Sync with Okta
This article will help you get started using Directory Connector to sync users and groups from your Okta directory to your Bitwarden organization.
Directory Connector requires an Okta-generated API token to connect to your directory. Complete the following steps to create and obtain an Okta API token for use by Directory Connector:
From your Okta Developer Console (https://yourdomain-admin.okta.com), navigate to Security → API → Tokens.
Select the Create token button and give your token a Bitwarden-specific name (for example, bitwarden-dc).
Copy the generated Token value to the clipboard.
Warning: Your token value will not be shown again. Paste it somewhere safe to prevent it from being lost.
Complete the following steps to configure Directory Connector to use your Okta Directory:
Open the Directory Connector desktop app.
Navigate to the Settings tab.
From the Type dropdown, select Okta.
The available fields in this section will change according to your selected type.
Enter your Okta Organization URL in the Organization URL field (for example, https://yourdomain.okta.com).
Paste the API Token Value in the Token field.
Tip: When you're finished configuring, navigate to the More tab and select the Clear Sync Cache button to prevent potential conflicts with prior sync operations. For more information, see Clear Sync Cache.
Complete the following steps to configure the settings used when syncing using Directory Connector:
Open the Directory Connector desktop app.
Navigate to the Settings tab.
In the Sync section, configure the following options as desired:
Option | Description |
---|---|
Interval | Time between automatic sync checks (in minutes). |
Remove disabled users during sync | Check this box to remove users from the Bitwarden organization that have been disabled in your directory. |
Overwrite existing organization users based on current sync settings | Check this box to always perform a full sync and remove any users from the Bitwarden organization if they are not in the synced user set. |
More than 2000 users or groups are expected to sync | Check this box if you expect to sync 2000+ users or groups. If you don't check this box, Directory Connector will limit a sync to 2000 users or groups. |
Sync users | Check this box to sync users to your organization. |
User Filter | See Specify sync filters. |
Sync groups | Check this box to sync groups to your organization. |
Group Filter | See Specify sync filters. |
Use comma-separated lists to include or exclude based on user email or group name. Additionally, Okta APIs provide limited filtering capabilities for users and groups that may be used in Directory Connector filter fields.
Consult Okta documentation for more information about using the filter parameter for users and groups.
User filters
Include/Exclude users by email
To include or exclude specific users based on email address:
include:joe@example.com,bill@example.com,tom@example.com
exclude:joe@example.com,bill@example.com,tom@example.com
Concatenate with filter
To concatenate a user filter with the filter parameter, use a pipe (|):
include:john@example.com,bill@example.com|profile.firstName eq "John"
exclude:john@example.com,bill@example.com|profile.firstName eq "John"
Use only filter
To use only the filter parameter, prefix the query with a pipe (|):
|profile.lastName eq "Smith"
Group filters
Note: Syncing nested groups is not supported by Okta.
Include/Exclude groups
To include or exclude groups by name:
include:Group A,Group B
exclude:Group A,Group B
Concatenate with filter
To concatenate a group filter with the filter parameter, use a pipe (|):
include:Group A|type eq "APP_GROUP"
exclude:Group A|type eq "APP_GROUP"
Use only filter
To use only the filter parameter, prefix the query with a pipe (|):
|type eq "BUILT_IN"
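The user and group filter syntax described above, as an added example that is not Directory Connector's own code: it splits a filter string into its include/exclude list and the Okta filter expression, applies the list locally to constructed sample data, and returns the expression unchanged so it can be passed to Okta's filter parameter. It assumes the list and the Okta expression apply together, and that matching on email and group name is case-insensitive.

```javascript
// Added example (not Directory Connector's own code). Parses the filter syntax
// shown on this page: "include:a,b", "exclude:a,b", "include:a,b|<okta filter>",
// or "|<okta filter>". The text after the first pipe is Okta's `filter` parameter;
// it is returned verbatim rather than evaluated here.
function parseDcFilter(filter) {
  const text = (filter || "").trim();
  const pipe = text.indexOf("|"); // first pipe separates the list from the Okta filter
  const listPart = pipe === -1 ? text : text.slice(0, pipe);
  const oktaFilter = pipe === -1 ? null : text.slice(pipe + 1).trim() || null;
  let mode = null;
  let values = [];
  if (listPart.trim().length > 0) {
    const m = /^(include|exclude):(.*)$/i.exec(listPart.trim());
    if (!m) {
      throw new Error(`filter list must start with include: or exclude: (got "${listPart}")`);
    }
    mode = m[1].toLowerCase();
    values = m[2]
      .split(",")
      .map((v) => v.trim().toLowerCase())
      .filter((v) => v.length > 0);
  }
  return { mode, values, oktaFilter };
}

// Applies the include/exclude list to directory entries, matching on `key`
// (assumed: "email" for users, "name" for groups), case-insensitively.
// With no list (a "|expr"-only filter) every entry is kept.
function applyListFilter(parsed, entries, key) {
  if (parsed.mode === null) return entries.slice();
  const wanted = new Set(parsed.values);
  const include = parsed.mode === "include";
  return entries.filter((e) => wanted.has(String(e[key]).toLowerCase()) === include);
}

// Constructed sample data, not taken from any real directory.
const sampleUsers = [
  { email: "john@example.com", firstName: "John" },
  { email: "bill@example.com", firstName: "Bill" },
  { email: "tom@example.com", firstName: "Tom" },
];

// Walks through the "concatenate with filter" case from the page.
function demo() {
  const parsed = parseDcFilter('include:john@example.com,bill@example.com|profile.firstName eq "John"');
  return {
    emails: applyListFilter(parsed, sampleUsers, "email").map((u) => u.email),
    oktaFilter: parsed.oktaFilter,
  };
}
```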
Tip: Before testing or executing a sync, check that Directory Connector is connected to the right cloud server (e.g. US or EU) or self-hosted server. Learn how to do so with the desktop app or CLI.
To test whether Directory Connector will successfully connect to your directory and return the desired users and groups, navigate to the Dashboard tab and select the Test Now button. If successful, users and groups will be printed to the Directory Connector window according to the specified sync options and filters.
Once sync options and filters are configured as desired, you can begin syncing. Complete the following steps to start automatic sync with Directory Connector:
Open the Directory Connector desktop app.
Navigate to the Dashboard tab.
In the Sync section, select the Start Sync button.
You may alternatively select the Sync Now button to execute a one-time manual sync.
Directory Connector will begin polling your directory based on the configured sync options and filters.
If you exit or close the application, automatic sync will stop. To keep Directory Connector running in the background, minimize the application or hide it to the system tray.
Note: If you're on the Teams Starter plan, you are limited to 10 members. Directory Connector will display an error and stop syncing if you try to sync more than 10 members.
This plan is no longer available for purchase. This error does not apply to Teams plans.