BeginnerIdentity Provider8 min read

Connect Okta to Gateco

Connect your Okta organization to Gateco in under 10 minutes. Covers API token creation, domain identification, and automated user and group sync.

Last updated: May 21, 2026

Prerequisites

  • An Okta organization (developer account at developer.okta.com or a paid org)
  • Okta administrator access to create API tokens

Overview — 4 steps

  1. 1Find your Okta domain
  2. 2Create an API token
  3. 3Add credentials to Gateco
  4. 4Trigger initial sync

Gateco connects to Okta using the Management API with SSWS token authentication. Once connected, Gateco runs Okta group sync every 60 minutes (configurable) and makes users and groups available as principals for identity-aware retrieval — enabling RAG access control policies based on your Okta workforce identity groups.

Okta integration requires the Growth plan or above.

Step 1 — Find your Okta domain

Your Okta domain is the hostname part of your Admin Console URL.

If your Admin Console URL is...Your Okta domain is...
https://dev-12345.okta.com/admindev-12345.okta.com
https://mycompany.okta.com/adminmycompany.okta.com
https://mycompany.oktapreview.com/adminmycompany.oktapreview.com

Pass only the hostname — no https:// prefix, no /admin suffix.

Step 2 — Create an API token

  1. In the Okta Admin Console, navigate to Security → API → Tokens.
  2. Click Create Token.
  3. Give it a name (e.g. gateco-sync).
  4. Copy the token value immediately — it is shown only once.

For least-privilege access, create the token using an account with the Read-only Administrator role. This restricts the token to read operations only.

Step 3 — Add credentials to Gateco

  1. In the Gateco dashboard, navigate to Identity Providers → Add provider → Okta.
  2. Enter your Okta domain and API token.
  3. Click Test connection. Gateco will display the number of users and groups found.
  4. Click Save.
FieldValue
Okta DomainYour org hostname (e.g. dev-12345.okta.com)
API TokenThe SSWS token from Step 2

Step 4 — Trigger initial sync

After saving the provider, click Sync now. Gateco will:

  1. Fetch all active users via GET /api/v1/users.
  2. Fetch all groups via GET /api/v1/groups.
  3. Fetch group memberships for each group.
  4. Create or update Principal records.

Once synced, principals appear in the Principals list and are available for policy conditions.

How Gateco uses your Okta data

Okta fieldGateco principal fieldUse in policy conditions
profile.emailemailprincipal.email
profile.displayNamedisplay_nameDisplay only
profile.departmentattributes.departmentprincipal.attributes.department
Group membershipgroups arrayprincipal.groups

Troubleshooting

ErrorCauseFix
Authentication failed (401)Invalid or expired API tokenRegenerate the API token in Okta and update it in Gateco
Zero users syncedOkta domain includes https:// prefixRemove the https:// prefix and pass only the hostname
Department attribute emptyOkta profile.department not setSet the Department attribute on users in Okta Directory → People → user profile

Frequently asked questions

Where do I find my Okta domain?

Your Okta domain is the subdomain in your Admin Console URL. If you access the Admin Console at https://dev-12345.okta.com/admin, your Okta domain is dev-12345.okta.com. Do not include https:// or /admin — pass only the hostname.

What permissions does the Okta API token need?

Gateco uses a standard SSWS API token, which inherits the permissions of the admin user who created it. For least-privilege access, create the token using an account with the Read-only Administrator role — sufficient for Okta group sync and identity-aware retrieval with no write permissions. This grants read access to Users, Groups, and Directories only.

What plan does the Okta integration require?

Connecting a real Okta organization requires the Growth plan or above. Free and Team plan users can use a stub IDP for development and testing. Developer Okta accounts are free at developer.okta.com.

Ready to add policy-aware retrieval?

Connect your Okta setup to Gateco in under 5 minutes.

Get started freeView docs