Context sources

Enrich authorization with Okta user data

Automatically pull user profiles, group memberships, and application assignments from Okta into your Cerbos policy evaluations, no application code changes required.

Okta context

Automatically enrich authorization requests with user profiles and group memberships from Okta

Cached responses

Configurable TTLs cache enrichment results to balance data freshness against evaluation latency

Zero application code

Identity enrichment happens at the policy layer, your application code stays clean

How Cerbos works with Okta

Authorization decisions are only as good as the data behind them. Okta provides real-time context (user profiles, group memberships, or external attributes) that makes Cerbos policies richer and more accurate.

Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. With Okta as a context source, those policies can evaluate attributes beyond what's in the initial request.

Because enrichment happens at the policy layer, your application code stays clean, no custom plumbing to fetch and merge identity data before making authorization calls.

Policy-as-codeHuman-readable YAML policies managed like source code Scalable PDPStateless policy decision point with sub-millisecond latency Centralized managementManage, test, and deploy policies from a single control plane

Authorization powered by your Okta directory

Okta's Universal Directory is the source of truth for user identity in many organizations. But authorization decisions often rely on a fraction of that data, whatever fits in a JWT. Cerbos identity enrichment bridges this gap by pulling the full user profile from Okta into every authorization decision.

How it works

Your application sends an authorization request with the user's Okta identifier.
Cerbos Synapse queries the Okta API for the user's profile, group memberships, and application assignments via a proxy extension.
Enriched data is available in your policies, write rules based on department, job title, Okta groups, manager chain, or any custom profile attribute.
Cached with configurable TTLs to balance freshness and performance.

Real-time directory data in every decision

When a user's group membership changes in Okta, they move teams, get promoted, or leave the organization, those changes are reflected in Cerbos authorization decisions without a token refresh or application redeployment. Your policies always operate on current directory data.

Get started

Okta identity enrichment is available as part of Cerbos Synapse. Talk to us to learn more about enriching your authorization decisions with Okta data.

FAQ

How does Okta enrichment work with Cerbos?

Cerbos fetches user data from Okta's API at evaluation time, including Universal Directory profile attributes, group memberships, and application assignments. This data is available as principal attributes in your policies, enabling rules based on any Okta user property.

Can I use Okta group memberships in policies?

Yes. Cerbos automatically resolves the user's Okta group memberships and makes them available as principal attributes. You can write policies that reference specific groups, group hierarchies, or combinations of group memberships.

Is this different from the existing Okta authentication integration?

Yes. The authentication integration validates Okta-issued tokens. Identity enrichment goes further, it fetches the full user profile from Okta's directory at authorization time, giving your policies access to data beyond what's in the token.