fctr-okta-mcp-server by fctr-id - MCP Server

Built by the Fctr Identity team • Not affiliated with Okta

TAKO MCP Server for Okta (beta v0.1)

⚡ Powered by Anthropic's Code Execution with MCP Architecture

Production-ready MCP server implementing Anthropic's Code Execution with MCP pattern with dual-mode operation, context-engineering, enhanced security sandbox, and enterprise-grade features.

Overview

A production-ready MCP server for Okta administration with dual-mode operation. Successor to okta-mcp-server.

This server enables AI assistants to query Okta resources using the Model Context Protocol. It is designed for IAM engineers, security teams, and Okta administrators who want to give their AI tools safe, controlled access to their Okta environment.

Key Features:

🔄 Dual-Mode Operation - Standard MCP server mode or autonomous agent mode
🌐 Flexible Transports - STDIO for desktop clients, HTTP for remote deployments
🔑 Okta Tokens - API Token (simple) or OAuth2 with Private Key JWT (production)
📊 CSV Export - Save query results to files for reporting
🔒 Secure Execution - AST-based sandbox with whitelisted operations
✅ MCP Compliant - Elicitation, Progress notifications, logging, and tool annotations

🧠 Core Concepts

Before installing, it's helpful to understand the two key configuration choices: Mode and Transport.

1. Operating Modes

Controls how the AI interacts with the server. Set via ENABLE_AGENT_MODE environment variable.

Feature	Basic MCP Mode (`false`)	Agent Mode (`true`)
Context Size	Higher - all tools loaded upfront	Lower - progressive discovery
Token Cost	Higher initial cost	Lower initial cost
Use Case	MCP gateways, tool composition, granular control	Autonomous AI workflows
Architecture	Standard MCP tool exposure	Meta-tool discovery pattern
Data Fetching	Sample data (3 results) + endpoint metadata	Full result sets via code execution
Available Tools	`read_system_instructions`, `get_code_generation_prompt`, `execute_code`, `okta_*` tools	`get_available_operations`, `get_operation_details`, `get_code_generation_prompt`, `execute_code`

Basic MCP ServerMode (Default)

Tools exposed directly to the LLM. The AI calls read_system_instructions() first, then uses okta_* tools for sample data and execute_code() for full results.

Basic MCP Mode

Can be used for:

Category	Supported Platforms
Desktop Clients	Claude Desktop, Cursor, Zed, VS Code (Windsurf)
Enterprise Gateways	Obot.ai, Smithery, Lasso Security
Agent Frameworks	LangGraph, LlamaIndex, Goose

Agent Mode

AI discovers APIs dynamically via get_available_operations() and get_operation_details(), then generates code for execution. This mode is ideal for complex, multi-step queries where the agent explores the API surface as needed.

Agent Mode

2. Transports

Controls how clients connect to the server.

Transport	Description	Best For
STDIO (Default)	Communicates via standard input/output pipes.	Local desktop apps (Claude, Cursor, VS Code).
HTTP (SSE)	Exposes a web server endpoint (`/mcp`).	Remote deployments, Docker, Web-based agents.

🚀 Quick Start

Choose the installation method that fits your workflow.

Option A: Docker (Recommended)

The fastest way to get started without managing Python dependencies.

# 1. Clone the repository
git clone https://github.com/fctr-id/fctr-okta-mcp-server.git
cd fctr-okta-mcp-server

# 2. Create directories for persistent data
mkdir -p logs okta_results  # Windows: New-Item -ItemType Directory -Path logs, okta_results -Force

# 3. Create a .env file (see Configuration section for all options)
cp .env.sample .env
# Edit .env with your Okta credentials

# 4. Build with Docker
docker build --target stdio -t tako-mcp-server:stdio .  # STDIO mode
docker build --target http -t tako-mcp-server:http .    # HTTP mode

Option B: Local Python (uv)

We recommend uv for fast, reliable package management.

# 1. Clone and setup
git clone https://github.com/fctr-id/fctr-okta-mcp-server.git
cd fctr-okta-mcp-server

# 2. Create virtual environment
uv venv .venv
source .venv/bin/activate  # Windows: .venv\Scripts\activate

# 3. Install dependencies
uv pip install -e .

# 4. Create a .env file (see Configuration section for all options)
cp .env.sample .env
# Edit .env with your Okta credentials

# 5. Run (HTTP - for remote/web access)
python -m fctr_okta_mcp.server --http-transport --i-understand-the-risks

⚙️ Configuration

Configuration is managed via environment variables. Set these in a .env file or pass them directly.

Environment Variables

Variable	Required	Default	Description
`OKTA_CLIENT_ORGURL`	Yes	-	Okta org URL (e.g., `https://example.okta.com`)
`TOKEN_METHOD`		`API_TOKEN`	Auth method: `API_TOKEN` or `OAUTH2`
`OKTA_API_TOKEN`	*	-	API token (required if `TOKEN_METHOD=API_TOKEN`)
`OKTA_OAUTH2_CLIENT_ID`	*	-	OAuth2 client ID (required if `TOKEN_METHOD=OAUTH2`)
`OKTA_OAUTH2_PRIVATE_KEY_PEM`	*	-	Private key in PEM format
`OKTA_OAUTH2_SCOPES`		`okta.users.read okta.groups.read okta.apps.read`	OAuth2 scopes
`ENABLE_AGENT_MODE`		`false`	Enable Agent Mode
`MCP_BASE_URL`		`http://127.0.0.1:8000`	Base URL for HTTP transport (supports https for reverse proxy)
`OKTA_CONCURRENT_LIMIT`		`10`	Max concurrent API requests (configure by plan)
`OKTA_MCP_EXECUTION_TIMEOUT_SECONDS`		`300`	Code execution timeout
`OKTA_MCP_LOG_LEVEL`		`INFO`	Log level: `DEBUG`, `INFO`, `WARNING`, `ERROR`

Okta Authentication

Option 1: API Token (Default)

Best for development and simple deployments.

Go to Okta Admin → Security → API → Tokens
Create a new token with read permissions
Configure:

TOKEN_METHOD=API_TOKEN
OKTA_API_TOKEN=your-api-token-here

Option 2: OAuth2 with Private Key JWT (Recommended for Production)

More secure, uses client credentials flow with private key JWT (RFC 7523).

Step 1: Create OAuth2 App in Okta

Go to Okta Admin → Applications → Create App Integration
Select API Services → Next
Name your application and click Save
Note the Client ID

Step 2: Configure Public Key Authentication

In your app, go to General → Client Credentials → Edit
Select Public key / Private key
Click Add Key → Generate new key
Download the private key (PEM format)
Click Save

Step 3: Grant API Scopes

Go to Okta API Scopes tab
Grant required scopes: okta.users.read, okta.groups.read, okta.apps.read, okta.logs.read, okta.policies.read

Step 4: Configure Environment

TOKEN_METHOD=OAUTH2
OKTA_OAUTH2_CLIENT_ID=your-client-id
OKTA_OAUTH2_SCOPES=okta.users.read okta.groups.read okta.apps.read
OKTA_OAUTH2_PRIVATE_KEY_PEM="-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqh...
...your-private-key...
-----END PRIVATE KEY-----"

Tip: The private key can be multi-line (as shown) or single-line with \n escapes.

🔌 MCP Client Setup

STDIO Transport (Desktop Clients)

For Claude Desktop, VS Code, Cursor, and other local MCP clients:

{
  "mcpServers": {
    "tako-mcp": {
      "command": "path/to/.venv/Scripts/python",
      "args": ["-m", "fctr_okta_mcp.server"],
      "env": {
        "OKTA_CLIENT_ORGURL": "https://your-org.okta.com",
        "OKTA_API_TOKEN": "your_api_token",
        "ENABLE_AGENT_MODE": "true"
      }
    }
  }
}

HTTP Transport (Remote/Web)

For web-based deployments, remote access, or programmatic clients.

Start the server first:

python -m fctr_okta_mcp.server --http-transport --i-understand-the-risks

Then configure your MCP client:

{
  "mcpServers": {
    "tako-mcp": {
      "url": "http://localhost:8000/mcp",
      "type": "http"
    }
  }
}

Docker (STDIO)

See Quick Start - Docker for build instructions.

{
  "mcpServers": {
    "tako-mcp": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-v", "./logs:/app/logs",
        "-v", "./okta_results:/app/okta_results",
        "-e", "OKTA_CLIENT_ORGURL",
        "-e", "OKTA_API_TOKEN",
        "-e", "ENABLE_AGENT_MODE=true",
        "tako-mcp-server:stdio"
      ],
      "env": {
        "OKTA_CLIENT_ORGURL": "https://your-org.okta.com",
        "OKTA_API_TOKEN": "your_api_token"
      }
    }
  }
}

Docker (HTTP)

For HTTP transport with Docker:

docker run -p 8000:8000 \
  -v ./logs:/app/logs \
  -v ./okta_results:/app/okta_results \
  -e OKTA_CLIENT_ORGURL=https://your-org.okta.com \
  -e OKTA_API_TOKEN=your_api_token \
  -e MCP_BASE_URL=http://localhost:8000 \
  tako-mcp-server:http

Note: The server binds to 0.0.0.0:8000 inside the container (required for Docker networking), but MCP_BASE_URL controls what URL is reported to MCP clients.

🛠️ Available Tools

When in Basic MCP Mode, the following tools are available:

User Management

okta_user_list - List users with filtering, search, and pagination
okta_user_get - Get detailed user profile by ID or login
okta_user_list_groups - List groups a user belongs to
okta_user_list_applications - List applications assigned to a user
okta_user_list_factors - List enrolled authentication factors

Group Operations

okta_group_list - List groups with filtering and pagination
okta_group_get - Get detailed group information
okta_group_list_users - List members of a group
okta_group_list_applications - List applications assigned to a group

Application Management

okta_app_list - List applications with filtering
okta_app_get - Get detailed application information
okta_app_list_users - List users assigned to an application
okta_app_list_groups - List groups assigned to an application

System Logs

okta_log_get_events - Query system log events with advanced filtering

Policies & Network Zones

okta_policy_list_rules - List rules for a specific policy
okta_policy_get_rule - Get detailed policy rule configuration
okta_network_list_zones - List network zones
okta_network_get_zone - Get detailed network zone information

Utilities

okta_datetime_now - Get current UTC timestamp for queries
okta_datetime_parse_relative - Parse natural language time expressions (e.g., "24 hours ago")

In Agent Mode, these tools are hidden. The agent uses get_available_operations to discover them dynamically.

🔒 Security

Code Execution Sandbox

All generated Python code is validated before execution:

Layer	Protection
Pattern Blocking	`os.system`, `subprocess`, `exec`, `eval`, `open`
Import Control	All modules pre-injected; imports blocked
Function Whitelist	Only safe builtins (`len`, `str`, `dict`, etc.)
HTTP Restriction	Only `GET` requests allowed

Data Privacy

Okta data is sent to the AI model during queries
Large result sets export to CSV; only summaries return to AI
Auto-Cleanup: CSV files generated in HTTP mode are automatically deleted after 1 hour
Ensure organizational policies permit AI processing of Okta data

🚨 Rate Limits

Step 1: Identify your Okta API rate limit percentage (we recommend setting it to 100% in the Okta Admin Console).

Step 2: Set OKTA_CONCURRENT_LIMIT in your .env file based on your Okta plan:

Tenant Type	API Rate Limit %	Recommended Setting	Tested Maximum (⚠️)
Integrator	50%	22	30
Integrator	75%	34	40
Integrator	100%	45	50
One App	50%	135	200
One App	75%	203	300
One App	100%	270	400
Enterprise	50%	135	200
Enterprise	75%	203	300
Enterprise	100%	270	400
Workforce Identity	50%	135	270
Workforce Identity	75%	203	405
Workforce Identity	100%	270	540

⚠️ Monitor for Rate Limit Warnings:

WARNING - Concurrent limit rate exceeded

If you see this frequently:

Reduce your OKTA_CONCURRENT_LIMIT by 10-20%
Cancel the sync and try a lower value
Contact support@fctr.io if issues persist

🆘 Get Help

Before raising an issue, check:

📝 Server configuration and .env file
🔑 Okta API token permissions
🔌 MCP client compatibility
📊 Server logs in logs/ directory

Support Channels:

🐛 GitHub Issues - Bug reports and feature requests
📧 Email: support@fctr.io - General support
💬 Slack: dan@fctr.io - Quick questions

📄 License

Elastic License 2.0 - See .

✅ Use for internal purposes • ✅ Modify and distribute
❌ Hosted/managed service • ❌ Remove license notices