Skip to main content
Applies to BloodHound Enterprise and CE

Overview

Applications in Okta represent the various software applications and services that users can access through the Okta organization. Applications can be configured to use different authentication methods, such as SAML, OIDC, or SWA. These protocols can either be configured manually by administrators or automatically by adding an application from Okta’s App Integration Catalog, which provides a wide range of pre-configured cloud and on-premises application templates. With the exception of API Service applications, Okta users and groups can be assigned to applications. Users can also be synchronized TO and FROM applications in Okta, typically using the SCIM protocol. For example, when integrating with GitHub Enterprise Cloud, Okta can be configured to automatically create user accounts in GitHub when users are assigned to the GitHub application in Okta. Applications are represented as Okta_Application nodes in BloodHound.

Edges

The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.

Inbound Edges

Outbound Edges

Properties

Common Application Properties

NameSourceTypeDescription
idapplication.idstringUnique application identifier.
nameapplication.namestringApp type identifier (for example office365, snowflake, githubcloud).
display_nameapplication.labelstringDisplay label used in BloodHound.
okta_domainCollector context (non-API)stringOkta organization domain where the application exists.
has_role_assignmentsCalculatedboolIndicates whether the application is assigned any administrative roles.
createdapplication.createddatetimeApplication creation timestamp.
last_updatedapplication.lastUpdateddatetimeLast update timestamp of the app definition.
statusapplication.statusstringCurrent lifecycle status of the application instance.
sign_on_modeapplication.signOnModestringSign-on protocol mode (for example OPENID_CONNECT, SAML_2_0, AUTO_LOGIN).
featuresapplication.featuresstring[]Enabled app capabilities such as SCIM provisioning and password push.
user_name_mappingapplication.credentials.userNameTemplate.templatestringUsername mapping template used for provisioning/federation.
Individual application types may have additional properties specific to the integration or protocol:

GitHub Cloud

NameSourceTypeDescription
github_orgapplication.settings.app.githubOrgstringGitHub organization mapped to the integration.

Google Workspace

NameSourceTypeDescription
domainapplication.settings.app.domainstringGoogle Workspace domain associated with the integration.
afw_onlyapplication.settings.app.afwOnlyboolApp-specific flag indicating constrained integration behavior.

Jamf Pro SAML

NameSourceTypeDescription
domainapplication.settings.app.domainstringJamf Pro tenant domain associated with the integration.

Active Directory Integration

NameSourceTypeDescription
naming_contextapplication.settings.app.namingContextstringNaming context configured for AD-backed app integration.
filter_groups_by_ouapplication.settings.app.filterGroupsByOUboolWhether group filtering by OU is enabled.
domain_sidDerived from synced AD user/group SID values (not directly in app object)stringDomain SID associated with AD-backed integration.
windows_transport_enabledapplication.settings.app.windowsTransportEnabledboolIndicates if Windows transport is enabled.

Generic SAML Application

NameSourceTypeDescription
urlapplication.settings.signOn.ssoAcsUrl (SAML 2.0) / application.settings.signOn.ssoAcsUrlOverride (SAML 1.1)stringPrimary sign-on URL exposed for SAML applications.
entity_idapplication.settings.signOn.destination / application.settings.signOn.audiencestringSAML Entity ID for SAML integrations.
acs_urlapplication.settings.signOn.ssoAcsUrlstringAssertion Consumer Service (ACS) URL for SAML integrations.
ws_fed_configure_typeapplication.settings.app.wsFedConfigureTypestringWS-Federation configuration mode.

Generic OIDC Service Application

NameSourceTypeDescription
client_typeapplication.settings.oauthClient.applicationTypestringOIDC client type (for example web, native, browser, service).
grant_typesapplication.settings.oauthClient.grantTypes[]string[]OAuth 2.0 grant types allowed for OIDC apps.
redirect_uriapplication.settings.oauthClient.redirectUris[]stringOIDC redirect URI configured for the integration.
initiate_login_uriapplication.settings.oauthClient.initiateLoginUristringOkta-initiated login URI for supported OIDC apps.
urlDerived from OIDC sign-in URL preference (initiate_login_uri first, otherwise first redirect_uri)stringPrimary sign-in URL for OIDC applications.
oauth_scopesDerived from app grants in PopulateOAuthScopes / grant collection logicstring[]OAuth scopes granted to the application in Okta.
domainapplication.settings.app.domainstringDirectory or service domain associated with the app integration.
domainsapplication.settings.app.domainsstring[]Domain list associated with the app integration when provided.
service_domainapplication.settings.app.serviceDomainstringService/API domain used by workflow or API-connected apps.
sub_domainapplication.settings.app.subDomainstringSubdomain value used by app-specific integrations.
region_typeapplication.settings.app.regionTypestringRegion suffix/type used by the app integration.

Microsoft Entra ID External Authentication

NameSourceTypeDescription
microsoft_discovery_endpointapplication.settings.app.microsoftDiscoveryEndpointstringOIDC discovery endpoint used by Microsoft integrations.
microsoft_app_idapplication.settings.app.microsoftAppIdstringMicrosoft application/client ID configured in the integration.
microsoft_tenant_idapplication.settings.app.microsoftTenantIdstringMicrosoft Entra tenant GUID associated with the app integration.
require_admin_consentapplication.settings.app.requireAdminConsentboolIndicates if Microsoft admin consent is required.

Microsoft Office 365

NameSourceTypeDescription
msft_tenantapplication.settings.app.msftTenantstringMicrosoft tenant short name/domain used by the Office 365 integration.
microsoft_tenant_idCalculated from msft_tenantstringMicrosoft Entra tenant GUID resolved from the Office 365 onmicrosoft tenant.

Generic SWA / Browser Plugin Application

NameSourceTypeDescription
login_urlapplication.settings.app.loginUrlstringApp login URL used by SWA/browser plugin configurations.
urlapplication.settings.signOn.loginUrl (AutoLogin) / application.settings.app.url (BrowserPlugin/BasicAuth/Bookmark/SPS)stringPrimary login URL exposed for SWA and related app types.
app_filterapplication.settings.app.appFilterstringApp-side filter expression value.
group_filterapplication.settings.app.groupFilterstringGroup filter pattern used for provisioning/mapping.
use_group_mappingapplication.settings.app.useGroupMappingboolWhether group mapping is enabled for integration.
join_all_rolesapplication.settings.app.joinAllRolesboolWhether all discovered roles are joined/collected.
role_value_patternapplication.settings.app.roleValuePatternstringRole mapping pattern template for AWS role federation.
aws_environment_typeapplication.settings.app.awsEnvironmentTypestringAWS environment identifier for AWS app integrations.
session_durationapplication.settings.app.sessionDurationintegerSession duration setting (seconds) for supported app integrations.

Sample Property Values

Github Cloud

id: 0oawyp12cjglrkfId697
name: githubcloud
display_name: Github Contoso
features: []
github_org: Contoso
has_role_assignments: false
okta_domain: contoso.okta.com
sign_on_mode: SAML_2_0
status: ACTIVE
user_name_mapping: ${source.login}
created: 2025-10-31T06:08:00+00:00
last_updated: 2025-10-31T06:08:01+00:00

Google Workspace

id: 0oax4r57x0V5NHL2W697
name: google
afw_only: false
display_name: Google Workspace
domain: contoso.com
features: []
has_role_assignments: false
okta_domain: contoso.okta.com
sign_on_mode: SAML_2_0
status: ACTIVE
user_name_mapping: ${source.login}
created: 2025-11-05T09:06:48+00:00
last_updated: 2025-11-05T09:07:21+00:00

Jamf Pro SAML

id: 0oax4r3ud0J2WjlNh697
name: jamfsoftwareserver
display_name: Jamf Pro SAML
domain: contoso.jamfcloud.com
features: []
has_role_assignments: false
name: Jamf Pro SAML
okta_domain: contoso.okta.com
sign_on_mode: SAML_2_0
status: ACTIVE
user_name_mapping: ${source.login}
created: 2025-11-05T09:10:52+00:00
last_updated: 2026-01-19T14:33:39+00:00

OktaHound

id: 0oaw0pujq5WtBiMYD697
name: oidc_client
client_type: service
display_name: OktaHound
features: []
grant_types:
  - client_credentials
has_role_assignments: true
oauth_scopes:
  - okta.trustedOrigins.read
  - okta.policies.read
  - okta.linkedObjects.read
  - okta.authModes.read
  - okta.templates.read
  - okta.apiTokens.read
  - okta.factors.read
  - okta.brands.read
  - okta.authenticators.read
  - okta.uischemas.read
  - okta.logs.read
  - okta.groups.read
  - okta.identitySources.read
  - okta.users.read
  - okta.orgs.read
  - okta.threatInsights.read
  - okta.pushProviders.read
  - okta.apps.read
  - ssf.read
  - okta.roles.read
  - okta.networkZones.read
  - okta.emailDomains.read
  - okta.manifests.read
  - okta.oauthIntegrations.read
  - okta.domains.read
  - okta.deviceAssurance.read
  - okta.reports.read
  - okta.authorizationServers.read
  - okta.enduser.read
  - okta.schemas.read
  - okta.idps.read
  - okta.agentPools.read
  - okta.appGrants.read
  - okta.inlineHooks.read
  - okta.certificateAuthorities.read
  - okta.devices.read
  - okta.behaviors.read
  - okta.profileMappings.read
  - okta.captchas.read
  - okta.clients.read
  - okta.features.read
  - okta.sessions.read
  - okta.userTypes.read
okta_domain: integrator-5415459.okta.com
sign_on_mode: OPENID_CONNECT
status: ACTIVE
user_name_mapping: ${source.login}
created: 2025-10-02T10:11:20+00:00
last_updated: 2025-10-02T10:26:27+00:00

Active Directory Integration

id: 0oaxg9rhdd7ncGCXv697
name: active_directory
display_name: contoso.local
domain_sid: S-1-5-21-71365889-924527929-2677699343
features:
  - IMPORT_PROFILE_UPDATES
  - PROFILE_MASTERING
  - OUTBOUND_DEL_AUTH
  - IMPORT_USER_SCHEMA
  - IMPORT_NEW_USERS
filter_groups_by_ou: false
has_role_assignments: false
naming_context: contoso.local
okta_domain: contoso.okta.com
status: ACTIVE
created: 2025-11-14T12:50:42+00:00
last_updated: 2026-01-31T15:12:24+00:00

User Name Mapping

User name mapping from Okta to SAML 2.0, OpenID Connect (OIDC), and Secure Web Authentication (SWA) applications is configurable in the Okta Admin Console, with the default setting being the Okta username pass-through, i.e., ${source.login}.
Application username formatMapping template
Okta username${source.login}
Email${source.email}
Okta username prefix${fn:substringBefore(source.login, "@")}
Email prefix${fn:substringBefore(source.email, "@")}
AD Employee ID${source.employeeID}
AD SAM account name${source.samAccountName}
AD SAM account name + domain${source.samAccountName}@${source.instance.namingContext}
AD user principal name${source.userName}
AD user principal name prefix${fn:substringBefore(source.userName, "@")}
(None)NONE
Custom?

API Service Applications

This application type is the most interesting one from the security perspective, as it represents OAuth 2.0 service (daemon) applications that can be granted machine-to-machine access to Okta APIs, without any user interaction. These applications can be assigned administrative roles, e.g., Super Admin, and OAuth 2.0 scope grants, e.g., okta.users.manage. Any API operation must be allowed by both the assigned roles and the granted scopes. Okta Application scopes and roles in BloodHound

Hybrid Edges

For supported systems like Active Directory, GitHub Enterprise Cloud, or Jamf Pro, hybrid edges in BloodHound to represent the relationships between these external systems and Okta.

Active Directory Synchronization

When Okta’s Active Directory (AD) integration is configured for user and group synchronization, the connected AD domain is represented as an Okta_Application node in BloodHound. This allows you to visualize the AD-backed application alongside other applications in your Okta environment and understand its relationships with users, groups, and roles. The synchronization is performed by domain-joined servers with the Okta AD Agent installed. This agent typically has Domain Admin privileges in the connected AD domain to perform user and group enumeration and synchronization, making it a high-value target for attackers. Okta AD agent settings Authentication can be delegated from Okta to AD in multiple ways:
There is no documented API available to determine the authentication delegation method(s) configured for an AD-backed Okta application. The collector therefore performs some heuristics that might not be 100% accurate in all cases.

GitHub Enterprise Cloud Organizations

When integrating Okta with GitHub Enterprise Cloud, each GitHub organization connected to Okta is represented as a separate Okta_Application node in BloodHound. Properties of the GitHub Application node

Jamf Pro

When integrating Okta with Jamf Pro using SAML 2.0, each Jamf Pro instance connected to Okta is represented as a separate Okta_Application node in BloodHound. The differentiator is the domain_fqdn property: Jamf Pro SAML application in BloodHound It is also possible to integrate Jamf Pro with Okta using Secure Web Authentication (SWA), but this option is less secure. Jamf Pro SWA settings

Google Workspace

Similarly to the Jamf Pro SAML applications, each Google Workspace (formerly G Suite) instance connected to Okta using SAML 2.0 is represented as a separate Okta_Application node in BloodHound and is identified by the domain_fqdn property: Google Workspace SAML application in BloodHound The SAML 2.0 protocol should always be preferred to SWA when integrating Okta with Google Workspace: Google Workspace sign-in protocol settings

Generic SAML 2.0 Applications

The assertion consumer service (ACS) URLs of generic (non-Catalog) Okta SAML 2.0 applications are exposed via the url attribute in BloodHound. Okta SAML application in BloodHound

Generic Secure Web Authentication (SWA) Applications

Secure Web Authentication (SWA) is an Okta technology that provides Single Sign-On (SSO) functionality to external web applications that don’t support federated protocols. SWA applications store user credentials in Okta and automatically fill them in when users access the application through the Okta dashboard. The app’s login page URL is exposed via the url attribute in BloodHound. Okta SWA application in BloodHound

Generic OpenID Connect (OIDC) Applications

Okta supports three types of OIDC applications:
  • Web Application
  • Single-Page Application (SPA)
  • Native Application
The default redirect URI of generic (non-Catalog) Okta OIDC single-page applications (SPAs) starts with http://localhost:8080/, making it hard to identify the actual application address. The optional Okta-initiated sign-in flow URL is therefore exposed in the url attribute in BloodHound instead, if configured. OIDC applications can be granted OAuth 2.0 scopes to access Okta APIs on behalf of users: Okta application OIDC grants

SCIM-Enabled Applications

The features attribute of Okta_Application nodes may contain the following SCIM-related values, indicating if SCIM is enabled and which protocol capabilities are supported:
FeatureDescription
PUSH_NEW_USERSSupports pushing new users from Okta to the application
PUSH_PASSWORD_UPDATESSupports pushing password updates from Okta to the application
PUSH_PENDING_USERSSupports pushing users from Okta to the application in pending state
PUSH_PROFILE_UPDATESSupports pushing profile updates from Okta to the application
PUSH_USER_DEACTIVATIONSupports pushing user deactivation from Okta to the application
REACTIVATE_USERSSupports reactivating users in the application from Okta
IMPORT_NEW_USERSSupports importing new users into Okta from the application
OPP_SCIM_INCREMENTAL_IMPORTSSupports incremental imports of users from the application into Okta
IMPORT_PROFILE_UPDATESUpdates a linked user’s app profile in Okta during manual or scheduled imports
GROUP_PUSHSupports pushing groups and group memberships from Okta to the application
PROFILE_MASTERINGSupports profile mastering in Okta, allowing the application to be the source of truth for user profiles