> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ravenna.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Client secret setup

> Connect Okta to Ravenna using the OIN marketplace API Service Integration with client secret authentication for fast setup in most workspaces.

<Info>Easy setup through Okta OIN API Integration Service marketplace</Info>

The Client Secret integration method allows you to quickly connect to your Okta organization through the OIN (Okta Integration Network) marketplace. This is the easiest way to set up the integration, though it's less secure than the Private Key method.

## Prerequisites

Before you begin, ensure you have:

* Okta Super Admin or Application Administrator access
* Your Okta organization domain
* Permissions to create API Service Integrations

## Setup guide

### Install integration from Okta API Integration Store

<Steps>
  <Step title="Access Okta API Service Catalog">
    Log in to your Okta Admin Console and navigate to the API Service Catalog
    <Frame>![Custom](https://d1kzozfjh72w00.cloudfront.net/docs/images/okta/client-secret/okta-api-service-catalog.png)</Frame>
  </Step>

  <Step title="Find integration">
    Search for "Ravenna" in the API Service Catalog and select it
  </Step>

  <Step title="Configure domain and Client ID">
    Configure your Okta domain and note the Client ID that will be generated
    <Frame>![Custom](https://d1kzozfjh72w00.cloudfront.net/docs/images/okta/client-secret/okta-integration-client-domain-and-client-id.png)</Frame>
  </Step>

  <Step title="Get Client Secret">
    Copy the Client Secret that is generated for your integration
    <Frame>![Custom](https://d1kzozfjh72w00.cloudfront.net/docs/images/okta/client-secret/okta-integration-client-secret.png)</Frame>
  </Step>

  <Step title="Grant required scopes">
    Ensure the integration has the following Okta API scopes:

    * `okta.users.read`
    * `okta.users.manage`
    * `okta.groups.read`
    * `okta.groups.manage`
    * `okta.apps.read`
    * `okta.apps.manage`
    * `okta.factors.read`
    * `okta.factors.manage`
  </Step>

  <Step title="Assign admin roles">
    Grant the following admin roles to the integration:

    * `Application Administrator`
    * `Group Administrator`
    * `Help Desk Administrator` or `Super Administrator` (required for password and MFA reset)
  </Step>
</Steps>

### Add integration

<Steps>
  <Step title="Navigate to integrations">
    Go to **Settings > Integrations**
    <Frame>![Custom](https://d1kzozfjh72w00.cloudfront.net/docs/images/okta/ravenna-organization-integrations.png)</Frame>
  </Step>

  <Step title="Select Okta integration">
    Select **Okta** from the available integrations
    <Frame>![Custom](https://d1kzozfjh72w00.cloudfront.net/docs/images/okta/select-okta-integration-type.png)</Frame>
  </Step>

  <Step title="Select Client Secret method">
    Select **Client Secret** as your authentication method
  </Step>

  <Step title="Enter integration details">
    Provide the following information:

    1. **Okta Domain**: Your Okta domain (e.g., `https://your-org.okta.com`)
    2. **Client ID**: The Client ID from your Okta integration
    3. **Client Secret**: The Client Secret from your Okta integration
       <Frame>![Custom](https://d1kzozfjh72w00.cloudfront.net/docs/images/okta/client-secret/add-okta-client-secret-information.png)</Frame>
  </Step>

  <Step title="Complete setup">
    Click **Add Okta** to complete the integration setup
  </Step>
</Steps>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Invalid credentials error">
    **Cause**: Client ID or Client Secret is incorrect

    **Solution**:

    * Verify the Client ID and Client Secret are copied correctly
    * Ensure there are no extra spaces or characters
    * Check that the integration still exists in Okta
    * Try creating a new integration if credentials are lost
  </Accordion>

  <Accordion title="Missing scopes or partial sync">
    **Cause**: The integration was created with a subset of the required Okta API scopes.

    **Behavior**: Ravenna no longer blocks integration setup when some scopes are missing. The integration is created with the scopes you granted, and any resource Ravenna can't read (users, groups, or applications) syncs as empty until the missing scope is added.

    **Solution**:

    * Verify all required scopes are granted in Okta
    * Check that the integration has Application Administrator role
    * Ensure Group Administrator role is assigned
    * For password and MFA reset, assign `Help Desk Administrator` or `Super Administrator`
    * After granting the missing scopes, trigger a resync from the integration page (no need to disconnect and reconnect)
  </Accordion>

  <Accordion title="Password or MFA reset fails with a permission error (403)">
    **Cause**: Okta enforces credential reset through admin roles, separately from API scopes, so the integration can have every scope and still be blocked. `Application Administrator` and `Group Administrator` cannot reset credentials.

    **Solution**:

    * Assign `Help Desk Administrator` or `Super Administrator` to the integration
    * Retry the action; no resync or reconnect is needed
  </Accordion>

  <Accordion title="Domain not found error">
    **Cause**: Incorrect Okta domain

    **Solution**:

    * Verify the domain matches your Okta organization (e.g., `https://your-org.okta.com`)
    * Ensure the domain is active and accessible
    * Check for typos in the domain name
  </Accordion>
</AccordionGroup>

## Features

Once connected, you can use Okta actions in workflows:

<Card title="Okta Actions" icon="okta" href="/documentation/automate/workflows/workflow-builder#okta-actions">
  Manage user group memberships, assign applications, and check group membership for access management
</Card>
