> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Get started with Okta application requests

> Follow this guide to get started with self service requests for Okta apps.

## Before you begin

To complete this guide, you'll need:

* C1 **Super Administrator** or **Connector Administrator** role
* An Okta account

**Estimated time:** 10 minutes

## Step 1: Integrate your Okta instance

Start by integrating your Okta instance with C1. Use the [Okta connector](/baton/okta) to sync Okta to C1.

Once connected, C1 ingests all of the users, apps, groups, and other entitlements and resources from Okta.

## Step 2: Convert an Okta app to a managed app

Before managing access to an Okta app, you'll need to begin managing it with C1.

<Steps>
  <Step>
    Navigate to **Apps** and click the **Unmanaged apps** tab.

    Find the application you want to enable for self-service or lifecycle management.
  </Step>

  <Step>
    Click **Manage**.
  </Step>
</Steps>

<Tip>
  **Don’t stress.**

  Converting an app from unmanaged to managed in C1 does not change any configuration in the IdP.
</Tip>

Once an application is managed, you can enforce access controls, run user access reviews, and drive lifecycle management for the app.

## Step 3: Configure the app entitlements (optional)

Every managed application in C1 comes with a **Credential** resource. This "access entitlement" is used to manage account level access to application. In Okta, at a minimum, this means that the user is assigned to the Okta app.

Additionally, applications configured in Okta may use groups to SCIM roles and permissions to the connected application. C1 can easily convert these **linked entitlements** into resources and entitlements in your C1 instance.

If groups are assigned to the application in Okta, you can convert these linked entitlements from Okta into in-app entitlements in the C1 app:

<Steps>
  <Step>
    Click **Entitlements**, then click the **Linked entitlements** icon at the top right corner of the entitlements table (the icon looks like a Venn diagram).
  </Step>

  <Step>
    In the **Linked entitlements** drawer, click the **Setup** tab.
  </Step>

  <Step>
    For each IdP entitlement C1 has identified as linked to the app, choose an action:

    * **Create virtual role**: Set up a new role in the app that will be linked to the IdP entitlement. This role will only exist in C1, and will function as an alias for the IdP entitlement. Your colleagues can request and review the role, which will appear as part of the app, but they will in actuality be requesting or reviewing the IdP entitlement.

    * **Provision access for**: Link the IdP entitlement to an existing entitlement in the app. When your colleagues request or review the app entitlement, they will also be requesting or reviewing the IdP entitlement.

    * **Skip**: Do nothing.
  </Step>

  <Step>
    When you've made all of your selections, click **Save**.
  </Step>
</Steps>

C1 will now create the resources and entitlements in the managed app and set a binding for that entitlement to the Okta group. This binding is what allows C1 to automatically provision access when a user is granted the entitlement.

## Step 4: Configure the app and entitlements for self-service

Now we'll configure the application and any entitlements we created in Step 3 so they're ready for self-service requests.

<Steps>
  <Step>
    Navigate to the app's **Overview** page.
  </Step>

  <Step>
    In the **Entitlement management** section, click **Edit** next to **Default config rules**.
  </Step>

  <Step>
    In the configuration rules pane, click the toggle to **Enable configuration rules**.
  </Step>

  <Step>
    If you want to make the app itself requestable, click **Credential** in the selected resources.
  </Step>

  <Step>
    If you want to make the roles or other entitlements you created in Step 3 requestable, select those resource types.
  </Step>

  <Step>
    In the **Access profiles** field, search for and select an access profile. For example, select **Everyone** to make the entitlements requestable by all users.
  </Step>

  <Step>
    Finally, check the box at the bottom of the screen and click **Apply**.
  </Step>
</Steps>

## Step 5: Request your Okta app and entitlements

Submit a request to confirm the setup is working.

<Steps>
  <Step>
    Click **Requests** and make sure that **App catalog** is selected.
  </Step>

  <Step>
    Find the application you just created.

    If you've made the application requestable, you'll see a **Request** button on the app. If you've made individual entitlements requestable, you'll see those on the app.
  </Step>

  <Step>
    Select the app or an entitlement you want to request, and click **Request**.
  </Step>

  <Step>
    Enter the justification and click **Request**.
  </Step>
</Steps>

## Success!

The request will be auto-approved based on the policy, and C1 will provision your access by assigning you to the application and the correct groups in Okta.