The Okta MCP Server enables AI models to interact directly with Okta environments. It provides tools for user management (listing users, retrieving user details), group operations (listing groups and members), application management (listing applications and assigned users), policy and network management (listing policy rules and network zones), and system log event retrieval.
What's New in v0.1.1-BETA - Enterprise-Grade Special Tools!
This release introduces special tools aimed at the day-to-day tasks of Okta administrators:
NEW: Special Tools for Okta Admins
Comprehensive Access Analysis: Answers the question Okta admins are asked most often: can user X access app Y?
Advanced Login Risk Assessment: Behavioral analysis with VPN/Tor detection and geographic impossibility (impossible travel) checks, useful when triaging "suspicious login" reports.
Real-World Example - Access Analysis:
Real-World Example - Login Risk Assessment:
Core Architecture
FastMCP 2.0: Migrated from the legacy MCP package to FastMCP 2.0 for current protocol features
Cleaner Code: Removed the tool_registry.py dependency for a simpler, more maintainable codebase
Better Performance: Modern async patterns and optimized request handling
Enhanced Tools
Complete Rewrite: All tools rewritten with better annotations and descriptions so the model understands when and how to call them
Improved Validation: Enhanced error handling and input validation across all operations
Unified Client
Single CLI: New unified command-line client supporting multiple transports (STDIO, HTTP)
Simplified Setup: Streamlined configuration with sensible defaults
Advanced Security
Bearer Tokens: JWT bearer token support with jwks_uri validation
Enterprise Auth: Support for enterprise authentication flows and scope-based access
Future-Ready
Sampling Support: Foundation for advanced request sampling capabilities
Middleware Ready: Extensible middleware system for custom processing
Protocol Evolution: Access to the latest MCP features as they are developed and standardized
What is the Model Context Protocol?
IMPORTANT: Security & Limitations
Please read this section carefully before using Okta MCP Server.
Data Flow & Privacy
When you make a request, the interaction happens between the LLM and the Okta MCP tools; the client application only relays the messages and does not filter or redact what passes through. Everything a tool returns (complete user profiles, group memberships, and so on) is sent to the LLM and stays in its context for the rest of that conversation.
Key Privacy Considerations:
The LLM (Claude, GPT, etc.) receives and processes all Okta data retrieved by the tools
This data remains in the LLM's context for the duration of the conversation
You must be comfortable with your Okta user data being processed by the LLM provider's systems
Before using these tools, make sure that sending Okta data to the AI model's servers is acceptable under your organization's data-handling rules
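Because nothing between the tool and the model filters what is returned, the practical control is to send the model only the fields a question needs. The following is an added example (not code from the Okta MCP Server) of an allow-list projection applied to an Okta user record before it is handed back as a tool result. The record layout (id, status, profile, credentials, _links) follows the Okta Users API; the default field list, the helper names and the sample record are this example's own assumptions.

```python
"""Allow-list projection of Okta user records before they enter the LLM context.

Added example; not code from the Okta MCP Server. The record layout follows the
Okta Users API, but the default field list and the sample record are assumptions.
"""
import copy

# Fields worth forwarding for typical "who is this user / can they access X" questions.
# Anything not listed (credentials, phone numbers, addresses, HAL links) is dropped.
DEFAULT_FIELDS = (
    "id", "status", "created", "lastLogin",
    "profile.login", "profile.email", "profile.firstName",
    "profile.lastName", "profile.department",
)

_MISSING = object()  # sentinel: distinguishes an absent key from an explicit null


def _lookup(record, path):
    """Walk a dotted path through nested dicts; return _MISSING if any hop is absent."""
    node = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def project(record, fields=DEFAULT_FIELDS):
    """Return a new dict containing only the allow-listed dotted paths from record."""
    out = {}
    for path in fields:
        value = _lookup(record, path)
        if value is _MISSING:
            continue
        parts = path.split(".")
        dest = out
        for part in parts[:-1]:
            dest = dest.setdefault(part, {})
        dest[parts[-1]] = copy.deepcopy(value)   # never alias the original record
    return out


def project_all(records, fields=DEFAULT_FIELDS):
    """Apply project() to a list of records (e.g. the output of list_okta_users)."""
    return [project(r, fields) for r in records]


# Constructed sample resembling an Okta user object; every value is made up.
SAMPLE_USER = {
    "id": "00u1abcdEFGHijklm4x7",
    "status": "ACTIVE",
    "created": "2024-11-02T10:15:00.000Z",
    "lastLogin": None,
    "profile": {
        "login": "john@company.com",
        "email": "john@company.com",
        "firstName": "John",
        "lastName": "Doe",
        "department": "Sales",
        "mobilePhone": "+1 555 0100",
        "streetAddress": "1 Example Way",
    },
    "credentials": {"password": {}, "provider": {"type": "OKTA", "name": "OKTA"}},
    "_links": {"self": {"href": "https://dev-1606.okta.com/api/v1/users/00u1abcdEFGHijklm4x7"}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(project(SAMPLE_USER), indent=2))
```

An allow-list is preferable to a deny-list here: custom profile attributes vary per tenant, and a new sensitive attribute added to the profile schema is silently dropped rather than silently forwarded.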
Context Window Limitations
MCP is designed for lightweight workflows similar to Zapier, not bulk data operations.
Recommendation: Limit requests to fewer than 100 entities per transaction. Avoid operations that require fetching large datasets or chaining many API calls.
Examples:
Avoid requests like these:
"Fetch all 10,000 users from our Okta tenant and analyze their login patterns"
"Find users who do not have Okta Verify enrolled as a factor" (this needs every user plus a factor lookup per user)
Better approaches:
"Get the most recently created 20 users"
"Find users who haven't logged in for 90+ days, limit to first 50 results"
For larger data sets and complex queries: consider the Okta AI Agent. The agent is being enhanced with similar "actionable" features to handle larger datasets and more complex scenarios in the near future.
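The recommendation above is only enforceable if the tool layer refuses over-budget requests and stops paging once the budget is spent. The following is an added example (not the Okta MCP Server's own code) of such a guard. What it relies on from Okta is real: list endpoints accept a `limit` query parameter and return a `Link: <url>; rel="next"` header whose `after` query parameter is the cursor for the next page. The 100-entity ceiling mirrors the recommendation above; the function names, the fake in-memory tenant and the sample Link header are constructed for this example.

```python
"""Keep every Okta list call bounded and paginated so one tool invocation cannot
drag an entire tenant into the model's context.

Added example, not the Okta MCP Server's own code. Function names, the fake
tenant and the sample Link header are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

MAX_ENTITIES_PER_CALL = 100   # budget for a single tool call, per the guidance above

# Okta returns e.g.  Link: <https://org/api/v1/users?limit=20&after=00u...>; rel="next"
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


class BulkRequestRefused(ValueError):
    """Raised instead of silently fetching more than the budget allows."""


def next_cursor(link_header):
    """Return the `after` cursor from an Okta Link header, or None on the last page."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return parse_qs(urlsplit(url).query).get("after", [None])[0]
    return None


def bounded_params(limit, search=None, after=None):
    """Build query parameters for a list call, refusing over-budget requests up front."""
    if limit < 1:
        raise ValueError("limit must be positive")
    if limit > MAX_ENTITIES_PER_CALL:
        raise BulkRequestRefused(
            f"{limit} entities requested; cap is {MAX_ENTITIES_PER_CALL}. "
            "Narrow the search or use a bulk tool instead.")
    params = {"limit": limit}
    if search:
        params["search"] = search      # e.g. 'status eq "ACTIVE"'
    if after:
        params["after"] = after
    return params


def collect_bounded(fetch_page, budget, search=None):
    """Walk pages via fetch_page(params) -> (items, link_header) until budget is met.

    Returns (items, truncated). truncated is True when more data existed but the
    budget stopped the walk, so the caller can tell the model the view is partial.
    """
    items, after = [], None
    while True:
        remaining = budget - len(items)
        if remaining <= 0:
            return items, True
        page, link = fetch_page(bounded_params(remaining, search=search, after=after))
        items.extend(page[:remaining])
        after = next_cursor(link)
        if after is None:
            return items, len(page) > remaining


def make_fake_tenant(total, base="https://dev-1606.okta.com/api/v1/users"):
    """Simulate an Okta list endpoint over `total` fake users with Link-header paging.

    Real Okta cursors are opaque; this fake uses the last id of a page as the cursor.
    """
    ids = [f"00u{n:017d}" for n in range(total)]

    def fetch_page(params):
        start = ids.index(params["after"]) + 1 if params.get("after") else 0
        page = ids[start:start + params["limit"]]
        link = f'<{base}?limit={params["limit"]}>; rel="self"'
        if start + len(page) < total:
            link += f', <{base}?limit={params["limit"]}&after={page[-1]}>; rel="next"'
        return [{"id": i} for i in page], link

    return fetch_page


if __name__ == "__main__":
    fetch = make_fake_tenant(45)
    print(collect_bounded(fetch, 30))   # 30 items, truncated=True
```

Returning the `truncated` flag alongside the data matters: a model that receives 50 of 500 users without being told so will happily report conclusions about "all users".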
HTTP Transport Security Warning
The HTTP transport modes (both Streamable HTTP and SSE) carry significant security risks:
They open an HTTP server with full access to your Okta tenant
No authentication or authorization is enforced on that server
Anyone who can reach the network port can issue commands to your Okta environment
This is EXTREMELY DANGEROUS when combined with remote HTTP access via mcp-remote
Best Practice: Only use the STDIO transport (the default) unless you have specific security controls in place and understand the risks.
Available Tools
The Okta MCP Server currently provides the following tools:
Special Tools - Enterprise Admin Accelerators
Access Analysis & Troubleshooting
analyze_user_app_access - Complete evaluation of a user's access to an application, including policy analysis (replaces 10-15 minutes of manual navigation in the Okta Admin Console)
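To make concrete what an access evaluation has to combine, here is an added example (not the analyze_user_app_access implementation) that answers "can user X access app Y, and why?" from the kind of data the standard tools return. It uses a deliberately simplified model of Okta: an app assignment is either direct (scope USER) or via a group (scope GROUP), and a sign-on policy is an ordered list of rules whose people.groups and network conditions decide ALLOW or DENY, first match wins. The real Okta policy engine has more condition types; all sample ids and rules below are constructed.

```python
"""Assignment path plus first-match policy decision for one user and one app.

Added example; not the Okta MCP Server's analyze_user_app_access tool. The policy
model is simplified (group and network-zone conditions only) and all ids are made up.
"""


def _groups_match(people, user_groups):
    """people.groups.include/exclude semantics: excluded wins, empty include = anyone."""
    groups = (people or {}).get("groups", {})
    include = set(groups.get("include", []))
    exclude = set(groups.get("exclude", []))
    if user_groups & exclude:
        return False
    return not include or bool(user_groups & include)


def _network_match(network, client_zones):
    """network.connection ANYWHERE matches all; ZONE matches by included/excluded zones."""
    network = network or {"connection": "ANYWHERE"}
    if network.get("connection", "ANYWHERE") == "ANYWHERE":
        return True
    include = set(network.get("include", []))
    exclude = set(network.get("exclude", []))
    if client_zones & exclude:
        return False
    return not include or bool(client_zones & include)


def first_matching_rule(rules, user_groups, client_zones):
    """Rules are evaluated in priority order and the first match decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("status", "ACTIVE") != "ACTIVE":
            continue
        cond = rule.get("conditions", {})
        if (_groups_match(cond.get("people"), user_groups)
                and _network_match(cond.get("network"), client_zones)):
            return rule
    return None


def analyze_access(user_id, user_groups, app, client_zones=frozenset()):
    """Return how the user is assigned (if at all) and which rule decides access."""
    user_groups = set(user_groups)
    client_zones = set(client_zones)
    if user_id in app["assigned_users"]:
        via = "USER"                                   # direct assignment
    else:
        common = sorted(user_groups & set(app["assigned_groups"]))
        via = f"GROUP:{common[0]}" if common else None  # first assigning group
    if via is None:
        return {"app": app["label"], "assigned": False, "via": None,
                "rule": None, "decision": "NOT_ASSIGNED"}
    rule = first_matching_rule(app["signon_rules"], user_groups, client_zones)
    decision = rule["actions"]["signon"]["access"] if rule else "DENY"
    return {"app": app["label"], "assigned": True, "via": via,
            "rule": rule["name"] if rule else None, "decision": decision}


# Constructed sample data (ids mimic Okta prefixes: 00u user, 00g group, nzo zone).
SALESFORCE = {
    "label": "Salesforce",
    "assigned_users": {"00u_bob"},
    "assigned_groups": {"00g_sales"},
    "signon_rules": [
        {"name": "Contractors from corporate network", "priority": 0,
         "conditions": {"people": {"groups": {"include": ["00g_contractors"]}},
                        "network": {"connection": "ZONE", "include": ["nzo_corp"]}},
         "actions": {"signon": {"access": "ALLOW"}}},
        {"name": "Contractors elsewhere", "priority": 1,
         "conditions": {"people": {"groups": {"include": ["00g_contractors"]}},
                        "network": {"connection": "ANYWHERE"}},
         "actions": {"signon": {"access": "DENY"}}},
        {"name": "Default rule", "priority": 2, "conditions": {},
         "actions": {"signon": {"access": "ALLOW"}}},
    ],
}
USER_GROUPS = {
    "00u_john": {"00g_all", "00g_sales"},
    "00u_jane": {"00g_all"},
    "00u_bob": {"00g_all", "00g_contractors"},
}

if __name__ == "__main__":
    for uid, groups in USER_GROUPS.items():
        print(uid, analyze_access(uid, groups, SALESFORCE))
    print("bob from corp:", analyze_access("00u_bob", USER_GROUPS["00u_bob"], SALESFORCE, {"nzo_corp"}))
```

The useful output for an admin is the `via` and `rule` fields: "assigned through group 00g_sales, denied by rule 'Contractors elsewhere'" is actionable, a bare yes/no is not.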
Security & Risk Assessment
analyze_login_risk - Login behavior analysis with VPN/Tor detection and geographic impossibility checks (helps answer "Is this user compromised?")
Why These Matter: The two most common questions Okta admins face daily are "Why can't user X access application Y?" and "Is this login activity suspicious?". These special tools assemble answers that would otherwise require manual investigation across multiple Okta admin screens, policy reviews, and log analysis, turning a 15+ minute investigation into a 30-second query.
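The two signals named for login risk assessment, proxy/Tor use and geographic impossibility, can both be computed from Okta System Log events. The following is an added example (not the analyze_login_risk implementation) that does so. The event fields it reads (published, eventType, outcome.result, actor.alternateId, client.geographicalContext.geolocation, securityContext.isProxy, securityContext.asOrg) exist in the Okta System Log schema; the 900 km/h speed threshold, the risk levels and the sample events are this example's own assumptions.

```python
"""Flag impossible travel and proxy-sourced logins from Okta System Log events.

Added example; not the Okta MCP Server's analyze_login_risk tool. The speed
threshold, risk levels and sample events are assumptions made for illustration.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # about airline cruise speed; tune per tenant


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _parse_published(ts):
    """System Log timestamps look like 2025-03-01T08:00:00.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _geo(event):
    """(lat, lon, city, country) from client.geographicalContext, or None if absent."""
    g = event.get("client", {}).get("geographicalContext") or {}
    loc = g.get("geolocation") or {}
    if "lat" not in loc or "lon" not in loc:
        return None
    return loc["lat"], loc["lon"], g.get("city"), g.get("country")


def assess_login_risk(events, actor, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Compare consecutive successful session starts for one actor."""
    logins = sorted(
        (e for e in events
         if e.get("eventType") == "user.session.start"
         and e.get("outcome", {}).get("result") == "SUCCESS"
         and e.get("actor", {}).get("alternateId") == actor),
        key=lambda e: _parse_published(e["published"]))
    proxies = [
        {"published": e["published"], "ip": e.get("client", {}).get("ipAddress"),
         "asOrg": e.get("securityContext", {}).get("asOrg")}
        for e in logins if e.get("securityContext", {}).get("isProxy")]
    travel = []
    for prev, cur in zip(logins, logins[1:]):
        a, b = _geo(prev), _geo(cur)
        if a is None or b is None:
            continue   # no geolocation on one side: travel cannot be judged
        hours = (_parse_published(cur["published"])
                 - _parse_published(prev["published"])).total_seconds() / 3600
        km = haversine_km(a[0], a[1], b[0], b[1])
        # same place again is never "travel", even if seconds apart
        speed = 0.0 if km < 1.0 else (km / hours if hours > 0 else float("inf"))
        travel.append({"from": a[2], "to": b[2], "distance_km": round(km),
                       "hours": round(hours, 2), "speed_kmh": round(speed),
                       "impossible": speed > max_speed_kmh})
    impossible = [t for t in travel if t["impossible"]]
    risk = "HIGH" if impossible else ("MEDIUM" if proxies else "LOW")
    return {"actor": actor, "logins": len(logins), "impossible_travel": impossible,
            "proxy_logins": proxies, "risk": risk}


def _event(published, ip, city, country, lat, lon, is_proxy, as_org, result="SUCCESS"):
    """Build a constructed System Log event for john@company.com."""
    return {"published": published, "eventType": "user.session.start",
            "actor": {"alternateId": "john@company.com"},
            "outcome": {"result": result},
            "client": {"ipAddress": ip,
                       "geographicalContext": {"city": city, "country": country,
                                               "geolocation": {"lat": lat, "lon": lon}}},
            "securityContext": {"isProxy": is_proxy, "asOrg": as_org}}


# Constructed sample: London, then Sydney 90 minutes later from a proxy/Tor-style ASN.
SAMPLE_EVENTS = [
    _event("2025-03-01T08:00:00.000Z", "203.0.113.10", "London", "United Kingdom",
           51.5074, -0.1278, False, "ExampleNet ISP"),
    _event("2025-03-01T09:30:00.000Z", "198.51.100.7", "Sydney", "Australia",
           -33.8688, 151.2093, True, "Example Tor Exit"),
    _event("2025-03-01T12:00:00.000Z", "198.51.100.7", "Sydney", "Australia",
           -33.8688, 151.2093, True, "Example Tor Exit"),
    _event("2025-03-01T07:59:00.000Z", "203.0.113.10", "London", "United Kingdom",
           51.5074, -0.1278, False, "ExampleNet ISP", result="FAILURE"),
]

if __name__ == "__main__":
    print(assess_login_risk(SAMPLE_EVENTS, "john@company.com"))
```

Failed logins are excluded on purpose: an attacker spraying passwords from abroad produces FAILURE events that would otherwise register as "travel" by the legitimate user. They belong in a separate brute-force signal.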
Standard Tools
User Management
list_okta_users - Retrieve users with filtering, search, and pagination options
get_okta_user - Get detailed information about a specific user by ID or login
list_okta_user_groups - List all groups that a specific user belongs to
list_okta_user_applications - List all application links (assigned applications) for a specific user
list_okta_user_factors - List all authentication factors enrolled for a specific user
Group Operations
list_okta_groups - Retrieve groups with filtering, search, and pagination options
get_okta_group - Get detailed information about a specific group
list_okta_group_members - List all members of a specific group
list_okta_assigned_applications_for_group - List all applications assigned to a specific group
Application Management
list_okta_applications - Retrieve applications with filtering, search, and pagination options
list_okta_application_users - List all users assigned to a specific application
list_okta_application_group_assignments - List all groups assigned to a specific application
Policy & Network Management
list_okta_policy_rules - List all rules for a specific policy with detailed conditions and actions
get_okta_policy_rule - Get detailed information about a specific policy rule
list_okta_network_zones - List all network zones with IP ranges and configuration details
System Log Events
get_okta_event_logs - Retrieve Okta system log events with time-based filtering and search options
Date & Time Utilities
get_current_time - Get the current UTC time in ISO 8601 format
parse_relative_time - Convert natural-language time expressions to ISO 8601 format
Additional tools for applications, factors, policies, and more advanced operations are on the roadmap and will be added in future releases.
Quick Start
Prerequisites
Python 3.8+ installed on your machine
Okta tenant with appropriate API access
An MCP-compatible AI client (Claude Desktop, Microsoft Copilot Studio, etc.)
Important Model Compatibility Note:
Not all AI models work with this MCP server. Testing has only been performed with:
GPT-4o
Claude 3.7 Sonnet
Gemini 2.5 Pro
You must use current model versions that explicitly support tool calling (function calling). Older models, or models without tool-calling support, will not be able to interact with the Okta MCP Server.
Supported AI Providers
The Okta MCP Server supports multiple AI providers through its configuration system, so you can connect to the large language model that fits your needs and existing access.
Currently Supported Providers:
| Provider | Environment Variable | Description |
| --- | --- | --- |
| OpenAI | | Connect to the OpenAI API with models like GPT-4o. Requires an OpenAI API key. |
| Azure OpenAI | | Use Azure-hosted OpenAI models with Azure's security and compliance features. |
| Anthropic | | Connect to Anthropic's Claude models (primarily tested with Claude 3.7 Sonnet). |
| Google Vertex AI | | Use Google's Gemini models via Vertex AI. Requires a Google Cloud service account. |
| OpenAI Compatible | | Connect to any OpenAI API-compatible endpoint, such as Fireworks.ai, Ollama, or other providers that implement the OpenAI API specification (selected with the openai_compatible provider setting). |
Installation
NOTICE: If you clone this repository anew or pull updates, always re-run
pip install -r requirements.txt
to ensure all dependencies are up to date.
Configuration & Usage
Create a config file with your Okta settings.
To use the command-line client (which keeps no conversation memory), follow the instructions below.
To use MCP hosts such as Claude Code, VS Code, etc., use the JSON config below.
Supported Transports and Launching
The Okta MCP Server supports multiple transport protocols:
1. Standard I/O (STDIO) - Recommended
Security: Direct communication through standard input/output streams; no network port is opened
Use case: Ideal for desktop AI assistants like Claude Desktop
Performance: Lightweight and efficient
Configuration: For Claude Desktop, add to claude_desktop_config.json:
```json
{
  "mcpServers": {
    "okta-mcp-server": {
      "command": "DIR/okta-mcp-server/venv/Scripts/python",
      "args": ["DIR/okta-mcp-server/main.py"],
      "env": {
        "OKTA_CLIENT_ORGURL": "https://dev-1606.okta.com",
        "OKTA_API_TOKEN": "OKTA_API_TOKEN"
      }
    }
  }
}
```
Replace the DIR and OKTA_API_TOKEN placeholders with your own values.
2. Streamable HTTP Transport - Modern & Current Standard
Current Standard - Modern HTTP-based transport with advanced features:
Features: Real-time event streaming, session management, resumability support
Performance: Better scalability and connection handling
Use case: Modern web applications and clients supporting HTTP streaming
Security: WARNING - an unauthenticated local HTTP server; acceptable only in controlled environments (see the HTTP Transport Security Warning above)
Starting the Streamable HTTP Server:
Features:
Real-time streaming - Live progress updates during operations
Session management - Maintains connection state
Event streaming - Server-Sent Events for real-time notifications
Better error handling - Detailed error responses
Modern protocol - Based on the latest MCP specifications
For Streamable HTTP Client Testing:
3. Remote HTTP Access - High Risk, Advanced Use Only
EXTREMELY DANGEROUS - READ CAREFULLY
For MCP clients that don't natively support remote connections, you can use mcp-remote via NPX:
Prerequisites:
Node.js and NPM installed
Okta MCP Server running in HTTP mode
Setup:
Claude Desktop Configuration:
CRITICAL SECURITY WARNINGS:
NEVER use in production environments
NEVER expose the HTTP port (3000) to public networks
ANYONE with network access can control your Okta tenant
No authentication or authorization protection
All Okta operations are exposed without restrictions
Use only in isolated, secure development environments
Consider this approach only if STDIO transport is absolutely not feasible
When might you need this approach:
Testing MCP integrations that require HTTP transport
Specific client applications that can't use STDIO
Development scenarios requiring HTTP debugging
NEVER for production or shared environments
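The warnings above are easy to violate by accident in a host config file that several people edit. The following is an added example (not part of the Okta MCP Server) of a small audit over a claude_desktop_config.json-style document that reports the patterns called out here: mcp-remote pointing at an HTTP MCP endpoint, endpoints on non-loopback hosts, a server bound to all interfaces, and an API token left in the file. The config layout ({"mcpServers": {name: {"command", "args", "env"}}}) is the one Claude Desktop reads; the finding codes, severities and the sample config are this example's own.

```python
"""Audit an MCP host configuration for the risky transport patterns described above.

Added example, not part of the Okta MCP Server. Severities, messages and the
sample configuration are assumptions made for illustration.
"""
import json
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
_SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def _is_loopback(url):
    return (urlsplit(url).hostname or "") in LOOPBACK_HOSTS


def audit_server(name, spec):
    """Return (server, severity, message) findings for one mcpServers entry."""
    findings = []
    argv = [spec.get("command", "")] + list(spec.get("args", []))
    urls = [a for a in argv if a.startswith(("http://", "https://"))]
    uses_remote = any("mcp-remote" in a for a in argv)

    for url in urls:
        if not _is_loopback(url):
            findings.append((name, "HIGH", f"MCP endpoint {url} is not on loopback; "
                             "the HTTP transport has no auth, so anyone who reaches it "
                             "controls the Okta tenant"))
            if url.startswith("http://"):
                findings.append((name, "HIGH", f"{url} is plaintext HTTP; Okta user data "
                                 "returned by the tools crosses the network unencrypted"))
    if uses_remote:
        findings.append((name, "MEDIUM", "uses mcp-remote (remote HTTP access); "
                         "acceptable only in isolated development setups"))
    if "0.0.0.0" in argv or "::" in argv:
        findings.append((name, "HIGH", "server is bound to all interfaces"))
    for key, value in spec.get("env", {}).items():
        # value == key is the README's placeholder style ("OKTA_API_TOKEN": "OKTA_API_TOKEN")
        if "TOKEN" in key.upper() and value and value != key:
            findings.append((name, "LOW", f"{key} is stored in plaintext in the host "
                             "config; restrict file permissions and rotate on exposure"))
    return findings


def audit_config(config):
    """Audit every server in a {"mcpServers": {...}} document."""
    out = []
    for name, spec in config.get("mcpServers", {}).items():
        out.extend(audit_server(name, spec))
    return out


def audit_config_text(text):
    return audit_config(json.loads(text))


def max_severity(findings):
    """Highest severity present, or "NONE" for a clean config."""
    if not findings:
        return "NONE"
    return max((f[1] for f in findings), key=_SEVERITY_RANK.__getitem__)


# Constructed sample: one STDIO server, one mcp-remote to a LAN host, one to localhost.
SAMPLE_CONFIG = {
    "mcpServers": {
        "okta-mcp-server": {
            "command": "DIR/okta-mcp-server/venv/Scripts/python",
            "args": ["DIR/okta-mcp-server/main.py"],
            "env": {"OKTA_CLIENT_ORGURL": "https://dev-1606.okta.com",
                    "OKTA_API_TOKEN": "00abc-made-up-token-value"},
        },
        "okta-remote": {"command": "npx", "args": ["mcp-remote", "http://10.0.0.5:3000/mcp"]},
        "okta-local-http": {"command": "npx", "args": ["mcp-remote", "http://localhost:3000/mcp"]},
    }
}

if __name__ == "__main__":
    for server, severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {server}: {message}")
```

The LOW finding on the STDIO entry is deliberate: an API token in a host config file is unavoidable with this server, so the point is to make it visible and keep the file's permissions tight, not to forbid it.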
4. Server-Sent Events (SSE) - Deprecated
DEPRECATED: SSE transport is deprecated and not recommended for new implementations.
Use case: Legacy MCP clients that specifically require SSE (not recommended)
Security: Same HTTP security risks as Streamable HTTP
Recommendation: Use Streamable HTTP transport instead for all new implementations
5. Docker Deployment
The Okta MCP Server provides Docker images for all transport types, offering containerized deployment options.
Running Docker Containers
STDIO Transport (Recommended): For Claude Desktop or other MCP clients, configure the client to use the Docker container:
Streamable HTTP Transport (Current Standard):
SSE Transport (Deprecated - Not Recommended):
Building Images Locally:
Good to Know
Beta Release
Completely rewritten architecture with FastMCP 2.0
Enhanced stability and performance compared to previous alpha releases
Comprehensive tool system with improved AI integration
More suitable for development and testing environments
Production readiness being evaluated alongside the enhanced security features
Security First
Designed for least-privilege operation
Read-only access to Okta resources by default
Future write operations will require explicit approval flows
Current Limitations
Starting with a limited set of read-only tools
Planning to expand API coverage rapidly in upcoming releases
Some complex Okta relationships not yet exposed
Performance with very large Okta instances not yet optimized
Requires direct network access to Okta API endpoints
Roadmap
v0.1.0-BETA - Current (MAJOR ARCHITECTURAL OVERHAUL!)
Complete migration to FastMCP 2.0 architecture
Comprehensive rewrite of all tools with enhanced annotations
New unified CLI client supporting multiple transports
Eliminated tool_registry.py dependency for a cleaner codebase
Advanced bearer token support with jwks_uri validation
Significantly enhanced error handling and validation
Performance optimizations and modern async patterns
v0.3.0 - Previous
Streamable HTTP transport support
Real-time event streaming
Session management and resumability
Enhanced client applications
Future plans include:
Complete user lifecycle operations
Application assignment management
Group membership operations
Factor enrollment and verification
Policy and rule management
Approval workflows for sensitive operations
Multi-channel approval options (web, email, Slack)
Audit logging and compliance reporting
System log integration
Security insights generation
Multi-tenant support
Role-based access control
Need Help?
Before raising an issue, check:
Server configuration
Okta API permissions
MCP client compatibility
Server logs
Still having problems? Open an issue on GitHub or email support@fctr.io (response times may vary)
Feature Requests & Ideas
Have an idea or suggestion? Open a feature request on GitHub!
Contributors
Interested in contributing? We'd love to have you! Contact info@fctr.io for collaboration opportunities.
Legal Stuff
Check out License.md for the fine print.
© 2025 Fctr Identity. All rights reserved. Made with love for the Okta and AI communities.