{yourOktaDomain}/api/v1/users |
| A specific user | https://{yourOktaDomain}/api/v1/users/{userId} |
| All groups | https://{yourOktaDomain}/api/v1/groups |
| A specific group | https://{yourOktaDomain}/api/v1/groups/{groupId} |
| All realms | https://{yourOktaDomain}/api/v1/realms |
| A specific realm | https://{yourOktaDomain}/api/v1/realms/{realmId} |
| All apps | https://{yourOktaDomain}/api/v1/apps |
| A specific app | https://{yourOktaDomain}/api/v1/apps/{appId} |
| All access certifications | https://{yourOktaDomain}/governance/api/v1/campaigns |
| All access requests (V1) | https://{yourOktaDomain}/governance/api/v1/requests |
| All access requests (V2) | https://{yourOktaDomain}/governance/api/v2/requests |
| Get Entitlements | https://{yourOktaDomain}/governance/api/v1/entitlements |
| Get Entitlement Values | https://{yourOktaDomain}/governance/api/v1/entitlements/values |
| Get Collections | https://{yourOktaDomain}/governance/api/v1/collections |
Methods to derive an ORN
Determining {partition}
The partition is simply the environment visible in the Okta tenant host name:
- https://{tenantName}.okta.com = partition okta
- https://{tenantName}.oktapreview.com = partition oktapreview
Determining {yourOrgId}
The org ID is not as easily visible as the partition. The easiest way to determine it is to call an API; instructions on how to use the API to pull the org ID can be found in the How to Find the Okta OrgId article.
Determining {appType} and {appId}
- Log in to the Okta Admin Console.
- Navigate to the Applications > Applications section.
- Find the desired application and click on it.
- The {appType} and {appId} are part of the URL in the administrative panel, which follows this format:
  https://{tenantName}-admin.oktapreview.com/admin/app/{appType}/instance/{appId}/#tab-assignments
  For example:
  https://your-okta-domain.com/admin/app/oidc_client/client/0oal5aedkkx4TNnPm1d7#tab-general (OIDC app)
  https://your-okta-domain.com/admin/app/TestApp_s1/instance/0oakzkm8ozawSvRVL1d7/#tab-assignments (SAML app)
  https://your-okta-domain.com/admin/app/salesforce/instance/0oa9d0l878boNXWzs1d7/#tab-assignments (OIN catalog app)
Determining {groupId}
- Log in to the Okta Admin Console.
- Navigate to the Directory > Groups section.
- Find the desired group and click on it.
- The group ID is the last path segment of the URL in the administrative panel. For example, in the following URL the groupId is 00gga58j68YCcZ9Zh1d7:
  https://your-okta-domain.com/admin/group/00gga58j68YCcZ9Zh1d7
Determining {userId}
- Log in to the Okta Admin Console.
- Navigate to the Directory > People section.
- Find the desired user profile and click on it.
- The user ID is the last path segment of the URL in the administrative panel. For example, in the following URL the userId is abcdefgh123454654875454:
  https://your-okta-domain.com/admin/user/profile/view/abcdefgh123454654875454
Determining {bundleId}
- Log in to the Okta Admin Console.
- Navigate to the Applications > Applications section.
- Find the application with governance enabled.
- Navigate to the Governance tab.
- Navigate to the Bundles tab.
- Select the target bundle and click Actions > Edit.
- The bundle ID is the path segment after /bundles/ in the URL of the administrative panel. For example, in the following URL the bundleId is enbxpt1ogCEmrRa2T1d6 (the earlier segment, 0oa9h0l878boNXWzs1d7, is the appId):
  https://your-okta-domain.com/admin/app/em/instance/0oa9h0l878boNXWzs1d7/entitlements/bundles/enbxpt1ogCEmrRa2T1d6/edit
Determining {entitlementValueId}
The entitlement value ID is specific to the application in which the value was created or imported. To retrieve it you need two API calls:
- Pull the list of entitlements assigned to the application with the List entitlements operation: https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlements/#tag/Entitlements/operation/listEntitlements
- Then pull the list of entitlement values under the entitlement returned in the previous step with the List all entitlement values operation: https://developer.okta.com/docs/api/iga/openapi/governance.api/tag/Entitlements/#tag/Entitlements/operation/listAllEntitlementValues
Determining {collectionId}
- Log in to the Okta Admin Console.
- Find the application with governance enabled.
- Navigate to the Okta Identity Governance section.
- Select the Resource Collections menu.
- Find the collection and select the View button.
- The collection ID is the last path segment of the URL in the administrative panel. For example, in the following URL the collectionId is col1047tkvYH3ALCK1d7:
  https://your-okta-domain.com/admin/governance/collections/col1047tkvYH3ALCK1d7
