okta-mcp-em-python
Provides tools for managing Okta Identity Governance (IGA) including importing access data from CSV, discovering entitlement patterns, creating entitlement bundles, enforcing separation of duties rules, and generating governance scorecards.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@okta-mcp-em-pythonImport the HR access CSV into Okta"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π Okta MCP Server for Entitlement Management
Talk to Okta IGA like you talk to a coworker. Import access data, discover patterns, and create entitlement bundlesβall through natural conversation.
β οΈ Disclaimer: Vibe Coded
This project was "vibe coded"βbuilt rapidly through AI-assisted development with Claude/Copilot. While functional and tested against real Okta tenants, it:
May contain unconventional patterns or edge cases not fully handled
Has not undergone formal security review
Is provided as-is for experimentation and learning
Should be tested thoroughly in a sandbox environment before any production use
Use at your own risk. Always validate operations in a non-production Okta tenant first.
Related MCP server: TAKO MCP Server for Okta
π€ The Opportunity
Okta Identity Governance (IGA) gives you powerful tools to manage entitlements, grants, and access bundles. This MCP server helps you get value from those features faster by automating the setup work:
Instead of... | You can say... |
Manually creating entitlements from a CSV export | "Import the HR system access from that CSV" |
Analyzing access patterns to define bundles | "Find patterns and suggest bundles" |
Granting access to users one by one | "Grant these permissions to all 500 users" |
The goal: Spend less time on data entry, more time on governance strategy.
π‘ How It Works
This MCP server lets you describe what you want in plain English, and the AI handles the Okta API calls:
You: "Import the HR system access from that CSV into Okta"
AI: β
Analyzed CSV: 3 entitlement types, 847 users
β
Created entitlements in app 0oa123abc
β
Granted access to 847 users (23 already had access)You: "Find patterns in who has what access and suggest bundles"
AI: Found 12 patterns:
π’ Engineering dept β always gets Developer role (94% match)
π’ Managers β always get Approval permission (89% match)
Want me to create these as bundles?π― What This Does
Capability | Description |
CSV β Okta Import | Parse access reports, create entitlement structures, grant to users in bulk |
Governance Scorecard | Score applications 0-100 on governance posture with compliance mapping |
SoD Enforcement | Detect toxic combinations and create separation of duties risk rules |
Pattern Mining | Analyze existing grants to discover who-gets-what patterns |
SoD-Safe Bundles | Turn patterns into IGA bundles with automatic conflict checking |
Bulk Operations | Parallel API calls with automatic rate limiting |
Natural Language | No API knowledge neededβjust describe what you want |
π Four Guided Workflows
Workflow 1: Migrate Legacy Access (CSV β Okta)
Use case: You have a CSV export from a legacy system and need to get it into Okta IGA
list_csv_files β analyze_csv_for_entitlements β prepare_entitlement_structure β execute_user_grants
β β β β
βΌ βΌ βΌ βΌ
See available Parse & validate Create entitlements Assign users &
CSV files the data in Okta app grant accessWorkflow 2: Governance Scorecard
Use case: Assess an application's governance posture with a compliance report
generate_governance_summary(appId)
β
βΌ
Score 0-100 + letter grade
Compliance checks (NIST AC-5, SOX 404, SOC2)
Prioritized recommendationsWorkflow 3: Enforce Compliance (SoD Rules)
Use case: Find toxic access combinations and create separation of duties rules
analyze_sod_context β create_sod_risk_rule β test_sod_risk_rule
β β β
βΌ βΌ βΌ
Map entitlements to Create enforcement Validate rules
ISACA duty categories rules in Okta against usersWorkflow 4: Discover & Create Roles (Pattern Mining β Bundles)
Use case: You have existing access in Okta and want to create SoD-safe bundles
analyze_entitlement_patterns β preview_bundle_creation β create_bundle_from_pattern
β β β
βΌ βΌ βΌ
Discover correlations See what would be SoD conflict check
between profiles & created (dry run) + create bundle
entitlementsπ Project Structure
okta-mcp-em-python/
βββ server.py # MCP server entry point
βββ client.py # Okta API client with rate limiting
βββ batch.py # Parallel execution engine
βββ s3_client.py # AWS S3 integration (optional)
βββ tools/
β βββ __init__.py
β βββ api.py # Okta API tools
β βββ basic.py # CSV & connection tools
β βββ batch.py # Batch operation tools
β βββ workflow.py # CSV import workflow tools
β βββ bundle.py # Pattern mining & bundle creation (SoD-safe)
β βββ sod.py # Separation of duties analysis & risk rules
β βββ governance.py # Governance scorecard & posture reporting
β βββ app_knowledge.py # Application-specific SoD knowledge base
β βββ menu.py # Guided workflow navigation
βββ csv/ # CSV files for processing
β βββ test_data/ # Sample CSV files
β βββ processed/ # Completed files
β βββ processed_and_assigned/
β βββ analysis_cache/ # Cached pattern analysis results
βββ .env # Environment variables (create this)
βββ requirements.txt
βββ pyproject.tomlπ Prerequisites
Requirement | Details |
Python | 3.10 or higher |
Okta Tenant | Workforce Identity Cloud with IGA enabled |
API Token | Okta API token with appropriate permissions |
MCP Client | Claude Desktop, VS Code with Copilot, or any MCP-compatible client |
π Quick Start
Step 1: Clone & Setup
# Clone the repository
git clone https://github.com/ashwinramn/okta-mcp-em-python.git
cd okta-mcp-em-python
# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
# Install dependencies
pip install -r requirements.txtStep 2: Configure Environment
Create a .env file in the project root:
# Required: Okta Configuration
OKTA_DOMAIN=your-domain.okta.com
OKTA_API_TOKEN=your-api-token
# Optional: S3 for remote CSV storage
S3_ENABLED=false
S3_BUCKET_NAME=your-bucket-name
S3_PREFIX=csv-files/
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=your-access-key
AWS_SECRET_ACCESS_KEY=your-secret-keyStep 3: Configure Your MCP Client
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"okta-entitlements": {
"command": "python3",
"args": ["/full/path/to/okta-mcp-em-python/server.py"]
}
}
}Add to your VS Code MCP settings or settings.json:
{
"mcp.servers": {
"okta-entitlements": {
"command": "python3",
"args": ["/full/path/to/okta-mcp-em-python/server.py"]
}
}
}Step 4: Test the Connection
Restart your MCP client, then ask:
"Check my Okta connection"
You should see a success message with your Okta org details.
π οΈ Available Tools
π§ Navigation
Tool | Description |
| Verify Okta API connectivity |
| Display guided workflow menu |
π₯ CSV Import Workflow
Tool | Description |
| List available CSV files (local + S3) |
| Analyze CSV structure and identify entitlements |
| Create/update entitlements in Okta app |
| Grant entitlements to users in bulk |
π Governance & Compliance
Tool | Description |
| Full governance posture report with score and compliance checks |
| Gather SoD analysis context for an application |
| Create separation of duties risk rules |
| List existing SoD risk rules |
| Run risk assessment for a user |
π¦ Bundle Mining Workflow
Tool | Description |
| Discover patterns between user profiles and entitlements |
| Preview bundle before creation (dry run) |
| Create entitlement bundle from a pattern (SoD-safe) |
| Create bundle directly from entitlement value names |
βοΈ Utility Tools
Tool | Description |
| Search users by various criteria |
| Search multiple users in parallel |
| Create multiple grants in parallel |
| Check Okta API rate limits |
| Resolve entitlement value names to IDs |
π¬ Example Conversations
Example 1: CSV Import Workflow
You: "Check my Okta connection"
AI: β
Connected to your-domain.okta.com
Call show_workflow_menu to see available workflows.
You: "Show me the workflow menu"
AI: βββββββββββββββββββββββββββββββββββββββββββ
β 1. Import CSV β Okta β
β 2. Mine Patterns β Bundles β
βββββββββββββββββββββββββββββββββββββββββββ
You: "1"
AI: π Available CSV files:
1. hr_platform_access_report.csv
2. finance_core_access_report.csv
3. dev_platform_access_report.csv
You: "Analyze hr_platform_access_report.csv"
AI: π Analysis Complete
βββ Rows: 847
βββ User column: Email
βββ Entitlements detected:
β’ Role (15 unique values)
β’ Permission (8 unique values)
β’ Support_Group (4 unique values)
Ready to import? Provide the Okta App ID.
You: "Yes, app ID is 0oa123abc"
AI: β
Created entitlement structure in app 0oa123abc
βββ Role: 15 values created
βββ Permission: 8 values created
βββ Support_Group: 4 values created
You: "Now grant the permissions to users"
AI: π Processing 847 users...
β
Complete!
βββ Users processed: 847
βββ New assignments: 824
βββ Already assigned: 23
βββ Grants created: 2,541Example 2: Bundle Mining Workflow
You: "2"
AI: Enter the Okta App ID to analyze for patterns.
You: "0oa123abc"
AI: π Analyzing entitlement patterns...
Found 24 patterns across 3 entitlement types:
π’ STRONG (>85% correlation)
1. department=Engineering β Role: Developer (94%)
2. department=Finance β Role: Analyst (91%)
3. title contains "Manager" β Permission: Approve (89%)
π‘ MODERATE (70-85% correlation)
4. department=Support β Support_Group: Tier1 (78%)
5. location=HQ β Permission: Building_Access (72%)
You: "Preview pattern 1"
AI: π¦ Bundle Preview (Dry Run)
βββ Name: Engineering Access Bundle
βββ Description: Standard access for Engineering department
β members including developer tools and deployment
β permissions.
βββ Entitlements:
β’ Role = Developer
β’ Permission = Deploy
β’ Permission = Code_Review
You: "Create it"
AI: β
Bundle created successfully!
βββ Bundle ID: enb789xyzβ¨ Key Features
Feature | Description |
Guided Workflows | Step-by-step navigationβjust follow the prompts |
Governance Scorecard | Score 0-100 with compliance checks (NIST AC-5, SOX 404, SOC2) |
SoD Enforcement | Detect toxic access combinations and create risk rules (ISACA-based) |
SoD-Safe Bundles | Bundle creation with automatic separation of duties conflict checks |
Pattern Mining | ML-free pattern discovery using correlation analysis |
Natural Language Bundles | Auto-generated descriptions for business users |
Smart Rate Limiting | Automatic throttling to respect Okta API limits |
Concurrent Processing | Parallel batch operations (up to 10x faster) |
Flexible CSV Parsing | Handles messy data, various formats, encoding issues |
S3 Integration | Optionally pull CSV files from AWS S3 (using boto3) |
Analysis Caching | Pattern results cached for quick bundle creation |
π CSV Format
The server handles various CSV formats flexibly. Minimum requirements:
Required | Description |
User identifier column | Email, username, login, employee ID, etc. |
Entitlement columns | Role, Permission, Group, Access Level, etc. |
Example CSV
Email,Department,Title,Role,Permission,Support_Group
john.doe@company.com,Engineering,Developer,Admin,Deploy,Tier2
jane.smith@company.com,Finance,Analyst,Viewer,Read,Tier1
bob.wilson@company.com,Engineering,Manager,Admin,Approve,Tier2The AI will automatically:
Detect which column contains user identifiers
Identify which columns represent entitlements vs. profile attributes
Handle missing values, duplicates, and encoding issues
π Troubleshooting
Test the server manually
python3 server.pyCommon Issues
Issue | Solution |
Connection failed | Verify |
Rate limited | Wait a few minutes, or check |
Users not found | Ensure CSV user identifiers match Okta login format |
No patterns found | App needs existing grants with entitlements to analyze |
Module not found | Run |
Debug Mode
For verbose logging, set in your environment:
export LOG_LEVEL=DEBUGπ Related Resources
π License
MIT License - See LICENSE for details.
π€ Contributing
Contributions welcome! This is a vibe-coded project, so:
Issues - Report bugs or suggest features
PRs - Improvements to error handling, edge cases, and documentation are especially welcome
Testing - More real-world testing against different Okta configurations
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ashwinramn/okta-mcp-em-python'
If you have feedback or need assistance with the MCP directory API, please join our Discord server