Interested in using Okta auto check-in? Contact your customer success manager or email our support team at [email protected].
Overview
The Okta platform secures your employees, contractors, and partners — wherever they are. It covers every part of the Identity lifecycle, from governance to access to privileged controls.
How does this integration work?
The Envoy + Okta integration allows employees to check into the workplace automatically. Envoy leverages identity-based access control and maps the IP of your office to identify the physical location of the employee logging into Okta. If the employee uses Okta in your workplace, they are automatically checked in for that day!
Prerequisites
You must be an administrator for your Okta instance to complete this installation. Either become an administrator or ask your admin for help before completing these steps.
For use with a VPN, please ensure that the VPN is detected by Okta, or the exit node of the VPN is unique and can be distinguished from your workplace network IPs.
Enabling the Envoy + Okta integration
Step 1: Okta app creation
After logging in to your Okta Admin account, go to Applications -> Create app integration.
Under OIDC, select Open ID Connect. For Application type, select Web Application.
Name your web app integration “Envoy - Auto Check-in” and select Core Grants -> Authorization Code and refresh token.
For the sign-in redirect URIs, add "https://workflows.envoy.com/redirect” and delete any Sign-out redirect URIs, if applicable.
Click Save to complete the creation of the app.
Step 2: Okta App configuration
Navigate to the Assignments tab on the Applications page. Assign the admin account using the Assign dropdown.
Navigate to the Okta API scopes tab. Locate "okta.eventHooks.manage” and "okta.eventHooks.read” and select Grant.
Navigate back to the General tab. Here, Okta will give you a
clientIdandclientSecret. We will use these in the configuration within Envoy.
Step 3: Installing the App within Envoy
Navigate to the Envoy Dashboard, then Integrations > All integrations.
Search for “Okta Auto Sign-in” and click install.
API access: This step allows Envoy to set up the user’s Okta Webhook for logins, notifying Envoy about login events.
Click Connect Account.
Enter your Okta organization and click Save.
You’ll be prompted to sign in to your Okta Account using the Client ID and Client Secret, shown in step 2.3.
Workplace configuration
This step defines the CIDR block that Envoy uses to recognize employees as "onsite." You can add multiple CIDR blocks per location, and edit existing CIDR blocks if needed.
Use the Envoy Location dropdown to select the Envoy location you want to enable.
Under the cidrList column, add the corresponding CIDR block. It must be in a valid format.
Click Next Step to save the configuration.
The "next step" button will be greyed out if the formatting is not valid.
Event filter
If your company uses a device management tool (like Jamf or Kandji) that triggers background authentication events, you can ignore those events using the rawUserAgent field in your Okta logs. You can add keywords (e.g., jamf) to the Excluded Words filter. This ensures only explicit, user-driven sign-ins are counted, skipping system-generated sessions and preventing false check-ins.
Under Excluded Words, add any words you need to filter out. Each word needs to be on its own line.
Leave this box blank if you do not need to exclude any authentication events.
Click Complete Setup to save.
Viewing auto check-in results
Once your integration installation is complete, navigate to Workplace > Access log. For any check-ins completed by this integration, "Okta" will be listed in the Integration name column.
Note: The Entrance name column will be blank, since this access event is not dependent on a physical entrance.