Okta_IdentityProvider

Overview

Identity Providers (IdPs) in Okta represent external authentication sources that can be used to authenticate users. These can include social identity providers (such as Google, Facebook, or Microsoft), enterprise identity providers using SAML or OIDC, or other Okta organizations in an Org2Org configuration. When users authenticate through an external identity provider, Okta can optionally create or link user accounts, enabling federated authentication across multiple systems. Identity providers are represented as Okta_IdentityProvider nodes in BloodHound.

The inbound identity provider routing rules and JIT (Just-In-Time) provisioning settings are currently not evaluated.

Edges

The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.

Inbound Edges

Edge Type	Source Node Types	Traversable
Okta_Contains	Okta_Organization	✅
Okta_InboundOrgSSO	AZTenant	✅
Okta_OutboundOrgSSO	Okta_Application	✅
Okta_ResourceSetContains	Okta_ResourceSet	✅

Outbound Edges

Edge Type	Destination Node Types	Traversable
Okta_IdentityProviderFor	Okta_User	✅
Okta_IdpGroupAssignment	Okta_Group	❌

Properties

These properties are common for all identity provider types:

Name	Source	Type	Description
`id`	`idp.id`	`string`	Unique identity provider identifier.
`name`	`idp.name`	`string`	Identity provider name.
`displayName`	`idp.name`	`string`	Display label used in BloodHound.
`oktaDomain`	Collector context (non-API)	`string`	Okta organization domain where the identity provider exists.
`issuerMode`	`idp.issuerMode`	`string`	Issuer mode for the identity provider.
`type`	`idp.type`	`string`	Identity provider category/type.
`enabled`	`idp.status == "ACTIVE"`	`bool`	Whether the IdP is active/enabled.
`autoUserProvisioning`	`idp.policy.provisioning.action == "AUTO"`	`bool`	Whether automatic user provisioning is enabled.
`governedGroupIds`	`idp.policy.provisioning.groups`	`string[]`	Group IDs governed by this IdP provisioning policy.
`protocolType`	`idp.protocol.*.type[0]`	`string`	Protocol configured for authentication through this IdP.
`url`	`idp.protocol..endpoints..url[0]`	`string`	Primary authorization/SSO endpoint URL for the IdP.
`created`	`idp.created`	`datetime`	IdP creation timestamp.

Additional properties are provider-specific:

Name	Source	Type	Description
`entraTenantId`	`TenantIdFromSamlEndpoint(url)`	`string`	Associated Entra tenant ID when identifiable.

Sample Property Values

id: 0oazpi53t1cRNcPL4697
name: Microsoft Entra ID
displayName: Microsoft Entra ID
oktaDomain: contoso.okta.com
created: 2026-01-31T15:21:37+00:00
issuerMode: DYNAMIC
type: MICROSOFT
enabled: false
autoUserProvisioning: true
governedGroupIds: []
protocolType: OIDC
url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Okta_IdentityProvider

Overview

Edges

Inbound Edges

Outbound Edges

Properties

Sample Property Values

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Documentation Index

​Overview

​Edges

​Inbound Edges

​Outbound Edges

​Properties

​Sample Property Values

Overview

Edges

Inbound Edges

Outbound Edges

Properties

Sample Property Values