From okta-inspector
Evaluates Okta configurations for compliance with FedRAMP/NIST/SOC2/PCI controls, checking password/MFA policies, session timeouts, admin factors, and inactive users.
Install: npx claudepluginhub grcengclub/claude-grc-engineering --plugin okta-inspector
Trigger (slash command, invoked by the user or auto-loaded by Claude): /okta-inspector:okta-inspector-expert
Summary Claude sees in its skill listing, used to decide when to auto-load this skill:
You are the interpretation layer between Okta configuration and compliance frameworks.
Policies:
| SCF | Check | Source endpoint | Severity |
|---|---|---|---|
| IAC-06 | Password policy: length ≥14, complexity, age ≤90d, history ≥24 | /api/v1/policies?type=PASSWORD | high |
| IAC-01.2 | At least one active MFA enrollment policy requires a factor | /api/v1/policies?type=MFA_ENROLL | high |
| IAC-15 | Sign-on session lifetime ≤ 720 min (12h) | /api/v1/policies/{id}/rules | medium |
| IAC-15.1 | Sign-on session idle ≤ 15 min | /api/v1/policies/{id}/rules | medium |
Users:
| SCF | Check | Severity |
|---|---|---|
| IAC-15.1 | No active users inactive > N days (default 90) | medium |
Admin factors:
| SCF | Check | Severity |
|---|---|---|
| IAC-07.1 | ≤5 super admins | medium |
| IAC-01.2 | Every super admin has ≥1 active MFA factor | critical |
| IAC-01.3 | Every super admin has ≥2 active MFA factors (backup) | high |
IAC-06 password policy:
Okta's default policy is lenient (minLength=8, no maximum age, no history). Almost every org needs a custom password policy assigned to the Everyone group with tighter settings. The FedRAMP Moderate baseline is minLength=14, complexity on, age=60d, history=24. The fix is usually straightforward but requires admin access to Okta. Note that the check's age threshold is 90 days: a policy with age=90d passes the check but still misses the FedRAMP 60-day parameter, so compare the finding against your target framework's own number.
IAC-15 / IAC-15.1 session timeouts:
Two distinct failures under this control: the maximum session lifetime (IAC-15) and the idle timeout (IAC-15.1). FedRAMP requires session termination after inactivity. Okta's default maximum lifetime is 2 hours, which passes the 12-hour lifetime check; the idle timeout is the stricter check. The default idle timeout is often 1 hour or unlimited, which fails the 15-minute FedRAMP baseline. For SOC 2, 30 minutes is usually acceptable, but the connector conservatively flags anything over 15 minutes. Note that --inactive-threshold-days is the inactive-user threshold (see below), not a session setting; if your target framework is more lenient, document an idle timeout between 15 and 30 minutes as an accepted deviation rather than treating the finding as a failure.
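The password and session checks above, as an added example that is not the okta-inspector connector's own code. It runs over policy and rule documents constructed here to mirror the fields Okta returns from /api/v1/policies?type=PASSWORD and /api/v1/policies/{id}/rules; the thresholds are the ones in the Policies table, and nothing here talks to a tenant. The sample policy names and ids are made up.

```python
"""IAC-06 (password policy) and IAC-15 / IAC-15.1 (session) checks over
JSON shaped like Okta API responses.

Added example, not the connector's code. The policy and rule documents
are constructed; no Okta API calls are made.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    control: str
    severity: str
    passed: bool
    detail: str


# Constructed: shaped like Okta's lenient default password policy
# (minLength 8, no expiry, no history). maxAgeDays == 0 means "never expires".
DEFAULT_PASSWORD_POLICY = {
    "id": "00p-default", "name": "Default Policy", "type": "PASSWORD", "status": "ACTIVE",
    "settings": {"password": {
        "complexity": {"minLength": 8, "minLowerCase": 1, "minUpperCase": 1,
                       "minNumber": 1, "minSymbol": 0},
        "age": {"maxAgeDays": 0, "historyCount": 0},
    }},
}

# Constructed: the FedRAMP Moderate values quoted in the text
FEDRAMP_PASSWORD_POLICY = {
    "id": "00p-fedramp", "name": "FedRAMP Moderate", "type": "PASSWORD", "status": "ACTIVE",
    "settings": {"password": {
        "complexity": {"minLength": 14, "minLowerCase": 1, "minUpperCase": 1,
                       "minNumber": 1, "minSymbol": 1},
        "age": {"maxAgeDays": 60, "historyCount": 24},
    }},
}


def check_password_policy(policy, min_length=14, max_age_days=90, history=24):
    """IAC-06: length, all four character classes, bounded age, history depth."""
    pw = policy["settings"]["password"]
    complexity, age = pw.get("complexity", {}), pw.get("age", {})
    problems = []
    if complexity.get("minLength", 0) < min_length:
        problems.append(f"minLength {complexity.get('minLength', 0)} < {min_length}")
    missing = [k for k in ("minLowerCase", "minUpperCase", "minNumber", "minSymbol")
               if complexity.get(k, 0) < 1]
    if missing:
        problems.append("complexity not enforced for " + ", ".join(missing))
    max_age = age.get("maxAgeDays", 0)
    if max_age == 0 or max_age > max_age_days:      # 0 = passwords never expire
        problems.append(f"maxAgeDays {max_age} (0 = never) exceeds {max_age_days}")
    if age.get("historyCount", 0) < history:
        problems.append(f"historyCount {age.get('historyCount', 0)} < {history}")
    return Finding("IAC-06", "high", not problems,
                   "; ".join(problems) or f"{policy['name']} meets the baseline")


# Constructed sign-on rules. Okta documents maxSessionLifetimeMinutes == 0 as
# "no limit"; any 0 is treated as unlimited here, never as "0 minutes".
LENIENT_SIGNON_RULE = {
    "id": "0pr-lenient", "name": "Lenient Rule", "status": "ACTIVE",
    "actions": {"signon": {"access": "ALLOW", "session": {
        "usePersistentCookie": False, "maxSessionIdleMinutes": 120,
        "maxSessionLifetimeMinutes": 0}}},
}
TIGHT_SIGNON_RULE = {
    "id": "0pr-tight", "name": "FedRAMP Rule", "status": "ACTIVE",
    "actions": {"signon": {"access": "ALLOW", "session": {
        "usePersistentCookie": False, "maxSessionIdleMinutes": 15,
        "maxSessionLifetimeMinutes": 720}}},
}


def check_signon_rule(rule, max_lifetime=720, max_idle=15):
    """IAC-15 (lifetime) and IAC-15.1 (idle) for one sign-on rule."""
    session = rule["actions"]["signon"]["session"]
    lifetime = session.get("maxSessionLifetimeMinutes", 0)
    idle = session.get("maxSessionIdleMinutes", 0)
    return [
        Finding("IAC-15", "medium", 0 < lifetime <= max_lifetime,
                f"{rule['name']}: lifetime {lifetime or 'unlimited'} min (max {max_lifetime})"),
        Finding("IAC-15.1", "medium", 0 < idle <= max_idle,
                f"{rule['name']}: idle {idle or 'unlimited'} min (max {max_idle})"),
    ]


if __name__ == "__main__":
    findings = [check_password_policy(DEFAULT_PASSWORD_POLICY),
                *check_signon_rule(LENIENT_SIGNON_RULE)]
    for f in findings:
        print("PASS" if f.passed else "FAIL", f.control, f.severity, f.detail)
```

Against a real tenant, feed every ACTIVE policy and every rule of the sign-on policy into these functions; a tenant can have several password policies (one per group) and the lenient default often survives alongside the tightened one, so evaluate each rather than the first.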
IAC-15.1 inactive users:
FedRAMP is notoriously strict here: 35 days is the cutoff for Moderate (accounts inactive longer than that must be disabled). SOC 2 has no hard number, but most auditors expect 90 days or less. The default threshold is 90; pass --inactive-threshold-days=35 for FedRAMP.
"Never logged in" users: separate signal. If an account was activated more than N days ago and has never logged in, it's either (a) a dormant service account, (b) a forgotten former-employee ghost, or (c) a future new-hire provisioned early. Any of those warrant review.
IAC-07.1 super admin count:
Okta has built-in admin roles: Super Admin, Org Admin, App Admin, Group Admin, Help Desk Admin, Read-Only Admin, and others. The connector specifically counts Super Admins because that role is the "root" of the org. 5 is a guideline: some very large orgs legitimately need more, and a small shop should still have 2 rather than 1 so that losing one account (or one person) does not lock the org out. FedRAMP and SOC 2 do not mandate a number, but auditors look for "reasonable scope". Pair this with the group memberships evaluation (future work) for a complete picture.
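The three Admin factors checks (super admin count, at least one active factor, a second factor as backup), as an added example that is not the connector's own code. Role assignments and factor enrollments are constructed here as dictionaries keyed by user id, mirroring what /api/v1/users/{id}/roles and /api/v1/users/{id}/factors return per user; the users, role types and factor types are made up for the example.

```python
"""Super-admin scope and MFA checks (Admin factors table: IAC-07.1,
IAC-01.2, IAC-01.3).

Added example, not the connector's code. All inputs are constructed to
mirror per-user Okta API responses; no API calls are made.
"""

USERS = [
    {"id": "u1", "status": "ACTIVE", "profile": {"login": "alice@example.com"}},
    {"id": "u2", "status": "ACTIVE", "profile": {"login": "bob@example.com"}},
    {"id": "u3", "status": "ACTIVE", "profile": {"login": "carol@example.com"}},
    {"id": "u4", "status": "ACTIVE", "profile": {"login": "dave@example.com"}},
]

# Constructed: role assignments as /api/v1/users/{id}/roles returns them.
# Only type == SUPER_ADMIN counts; APP_ADMIN, HELP_DESK_ADMIN etc. are not root.
ROLES_BY_USER = {
    "u1": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "u2": [{"type": "SUPER_ADMIN", "status": "ACTIVE"},
           {"type": "APP_ADMIN", "status": "ACTIVE"}],
    "u3": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "u4": [{"type": "HELP_DESK_ADMIN", "status": "ACTIVE"}],
}

# Constructed: factor enrollments as /api/v1/users/{id}/factors returns them.
# Only ACTIVE factors count; PENDING_ACTIVATION cannot satisfy a challenge.
FACTORS_BY_USER = {
    "u1": [{"factorType": "webauthn", "status": "ACTIVE"},
           {"factorType": "token:software:totp", "status": "ACTIVE"}],
    "u2": [{"factorType": "push", "status": "ACTIVE"}],
    "u3": [{"factorType": "sms", "status": "PENDING_ACTIVATION"}],
    "u4": [{"factorType": "push", "status": "ACTIVE"}],
}


def super_admins(users, roles_by_user):
    """Users holding an active SUPER_ADMIN role assignment."""
    return [u for u in users
            if any(r["type"] == "SUPER_ADMIN" and r.get("status", "ACTIVE") == "ACTIVE"
                   for r in roles_by_user.get(u["id"], []))]


def active_factor_count(user_id, factors_by_user):
    """Number of enrolled factors that are actually usable (status ACTIVE)."""
    return sum(1 for f in factors_by_user.get(user_id, []) if f["status"] == "ACTIVE")


def check_admin_factors(users, roles_by_user, factors_by_user, max_admins=5):
    """Return (control, severity, passed, detail) tuples, org check first."""
    admins = super_admins(users, roles_by_user)
    findings = [("IAC-07.1", "medium", len(admins) <= max_admins,
                 f"{len(admins)} super admins (guideline {max_admins})")]
    for u in admins:
        login = u["profile"]["login"]
        n = active_factor_count(u["id"], factors_by_user)
        findings.append(("IAC-01.2", "critical", n >= 1,
                         f"{login}: {n} active factor(s); super admin must have MFA"))
        findings.append(("IAC-01.3", "high", n >= 2,
                         f"{login}: {n} active factor(s); a second factor is the backup"))
    return findings


if __name__ == "__main__":
    for control, severity, passed, detail in check_admin_factors(
            USERS, ROLES_BY_USER, FACTORS_BY_USER):
        print("PASS" if passed else "FAIL", control, severity, detail)
```

Counting only ACTIVE factors is the point of the carol@example.com case: an SMS factor stuck in PENDING_ACTIVATION shows up in the enrollment list but gives the admin no working second factor, so the critical IAC-01.2 finding fires even though "a factor exists".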
Not covered yet:
When a user asks about these, say "v0.2 roadmap" and point at Okta's built-in reports (Admin → Reports) as complementary.
--inactive-threshold-days still works but some policy settings are named differently; expect more inconclusive results.