Does Okta have native backup?

No. Okta operates under a shared responsibility model and does not provide built-in backup or restore capabilities. You are responsible for your own disaster recovery.

What Okta resources can Butterfly Security backup?

Butterfly Security supports 70+ resource types including users, groups, applications, policies, authorization servers, Workflows (flows, tables, connectors), brands, and more.

Can I backup Okta Workflows?

Yes. Butterfly Security provides complete Workflows backup including flow definitions, folder structure, table data (CSV export), and custom connectors from Connector Builder.

How long does an Okta backup take?

Backup time depends on org size and provider rate limits. Small orgs (under 1,000 users): 2-5 minutes. Medium orgs (1K-10K users): 10-20 minutes. Large orgs (10K-50K users): 20-45 minutes. Enterprise (50K+ users): 45 minutes to 2+ hours. Nested resources and API rate limits add natural pacing.

Is Butterfly Security secure?

Yes. All backups are encrypted at rest with AES-256, stored in isolated per-account storage, with credentials encrypted separately. We use SOC 2 compliant infrastructure.

Can I export Okta configuration to Terraform?

Yes. Butterfly Security can generate Terraform HCL from your backups, enabling Infrastructure as Code workflows and version-controlled Okta configuration management.

What is a dry-run restore?

Dry-run restore generates a preview showing exactly what would be created, updated, or skipped before making any changes. This ensures safe, predictable restores with no surprises.

Can I restore to a different Okta org?

Yes. Backups use name-based matching so they are portable across orgs. This enables sandbox sync, environment replication, and disaster recovery to alternate orgs.

Documentation | Butterfly Security

Supported Identity Providers

Butterfly Security supports Okta, Microsoft Entra ID, Auth0, Ping Identity, and 1Password.

Important: Only connect your organization's own identity provider instances (e.g., yourcompany.okta.com, your Entra tenant, your Auth0 domain).

We recommend testing with sandbox/preview environments before connecting production. See Terms of Service.

Quick Start

Get your first backup running in under 10 minutes

Create an Account

Configure Your Provider

Set up API credentials for your identity provider (Okta OAuth app, Entra app registration, Auth0 M2M app, etc.). See detailed setup guide below →

Connect Your Provider

Add your provider URL and credentials. We'll automatically detect which resources you can access.

Run Your First Backup

Click "Run Backup" on your connection. Backups typically complete in 2-30 minutes depending on org size.

Free Trial

Get started with a 14-day free trial

Free Trial14 days, no credit card required

Try Butterfly Security risk-free. Your trial starts when you create your first backup connection and includes full access to all features.

Full Backup Coverage

5 providers, 45+ resource types

Workflows Backup

Flows, tables, and connectors

Terraform Export

Generate HCL from backups

Git Integration

Export to GitHub, GitLab, Bitbucket, Azure DevOps, and AWS CodeCommit

Compliance Checks

SOC2, HIPAA, PCI DSS, and more

Scheduled Backups

Hourly to monthly automation

The Most Comprehensive Identity Backup Platform

Butterfly Security supports 5 identity providers — Okta, Microsoft Entra ID, Auth0, Ping Identity, and 1Password — with 45+ resource types, full Workflows backup, Terraform export, Git integration, and compliance checks all in one platform.

CLI Authentication

Modern OAuth device flow for seamless CLI login

The Butterfly Security CLI uses OAuth device flow authentication for seamless login without manual token copy/paste.

Quick Start

Install the CLI

Why: Available via Homebrew or direct download

bash

brew install butterfly-cli

Or download from: GitHub Releases

Authenticate

Why: Browser opens automatically - no manual token copy needed

bash

butterfly login

Browser opens automatically to login page
Choose your auth method (Google, GitHub, Microsoft, GitLab, or Email)
Token automatically sent to CLI -- no copy/paste needed

Start Using the CLI

Why: All commands work immediately after authentication

bash

# Show backup status
butterfly status

# List all backups
butterfly list

# Trigger a new backup
butterfly backup

# Compare two backups
butterfly diff <backup1-id> <backup2-id>

# Export to Terraform
butterfly export terraform <backup-id>

Authentication Methods

OAuth Device Flow (Recommended)

bash

butterfly login

Browser auto-opens
Automatic token delivery
Works offline after login

API Key (Legacy)

bash

butterfly login --api-key sk_xxxxx

For programmatic / CI/CD access
No browser required
Still fully supported

How OAuth Device Flow Works

1
Run butterfly login
CLI generates a unique device code
2
Browser opens automatically
You are taken to the login page with your device code
3
Complete authentication
Choose your login method (Google, GitHub, Email, etc.)
4
Token returned to CLI
You are logged in -- no manual copy/paste needed

Token Storage

Stored locally on your computer only
Automatically expires after 1 hour of use
Never transmitted unless making API requests

macOS: ~/Library/Application Support/butterfly-cli/config.json

Linux: ~/.config/butterfly-cli/config.json

Windows: %APPDATA%\butterfly-cli\config.json

Browser Didn't Open?

The CLI will display your device code and URL. You can manually visit https://butterflysecurity.org/cli/authorize and enter the code.

Identity Provider Setup

Configure secure authentication for your identity provider

Each provider uses a different authentication mechanism. Select your provider below for step-by-step instructions. All methods use read-only credentials to minimize risk.

OAuth 2.0 with Private Key JWT

Okta uses OAuth 2.0 client credentials with private key JWT — the most secure M2M auth method. The private key never leaves your control; only signed JWTs are sent.

Create an API Services Application

Log into your Okta Admin Console
Navigate to Applications → Applications
Click Create App Integration
Select API Services as the sign-in method
Name it Butterfly Security Service
Click Save

Configure Public Key Authentication

In your app, go to the General tab
Under Client Credentials, click Edit
Change to Public key / Private key
Click Add Key → Generate new key
Download and save the private key immediately!
Click Done, then Save

Save your private key securely! Okta will not show it again.

Grant API Scopes

Go to the Okta API Scopes tab
Grant all *.read scopes for backup
Grant *.manage scopes for restore

See the complete Okta scope reference below →

Assign Administrator Role

Go to the Admin roles tab
Click Edit assignments
Select Super Administrator (recommended for full backups)
Click Save changes

Copy Your Credentials

Okta Org URL:https://yourorg.oktapreview.com

Client ID:0oa2mcw4nukE8tHCA0h8

Private Key:(the PEM file you downloaded)

API Scopes & Permissions Reference

Provider-specific scopes for backup and restore

Select a provider below to see the required API scopes and permissions. Read scopes are needed for backups; write/manage scopes are needed for restores.

Essential scopes for user and group management

okta.users.read

Read user profiles, status, and metadata

Backup

okta.users.manage

Create, update, and delete users

Restore

okta.groups.read

Read groups and group memberships

Backup

okta.groups.manage

Create, update groups and manage memberships

Restore

okta.userTypes.read

Read user type definitions

Backup

okta.userTypes.manage

Create and modify user types

Restore

Application configuration, assignments, and OAuth grants

okta.apps.read

Read app configurations and settings

Backup

okta.apps.manage

Create, update, and configure applications

Restore

okta.clients.read

Read OAuth 2.0 client configurations

Backup

okta.clients.manage

Create and modify OAuth clients

Restore

okta.appGrants.read

Read OAuth app grant configurations

Backup

okta.appGrants.manage

Configure app grants

Restore

Sign-on policies, password policies, MFA policies, and access policies

okta.policies.read

Read all policy types and their rules

Backup

okta.policies.manage

Create, update, and activate policies

Restore

Quick Copy: All Backup Scopes

Copy this list to grant all read scopes for comprehensive backups:

All Read Scopes

okta.users.read
okta.groups.read
okta.apps.read
okta.clients.read
okta.policies.read
okta.authorizationServers.read
okta.idps.read
okta.networkZones.read
okta.trustedOrigins.read
okta.authenticators.read
okta.behaviors.read
okta.deviceAssurance.read
okta.threatInsights.read
okta.captchas.read
okta.riskProviders.read
okta.factors.read
okta.sessions.read
okta.pushProviders.read
okta.eventHooks.read
okta.inlineHooks.read
okta.logStreams.read
okta.brands.read
okta.domains.read
okta.emailDomains.read
okta.templates.read
okta.schemas.read
okta.profileMappings.read
okta.linkedObjects.read
okta.uischemas.read
okta.userTypes.read
okta.roles.read
okta.apiTokens.read
okta.appGrants.read
okta.principalRateLimits.read
okta.devices.read
okta.logs.read
okta.orgs.read
okta.features.read
okta.agentPools.read
okta.realms.read
okta.emailServers.read
okta.identitySources.read

Quick Copy: All Restore Scopes

Add these manage scopes if you also want restore capability:

All Manage Scopes

okta.users.manage
okta.groups.manage
okta.apps.manage
okta.clients.manage
okta.policies.manage
okta.authorizationServers.manage
okta.idps.manage
okta.networkZones.manage
okta.trustedOrigins.manage
okta.authenticators.manage
okta.behaviors.manage
okta.deviceAssurance.manage
okta.threatInsights.manage
okta.captchas.manage
okta.factors.manage
okta.sessions.manage
okta.pushProviders.manage
okta.eventHooks.manage
okta.inlineHooks.manage
okta.logStreams.manage
okta.brands.manage
okta.domains.manage
okta.templates.manage
okta.schemas.manage
okta.profileMappings.manage
okta.linkedObjects.manage
okta.uischemas.manage
okta.userTypes.manage
okta.roles.manage
okta.appGrants.manage
okta.principalRateLimits.manage
okta.devices.manage
okta.features.manage
okta.realms.manage
okta.emailServers.manage
okta.identitySources.manage

Supported Resources

55+ resource types across Okta, Entra ID, Auth0, Ping, 1Password, Workato, Boomi & Zapier

Butterfly Security supports 8 providers — 5 identity platforms and 3 iPaaS automation platforms — with comprehensive resource coverage. Select a provider below for the full resource list. When you connect a provider, we automatically detect which resources you have access to.

Okta Resources (Full List)

Core Identity

Users
User profiles, status, credentials, and metadata
Groups
Groups, memberships, and group owners
Group Rules
Automatic group membership rules
User Types
Custom user type definitions
User Schemas
Custom user profile attributes
Group Schemas
Custom group profile attributes
Profile Mappings
Attribute mappings between sources
Linked Objects
Manager/report relationships
UI Schemas
Custom enrollment form layouts

Applications

Applications
SAML, OIDC, SWA, and custom apps
User Assignments
User-to-app assignments with credentials
Group Assignments
Group-to-app assignments
OAuth Clients
OAuth 2.0 client configurations
App Features
App-specific feature settings
App Schemas
App-specific profile attributes

Policies

Sign-On Policies
Global and app-level sign-on policies
Password Policies
Password strength and expiration rules
MFA Enrollment
MFA enrollment and factor policies
Access Policies
Application access control policies
IdP Discovery
Identity provider routing rules
Profile Enrollment
Self-service registration policies
Policy Rules
All policy rules and conditions

Security

Network Zones
IP-based and dynamic network zones
Trusted Origins
CORS and redirect origins
Authenticators
MFA factor configurations
Behaviors
Anomaly detection and risk rules
Device Assurance
Device compliance policies
Risk Providers
Third-party risk signal integrations
CAPTCHAs
CAPTCHA configurations
Push Providers
Custom push notification providers

Authorization

Auth Servers
Custom authorization servers
Claims
Custom token claims
Scopes
OAuth scope definitions
Auth Policies
Auth server access policies and rules
Identity Providers
SAML, OIDC, and social IdPs
Custom Roles
Custom admin role definitions
Resource Sets
Resource set definitions for RBAC
Role Permissions
Role permission assignments

Hooks & Integrations

Event Hooks
Outbound webhooks for events
Inline Hooks
Synchronous API hooks for customization
Hook Keys
Cryptographic keys for hook verification
Log Streams
Log streaming to SIEM/analytics
SSF Receivers
Shared Signals receivers
SSF Transmitters
Shared Signals transmitters
Security Events
Security event provider configs

Branding & Communication

Brands
Branding and theme settings
Custom Domains
Custom domain configurations
Email Domains
Email sending domain settings
Email Templates
Customized email templates
SMS Templates
SMS message templates
Email Servers
Custom SMTP configurations
Telephony Providers
Custom voice/SMS providers

Organization & Governance

Org Settings
Organization-level configurations
Features
Enabled feature flags
Agent Pools
AD/LDAP agent configurations
Realms
OIG realm configurations
Realm Assignments
User realm assignments
Access Certifications
OIG certification campaigns
Access Requests
OIG access request configs
Governance Bundles
Entitlement bundles

Dynamic Resource Detection

When you connect any provider, we test each resource endpoint to determine exactly which resources you have permission to access. Only accessible resources will appear in your backup options.

AI-Powered Security Analysis

Context-aware AI analysis of your identity topology

Butterfly Security integrates AI-powered analysis directly into the topology viewer, enabling you to ask questions about any entity in your identity environment and receive context-aware security insights.

Multi-Provider AI Support

Bring your own API key and choose your preferred AI provider:

Claude (Anthropic)

Advanced reasoning and security analysis

ChatGPT (OpenAI)

Broad knowledge and natural language understanding

Copilot (Microsoft)

Azure-integrated AI capabilities

Gemini (Google)

Google AI with multimodal understanding

How It Works

Auto-analysis on node selection -- Click any user, group, app, or policy in the topology to trigger an automatic security assessment
Quick action buttons -- Use preset prompts like "Risks?", "Over-provisioned?", and "Improvements?" for instant analysis
Conversational follow-ups -- Ask follow-up questions about the selected entity for deeper investigation

Configure Your API Key

Navigate to Dashboard → Settings to configure your preferred AI provider and API key. Your key is stored securely and never shared.

Natural Language Search

Query your identity topology using plain English

Search your entire identity topology using natural language queries instead of manual filtering. Type questions like you would ask a colleague.

Example Queries

Who has access to AWS?

Show all admin users

Which apps have no MFA policy?

Find service accounts with super admin

Show groups with more than 100 members

Features

Autocomplete Suggestions

Get query suggestions as you type

Topology Results

Results displayed as interactive topology views

Relationship Exploration

Follow connections between users, groups, and apps

Search History

Quickly re-run previous queries

Topology Viewer

Interactive resource relationship graph for your identity environment

The topology viewer provides an interactive graph powered by React Flow that visualizes the relationships between all resources in your identity environment -- users, groups, applications, and policies.

Capabilities

Visualize connections between users, groups, apps, and policies in a single graph
Click any node to see details, metadata, and trigger AI security analysis
Zoom, pan, and search within the graph to find specific resources
Multiple relationship types -- member_of, assigned_to, governed_by, authenticates_with, and more

Relationship Types

member_of

User belongs to a group

assigned_to

User or group assigned to an app

governed_by

Resource governed by a policy

authenticates_with

App uses an auth server or IdP

managed_by

Resource managed by an admin role

connected_to

Hook or integration linked to an app

Non-Human Identity Security

Identify and manage service accounts, API tokens, and OAuth apps

Non-human identities (NHIs) such as service accounts, API tokens, and OAuth applications often have elevated privileges and are frequently overlooked in security reviews. Butterfly Security helps you identify and manage these risks.

What We Detect

Over-privileged service accounts

Service accounts with more permissions than needed

Stale credentials

API tokens and service accounts that haven't been used recently

Unused OAuth apps

OAuth applications with no recent activity

Shared service accounts

Service accounts used across multiple integrations

Why NHI Security Matters

Non-human identities are the fastest-growing attack surface. Service accounts with static credentials and excessive permissions are a top target for attackers. Regular review of NHI security posture is essential.

Compliance Remediation

Actionable fix guidance for every compliance finding

When compliance checks identify issues, Butterfly Security provides actionable remediation guidance so you know exactly what to fix and how to fix it.

Remediation Features

Step-by-step instructions -- Each finding includes detailed remediation steps specific to your identity provider configuration
Priority-based triage -- Findings are ranked by severity (critical, high, medium, low) so you can address the most important issues first
Framework mapping -- Each remediation links back to the specific compliance control it satisfies (SOC 2, HIPAA, PCI DSS, etc.)

Continuous Improvement

Run compliance checks after remediation to verify fixes and track your compliance score improvement over time.

Unified Identity Graph

Cross-provider identity correlation and inconsistency detection

The Unified Identity Graph correlates identities across all connected providers (Okta, Entra ID, Auth0, Ping Identity, 1Password) to give you a single view of every person and service account in your organization.

How It Works

Email-based correlation

Identities across providers are matched by email address, building a unified profile for each person

Inconsistency detection

Automatically flags mismatches -- different names, statuses, or roles for the same person across providers

Risk scoring

Each correlated identity gets a risk score based on inconsistencies, orphaned accounts, and privilege mismatches

What Gets Detected

Orphaned accounts

Identities that exist in one provider but not others

Name mismatches

Same email with different display names across providers

Status conflicts

Active in one provider, suspended in another

Role inconsistencies

Admin in Okta but regular user in Entra ID

Try It

Open the Identity Graph dashboard to see correlated identities across your connected providers, or try the interactive demo.

IAM Chaos Engineering

Simulate identity disasters safely to test your resilience

IAM Chaos Engineering lets you simulate identity-related disasters in a safe, read-only environment. See the blast radius of changes before they happen, and understand how your IAM configuration handles failures.

10 Simulation Types

User Lockout

Simulate a user losing all access

Group Deletion

See what breaks when a group is removed

MFA Disable

Assess risk of MFA being turned off

Admin Compromise

Model an admin account takeover

Policy Removal

Simulate deleting authentication policies

App Deletion

See cascade effects of removing an application

Provider Outage

Model a full identity provider outage

Credential Leak

Simulate API key or credential exposure

Mass Deprovisioning

Model bulk user removal scenarios

Authenticator Failure

Simulate MFA authenticator going down

Simulation Results Include

Risk score (0-100) -- Overall severity of the simulated incident
Blast radius -- Exact count of affected users, apps, and policies
Cascade effects -- Secondary and tertiary impacts traced through your topology
Mitigation steps -- Actionable recommendations to reduce risk

Safe Simulation

All simulations are read-only. No changes are made to your actual IAM configuration. Chaos engineering runs against a graph model of your topology, not your live environment.

Backup

How backups work and what to expect

How Backup Works

1
Authentication
We generate a short-lived OAuth access token using your private key
2
Data Collection
We call your provider's APIs to fetch each resource type, respecting rate limits
3
Snapshot Creation
All data is combined into a versioned snapshot with SHA-256 hashes for integrity
4
Secure Storage
The snapshot is encrypted and stored in your isolated storage bucket

Backup Duration

Small org (<1,000 users)	2-5 min
Medium org (1K-10K users)	10-20 min
Large org (10K-50K users)	20-45 min
Enterprise (50K+ users)	45 min - 2+ hrs

Storage Features

AES-256 encryption at rest
TLS 1.3 encryption in transit
Isolated per-user buckets
Configurable retention

Data Not Included in Backups

For security reasons, the following sensitive data is never stored:

• User passwords — Cannot be read via API; users are restored in STAGED status
• MFA factors — Factor secrets cannot be exported; users must re-enroll
• OAuth client secrets — App secrets must be regenerated on restore
• SAML signing certificates — Private keys cannot be exported
• IdP credentials — Social login secrets, LDAP passwords, etc.
• Hook auth headers — Webhook authentication tokens

Scheduled Backups

Automate your identity backups on a schedule

Paid Feature

Scheduled backups require a paid plan. Trial users can run manual backups but cannot enable automatic scheduling.

Configuring a Schedule

You can configure scheduled backups from the Connections page by clicking on the schedule display for any connection.

Go to Dashboard → Connections
Click on the schedule text (e.g., "Manual" or "Daily at 02:00")
Toggle "Enable scheduled backups"
Select your preferred frequency, time, and timezone
Click "Save Schedule"

Schedule Options

Frequency

• Hourly — Runs every hour on the hour
• Daily — Runs once per day at your specified time
• Weekly — Runs once per week on your specified day and time

Timezone

All schedule times are based on your selected timezone. Common options include US Eastern, Pacific, UTC, and more.

Failure Handling

If a scheduled backup fails, the system will automatically:

Increment a failure counter and log the error
Continue scheduling future backups
After 3 consecutive failures, pause scheduling for 24 hours
Display warnings in the schedule modal

To resume after a pause, simply re-save the schedule configuration. This will clear the failure count and immediately reschedule the next backup.

Best Practices

Schedule backups during off-peak hours to minimize impact on API rate limits
Use daily backups for most organizations; hourly is rarely necessary
Monitor the schedule history to ensure backups are completing successfully
Consider your data retention needs when choosing a backup frequency

Restore

How to safely restore your identity configuration

Restore Modes

Dry Run Mode

Preview all changes without modifying anything. Shows exactly what would be created, updated, or skipped.

Recommended: Always run a dry run first

Execute Mode

Actually perform the restore. Creates new resources and optionally updates existing ones.

Requires explicit confirmation

Restore Behavior

Create Missing Resources

Resources in the backup but not in the target org will be created

Skip Existing (Default)

Resources that already exist in the target org are skipped by default

Selective Restore

Choose specific resource types to restore; others are ignored

Restore Support by Provider

Okta

Full restore support. Requires *.manage scopes granted to your OAuth app.

Key scopes: okta.users.manage, okta.groups.manage, okta.apps.manage, okta.policies.manage

Microsoft Entra ID

Full restore support. Requires write permissions on your app registration.

Key permissions: User.ReadWrite.All, Group.ReadWrite.All, Application.ReadWrite.All, Policy.ReadWrite.ConditionalAccess

Auth0

Full restore support. Requires Management API scopes on your M2M application.

Key scopes: create:users, update:users, create:clients, update:connections, create:roles

Ping Identity

Full restore support. Requires write permissions on your PingOne worker application.

Key scopes: p1:create:user, p1:update:user, p1:create:group, p1:update:application, p1:update:policy

1Password

Read-only support. 1Password Connect Server API is read-only — restore, Terraform export, and compliance checks are not available. Butterfly Security backs up your vault metadata and item structure for disaster recovery documentation.

User Restore Limitations

Users restored via the API have important limitations (applies to all providers):

• Users are created in STAGED/PENDING status and require activation
• Passwords are not restored — users must set new passwords
• MFA factors are not restored — users must re-enroll in MFA
• Directory-sourced users (AD/LDAP/SCIM) cannot be created via API
• Federated users may need IdP configuration restored first

Safe Restore Workflow

1Select Backup

Choose a backup snapshot

→

2Dry Run

Preview all changes

→

3Review

Check the dry run report

→

4Execute

Run the actual restore

→

5Verify

Confirm resources in your environment

Diff & Compare

Compare backup snapshots to see exactly what changed

The diff tool lets you compare any two backup snapshots side by side to understand exactly what changed in your identity environment between two points in time.

What You Can See

Added Resources

New users, groups, apps, or policies created since the previous backup

Modified Resources

Configuration changes with field-level detail showing old vs new values

Removed Resources

Resources that were deleted between backups

Severity Classification

Changes classified as critical, high, medium, low, or info

How to Compare

Navigate to Dashboard → Diff
Select your connection
Choose two backup snapshots to compare
Review the summary of added, modified, and removed resources
Click into any resource to see field-level changes

Use Case: Change Auditing

Run a diff after scheduled backups to detect unexpected configuration changes. This is especially valuable for identifying unauthorized modifications in production environments.

Environment Sync

Sync configuration between environments

Environment sync lets you replicate identity configuration from one environment to another -- for example, promoting changes from dev to staging to production.

Features

Preview mode -- See exactly what would change before applying any modifications
Selective sync -- Choose specific resource types to sync (e.g., only policies and groups)
Multi-environment support -- Sync across dev, staging, and production environments

Preview First

Always use preview mode before applying a sync. This ensures you understand the full scope of changes before modifying a target environment.

Okta Workflows Backup

Backup your Okta Workflows automations and custom connectors (Okta only)

Okta Workflows uses a separate authentication mechanism from the main Okta APIs. To backup your Workflows, you need to provide a service account with Workflows access.

What's Backed Up

Flows

All flow definitions, cards, and configurations

Folders/Groups

Folder structure and organization

Tables

Workflows table schemas and data (CSV export)

Connections

Connector configurations (not credentials)

Connector Builder Projects

Custom connector definitions and flows

Flow Exports

Importable .flopack exports per folder

Connector Builder Support

Butterfly Security fully supports Okta Workflows Connector Builder, backing up your custom connector projects:

Project metadata — Names, descriptions, and settings
Flow definitions — All connector flows (actions, triggers)
Card configurations — Input/output schemas and logic
Authentication configs — OAuth, API key, and custom auth setups (not credentials)

Setup Requirements

To backup Workflows, you need a dedicated service account with specific configuration:

Step 1: Create Service Account User

• Create a dedicated user (e.g., workflows-backup@yourdomain.com)
• Set authentication to Password (not federated/SSO)
• Store credentials securely for Butterfly Security configuration

Step 2: Assign to Okta Workflows App

• Navigate to Applications → Applications
• Find the "Okta Workflows" application
• Click Assign → Assign to People
• Select your service account user and click Save and Go Back

Step 3: Grant Workflows Admin Role

• Navigate to Security → Administrators
• Click Add Administrator
• Select your service account user
• Assign the Workflow Administrator role
• For Connector Builder access, also assign Super Administrator or ensure the role has Connector Builder permissions

Step 4: Configure Sign-On Policy (Bypass MFA)

• Navigate to Applications → Okta Workflows → Sign On
• Click Add Rule or edit the default rule
• Set rule name (e.g., Service Account Bypass)
• Under IF User is: Select User → your service account
• Under THEN Access is: Set to Allowed
• Under AND Authentication is: Set to Password only (no MFA)
• Set priority to 1 (highest) so it evaluates before other rules
• Click Save

Step 5: (Optional) Connector Builder Access

• If backing up custom connectors, the service account needs Connector Builder access
• Navigate to Workflow → Connector Builder
• Ensure the service account can access and view connector projects
• This typically requires Super Administrator or a custom admin role with Connector Builder permissions

Connection Credentials Not Backed Up

Workflow connection credentials (API keys, OAuth tokens for third-party services) are not exported. After a restore, you'll need to re-authenticate all connectors. This applies to both standard connectors and custom Connector Builder projects.

Workflows Restore

Restore your Okta Workflows automations and custom connectors (Okta only)

What Gets Restored

Workflow Folders

Complete folders with all flows via flopack import

Created with "(Restored)" suffix

Flow Definitions

All cards, connections, and configurations

Tables

Table schemas and row data (CSV import)

Connector Builder Projects

Custom connector definitions and flows

Created with "(Restored)" suffix

Restore Modes

Preview (Dry Run)

See exactly what will be restored without making any changes. Shows folder, table, and connector counts.

Recommended: Always preview first

Live Restore

Actually creates the folders, imports flopack data, restores tables, and creates connectors.

Requires typing "RESTORE" to confirm

How Restore Works

Folder Creation

New folders are created with "(Restored)" suffix to avoid conflicts

Flopack Import

The complete folder export (flopack) is imported, recreating all flows and their configurations

Table Data Restore

Table schemas are created by flopack; row data is then imported via CSV

Connector Builder Projects

Custom connector projects are recreated with their flows and auth schemas

Empty Folders with Custom Connectors

Some folders may show as "empty" if they only contain references to custom Connector Builder projects. The flopack import will report an error for these folders, but this is expected — the actual connector content is restored separately as a Connector Builder project.

Post-Restore Requirements

After restoring Workflows, you'll need to:

• Re-authenticate connections — All connector auth (OAuth, API keys) must be reconfigured
• Verify table data — Check that table rows imported correctly
• Test flows before enabling — Flows are restored in disabled state; test thoroughly
• Update any hardcoded references — IDs, URLs, or org-specific values may need updating

Selective Restore

You can choose exactly which items to restore:

Individual folders — Select specific folders to restore
Individual connectors — Choose which Connector Builder projects to restore
Skip table data — Restore schemas only, without row data

Note: Individual flows cannot be restored separately due to the flopack format — entire folders are restored as a unit.

Best Practices

Recommendations for reliable backup and disaster recovery

Recommended Backup Schedule

Org Size	Backup Frequency	Retention	Reasoning
Small (<1K users)	Daily	30 days	Lower change frequency; daily is sufficient
Medium (1K-10K users)	Daily	60 days	Moderate changes; more retention for auditing
Large (10K-50K users)	Every 6 hours	90 days	Frequent changes; shorter RPO needed
Enterprise (50K+)	Every 2-4 hours	90+ days	High change velocity; compliance requirements

Disaster Recovery Tips

Test Restores Regularly

Run dry-run restores monthly to verify backup integrity and practice the recovery process

Document Your Configuration

Keep notes on custom configurations, especially secrets that aren't backed up

Stagger Major Changes

After major configuration changes, run a backup before and after

Monitor Backup Status

Set up alerts for failed backups; don't rely on the last backup being fresh

Security Recommendations

Use OAuth with private key authentication for service access
Grant only the minimum scopes needed for your backup requirements
Rotate your OAuth private key periodically (annually at minimum)
Monitor your provider's audit log for unusual API activity from your backup app

Terraform Export

Generate Terraform HCL from your identity provider backups

Infrastructure as Code

Terraform export generates HCL configuration files from your backups, enabling you to manage your identity provider as code using official Terraform providers.

Supported Providers

Terraform export is available for providers with official Terraform providers. Select a provider below for details.

Select a provider above to see available Terraform resources and configuration.

Prerequisites

Terraform installed on your local machine (v1.0+)
At least one backup completed for your Okta connection
Terraform provider: okta/okta

Supported Resources (Okta)

We generate HCL for the following okta/okta resource types:

Users (okta_user)

Groups (okta_group)

Group Rules (okta_group_rule)

Applications (OIDC, SAML, Bookmark)

App User Assignments (okta_app_user)

App Group Assignments (okta_app_group_assignment)

Policies (Sign-on, Password, MFA)

Policy Rules

Authorization Servers

Auth Server Claims & Scopes

Network Zones (okta_network_zone)

Trusted Origins (okta_trusted_origin)

Step-by-Step Export Guide

Navigate to the Terraform Page

Why: This is where you can generate HCL and export to Git.

From your dashboard, click "Terraform" in the left sidebar navigation. You'll see two tabs: "Generate HCL" and "Export to Git".

Select Your Connection and Backup

Why: The export uses your backup data, not live data.

Choose your Okta connection from the dropdown
Select which backup you want to export (most recent is pre-selected)
The backup timestamp shows when the data was captured

Choose Resource Types

Why: Export only what you need to keep files manageable.

Check the boxes for resource types you want to include
Uncheck resources you manage manually or don't need in Terraform

Generate and Download

Why: The HCL file is ready to use with Terraform.

Click "Generate Terraform" to create the HCL
Preview the generated code in the viewer
Click "Download" to save the main.tf file

Use the Generated Terraform

Why: Initialize and plan before applying any changes.

Place the downloaded file in your Terraform project directory and run:

Terminal

# Initialize the provider
terraform init

# Preview what Terraform will do
terraform plan

# Apply changes (be careful!)
terraform apply

Okta Provider Configuration

The generated HCL includes the provider block. You'll need to set these environment variables:

Environment Variables

# Required - your Okta org URL
export OKTA_ORG_NAME="your-org"
export OKTA_BASE_URL="oktapreview.com"  # or okta.com

# OAuth 2.0 authentication
export OKTA_API_CLIENT_ID="your-client-id"
export OKTA_API_PRIVATE_KEY_ID="your-key-id"
export OKTA_API_PRIVATE_KEY="path/to/private-key.pem"

Sensitive Values Not Exported

For security, we don't export sensitive values. These use Terraform variable placeholders:

Passwords → var.user_password
Client secrets → var.client_secret_[name]
API keys / tokens → var.api_key_[name]

Define these variables in a terraform.tfvars file (don't commit to Git!).

Common Use Cases

Disaster Recovery

Keep Terraform files in Git. If your identity provider is compromised, quickly rebuild from code.

Environment Sync

Export from production, modify provider config, and apply to dev/staging environments.

Audit Trail

Commit HCL to Git after each backup for a complete version history.

Policy as Code

Review policy changes in pull requests before applying to your identity provider.

Git Export

Export backups to GitHub, GitLab, Bitbucket, Azure DevOps, or AWS CodeCommit

Version Control Your Identity Config

Git export commits your backup JSON files to a Git repository, giving you full version history, diffs between backups, and integration with your existing GitOps workflows. Connect your account with one click via OAuth — no tokens to create or manage.

Supported Platforms

GitHub

Public and private repositories via OAuth

GitLab

SaaS (gitlab.com) and self-hosted instances via OAuth

Bitbucket

Bitbucket Cloud and Data Center via OAuth

Azure DevOps

Azure Repos via OAuth

AWS CodeCommit

AWS CodeCommit repositories via OAuth

How It Works

Butterfly Security uses OAuth to connect to your Git provider. You authorize access through your provider's login page — no tokens to create, copy, or manage. Your credentials are encrypted and stored securely on our servers.

1. Connect

Click "Connect" and log in to your Git provider

2. Select

Pick a repository from the auto-populated list

3. Export

Click export — files are committed to your repo

Step-by-Step Guide

Navigate to Export

Why: Found in the main dashboard.

Go to Dashboard → Export and select the "Export to Git" tab.

Connect Your Git Provider

Why: One-click OAuth — no tokens needed.

Select your provider (GitHub, GitLab, Bitbucket, Azure DevOps, or AWS CodeCommit)
Click "Connect {Provider}"
You'll be redirected to your provider's login page to authorize Butterfly Security
After authorizing, you'll be redirected back — your account will show as connected with your username and avatar

Select Repository and Backup

Why: Your repos are fetched automatically.

Select your connection and backup from the dropdowns
Choose a repository from the auto-populated list (only repos you have write access to are shown)
Optionally set a branch and directory path

Export

Why: Files are committed directly via the provider API.

Click "Export to Git"
Wait for the export to complete (usually a few seconds)
You'll see a success message with a direct link to the commit

What Gets Exported

Each export creates a timestamped directory with your backup data:

Repository Structure

identity-backups/
└── 2025-01-15T10-30-00Z/
    ├── users.json
    ├── groups.json
    ├── applications.json
    ├── policies.json
    ├── authorization-servers.json
    ├── network-zones.json
    └── ...

The commit message includes a summary of what was backed up (e.g., "Backup: 150 users, 25 groups, 12 apps").

Security

OAuth credentials are encrypted at rest (AES-256-GCM) and only decrypted server-side during export
Use a private repository — backup files may contain sensitive configuration details
You can disconnect your Git provider at any time from the export page
Butterfly Security requests only the minimum permissions needed to push commits

Compliance Checks

Automated security and compliance scanning

Continuous Compliance

Run compliance checks against your backups to identify security gaps, policy violations, and configuration drift. Checks run against your backup data (not live), so there's no impact on your production environment.

Supported Compliance Frameworks

Each framework has specific checks mapped to its control requirements. Click on a framework to view the official requirements:

SOC 2

Service organization controls for security, availability, and confidentiality

12 checks

HIPAA

Healthcare data protection and privacy requirements

10 checks

PCI DSS

Payment card industry security standards

14 checks

NIST 800-53

Federal information security controls

16 checks

ISO 27001

International information security management

11 checks

CIS Controls

Center for Internet Security critical controls

15 checks

What We Check

Our compliance engine analyzes your configuration for security best practices across identity, automation, and vault platforms:

Authentication & MFA

• MFA required for all users
• Strong authenticator types enforced
• No password-only sign-on policies

Password Policies

• Minimum password length (12+ chars)
• Complexity requirements enabled
• Password history enforcement

Session Security

• Session timeout configured
• Idle timeout reasonable
• Persistent sessions disabled for admins

Automation Security

Workato · Boomi · Zapier

• Recipe/zap configurations reviewed
• Connection credential rotation verified
• Error handling & retry policies set

Admin & Access Control

• Limited super admin accounts
• Admin MFA enforced
• Role-based access configured

Network Security

• Network zones defined
• Admin access IP restricted
• Trusted origins configured

User Lifecycle

• No stale inactive accounts
• Deprovisioning configured
• Group membership reviewed

Vault Security

1Password

• Credential rotation schedules verified
• Watchtower alerts reviewed
• Vault access permissions audited

Running Compliance Checks

Navigate to Compliance

Why: You need at least one completed backup to run checks.

From your dashboard, click "Compliance" in the left sidebar navigation.

Select Your Connection

Why: Checks run against your most recent backup data.

Choose a connection from the dropdown
The page shows when the last backup was taken
If no backups exist, you'll need to run one first

Choose a Compliance Framework

Why: Different frameworks have different check requirements.

Click on a framework tab (SOC 2, HIPAA, PCI DSS, etc.)
You'll see all the checks for that framework
Each check shows what it validates

Run Checks

Why: You can run all checks or pick specific ones.

"Run All Checks" — executes every check for the selected framework
Or click "Run" on individual checks you care about
Results appear in real-time as each check completes

Review Results

Why: Understand what passed, what failed, and what to fix.

Each check shows one of three statuses:

Pass — Configuration meets the requirementFail — Requires immediate attentionWarning — Review recommended

Click on any check to see detailed findings and remediation guidance.

Using Compliance Results

Audit Preparation

Run checks before audits to identify and fix gaps. Export results as evidence of your security posture.

Continuous Monitoring

Run checks after each backup to detect configuration drift and security regressions.

Security Baseline

Use checks to establish a security baseline when onboarding new identity environments.

Remediation Tracking

Track progress over time as you remediate findings and improve your score.

Tip: Run Checks After Each Backup

Schedule compliance checks after your automated backups to catch configuration drift early. This helps maintain continuous compliance rather than scrambling before audits.

Monitoring

Real-time backup status and history

Stay Informed

The monitoring dashboard provides real-time visibility into your backup operations. Watch backups in progress, review history, and quickly identify any issues.

Monitoring Dashboard Overview

The monitoring page gives you a single view of all backup activity across your connections:

Live Status

See backups in progress with real-time updates. The page auto-refreshes every 30 seconds during active backups.

Backup History

Complete history of all backups with timestamps, durations, and status. Filter by connection or date range.

Resource Counts

Summary of what was backed up: users, groups, apps, policies, recipes, connections, vaults, and other resource types with exact counts.

Error Details

When backups fail, see the full error message and stack trace to diagnose issues quickly.

Using the Monitoring Dashboard

Navigate to Monitor

Why: This is where you see all backup activity.

From your dashboard, click "Monitor" in the left sidebar navigation.

View Active Backups

Why: See what's happening right now.

Active backups show at the top with a progress indicator
You can see which resource types are currently being backed up
The page auto-refreshes, but you can click "Refresh" to update immediately

Review Backup History

Why: Understand your backup patterns and catch issues.

See all completed backups sorted by time (newest first)
Each entry shows: status, timestamp, duration, and resource counts
Click on a backup to see detailed breakdown by resource type

Check Scheduled Backups

Why: Know when your next automated backup will run.

See the schedule for each connection (daily, weekly, etc.)
View when the next scheduled backup will run
Schedules are configured on the connection settings page

Backup Status Reference

Each backup shows one of these statuses:

Running

Backup in progress

The backup is actively fetching data from your identity provider. This can take 2-30 minutes depending on org size.

Completed

Backup successful

All data was backed up successfully. Click to see detailed resource counts.

Partial

Backup completed with warnings

Most data was backed up, but some resources failed (often due to permission issues).

Failed

Backup failed

The backup could not complete. Click to see the error details and troubleshoot.

Common Monitoring Scenarios

Backup taking longer than usual?

Large orgs with many users or groups can take 30+ minutes. If a backup runs for over an hour, check your connection's OAuth app permissions.

Missing scheduled backups?

Check that your connection has a schedule enabled. Go to the connection settings and verify the backup frequency is set.

Want to be notified of failures?

Email and Slack notifications are coming soon. For now, check the monitoring dashboard periodically or set up your own monitoring via the API.

Backup Retention

Manage how long backups are stored

Backup retention policies control how long your identity configuration snapshots are stored. Configure retention to meet compliance requirements while managing storage costs.

Retention Options

Time-based

Automatically delete backups older than a specified number of days

Count-based

Keep only the N most recent backups per connection

Compliance hold

Prevent deletion of backups needed for regulatory compliance

Manual cleanup

Review and delete individual backups from the dashboard

Compliance Tip

For SOC 2 and HIPAA compliance, consider retaining backups for at least 90 days. Many organizations keep 1 year of backup history for audit trails.

Troubleshooting

Common issues and their solutions

The troubleshooting steps below are primarily for Okta connections. For other providers (Entra ID, Auth0, Ping Identity, 1Password), refer to the provider-specific setup guide in the Provider Setup section above.

Connection & Authentication Issues

invalid_clientInvalid OAuth Client

Possible Causes

•Client ID is incorrect or doesn't exist
•The OAuth app was deleted or disabled
•Public key doesn't match the private key you're using

Solutions

→Verify the Client ID matches exactly (copy/paste from Okta)
→Check that the OAuth app is active in Okta Admin Console
→Regenerate a new key pair and update both Okta and Butterfly Security

invalid_grantInvalid Grant / Key Mismatch

Possible Causes

•Private key doesn't match the public key in Okta
•Key ID (kid) is specified but doesn't match
•Clock skew between your server and Okta

Solutions

→Regenerate a new key pair in Okta and download the private key again
→If you have multiple keys, specify the correct Key ID (kid)
→Ensure your server's clock is synchronized (NTP)

invalid_scopeNo Scopes Granted

Possible Causes

•No API scopes have been granted to the OAuth app
•The requested scopes don't match what's granted

Solutions

→Go to your OAuth app in Okta → Okta API Scopes tab
→Grant at least the basic read scopes (okta.users.read, okta.groups.read, etc.)
→See the API Scopes section above for the complete list

403 ForbiddenAccess Denied

Possible Causes

•OAuth app doesn't have an admin role assigned
•The admin role doesn't have access to the requested resource
•Resource requires a feature that isn't enabled

Solutions

→Go to your OAuth app → Admin roles tab → Assign Super Admin or Org Admin
→For specific resources, ensure the admin role has the necessary permissions
→Some resources (Realms, Device Assurance) require specific Okta features to be enabled

Connection timed outNetwork/Timeout Issues

Possible Causes

•Network connectivity issues
•Okta org URL is incorrect
•Firewall blocking outbound connections

Solutions

→Verify the Okta org URL is correct and accessible
→Check if you're using the correct domain (oktapreview.com for preview orgs)
→Ensure your firewall allows HTTPS connections to Okta

Backup Issues

Backup taking too longSlow Backup Performance

Possible Causes

•Large number of users or groups
•Rate limit capacity set too low
•Network latency to Okta

Solutions

→Set Application Rate Limits to 100% in your OAuth app settings
→For very large orgs (50K+ users), backups may take 1-2 hours—this is normal
→Consider scheduling backups during off-peak hours

Some resources showing 0 itemsMissing Resource Data

Possible Causes

•Missing OAuth scope for that resource
•Admin role doesn't have access to that resource
•The resource type genuinely has no items

Solutions

→Re-test your connection to see which resources are accessible
→Check the Okta API Scopes granted to your OAuth app
→Verify your admin role has access to that resource type

Rate limit exceededAPI Rate Limiting

Possible Causes

•Backup running simultaneously with other API activity
•Rate limit capacity set too low
•Multiple backup jobs running at once

Solutions

→Wait and retry—rate limits reset every minute
→Increase Application Rate Limits to 100%
→Avoid running multiple backups of the same org simultaneously

Backup failedGeneric Backup Failure

Possible Causes

•OAuth token expired mid-backup
•Okta service interruption
•Network connectivity issues

Solutions

→Check Okta status page (status.okta.com) for any ongoing incidents
→Retry the backup after a few minutes
→If persistent, check the error message for specific details

Restore Issues

User creation failedCannot Create Users

Possible Causes

•User with same login already exists
•Email domain not allowed by org settings
•Missing okta.users.manage scope

Solutions

→Enable 'skip existing' option to skip users that already exist
→Check your org's email domain restrictions
→Grant the okta.users.manage scope to your OAuth app

Group assignment failedCannot Assign Users to Groups

Possible Causes

•Group doesn't exist (wasn't created first)
•User doesn't exist
•Group is a directory-sourced group (AD/LDAP)

Solutions

→Restore groups before restoring group memberships
→Ensure users are created/exist before assigning to groups
→Directory-sourced groups can't have manually assigned members

Policy activation failedCannot Activate Policies

Possible Causes

•Policy has validation errors
•Required authenticators not configured
•Conflicting policy priority

Solutions

→Review policy configuration in Okta Admin Console
→Ensure all referenced authenticators exist
→Manually adjust policy priorities if there are conflicts

App assignment failedCannot Assign Users/Groups to Apps

Possible Causes

•Application doesn't exist
•User/group doesn't exist
•App requires specific profile attributes

Solutions

→Restore applications before restoring assignments
→Ensure users and groups exist before assigning to apps
→Check app's required profile attributes in Okta

Dry run shows different results than actual restoreDry Run vs Execute Mismatch

Possible Causes

•Configuration changed between dry run and execute
•Another admin made changes to the org
•Timing-sensitive resources (like policies)

Solutions

→Run dry run immediately before executing
→Coordinate with other admins during restore operations
→For critical restores, consider a maintenance window

Still Need Help?

If you're experiencing issues not covered here, we're here to help:

Email us at support@butterflysecurity.org
Include error messages, screenshots, and your org URL (without credentials)

Ready to protect your identity infrastructure?

Enterprise-grade backup & disaster recovery. Free to start.

Get Started Free