chore: rename org_url into org_domain

Author: danibarranqueroo

docs/user-guide/providers/okta/authentication.mdx

@@ -111,7 +111,7 @@ Prowler sends DPoP (Demonstrating Proof of Possession) proofs on every token req
 Private key material **must** be supplied via environment variables — Prowler does not accept secrets through CLI flags.
 
 ```bash
-export OKTA_ORG_URL="https://YOUR-ORG.okta.com"
+export OKTA_ORG_DOMAIN="YOUR-ORG.okta.com"
 export OKTA_CLIENT_ID="0oa1234567890abcdef"
 
 # Either of the two — content takes precedence over file when both are set.
@@ -131,7 +131,7 @@ Non-secret values are also available as CLI flags for ergonomic overrides:
 
 | Flag | Equivalent env var |
 |---|---|
-| `--okta-org-url` | `OKTA_ORG_URL` |
+| `--okta-org-domain` | `OKTA_ORG_DOMAIN` |
 | `--okta-client-id` | `OKTA_CLIENT_ID` |
 | `--okta-scopes` | `OKTA_SCOPES` |
 
@@ -143,9 +143,9 @@ poetry run python prowler-cli.py okta --check signon_global_session_idle_timeout
 
 ## Troubleshooting
 
-### `OktaInvalidOrgURLError`
+### `OktaInvalidOrgDomainError`
 
-The org URL must be `https://<org>.okta.com` (or `oktapreview.com` / `okta-emea.com` / a custom domain), with no trailing slash and an `https://` scheme.
+The org domain must be `<org>.okta.com` (or `.oktapreview.com` / `.okta-emea.com` / `.okta-gov.com`). Pass the bare hostname only — no `https://` scheme, no path, no trailing slash. Custom (vanity) domains are not currently accepted.
 
 ### `OktaPrivateKeyFileError`
 

docs/user-guide/providers/okta/getting-started-okta.mdx

@@ -59,7 +59,7 @@ In **Admin assignments** for the service app, assign the built-in **Read-Only Ad
 Set the following environment variables. Using env vars is preferred over passing the values on the CLI.
 
 ```bash
-export OKTA_ORG_URL="https://acme.okta.com"
+export OKTA_ORG_DOMAIN="acme.okta.com"
 export OKTA_CLIENT_ID="0oa1234567890abcdef"
 export OKTA_PRIVATE_KEY_FILE="/secure/path/to/prowler-okta.pem"
 # Optional — defaults to "okta.policies.read"
@@ -73,7 +73,7 @@ The private key file may contain either a PEM-encoded RSA key or a JWK JSON docu
 For automated environments where writing the key to disk is not desirable (Prowler App, CI runners, container secrets, etc.), the private key may be passed directly as a string:
 
 ```bash
-export OKTA_ORG_URL="https://acme.okta.com"
+export OKTA_ORG_DOMAIN="acme.okta.com"
 export OKTA_CLIENT_ID="0oa1234567890abcdef"
 export OKTA_PRIVATE_KEY="$(cat /secure/path/to/prowler-okta.pem)"
 ```
@@ -127,7 +127,7 @@ As new services and checks land in the Okta provider, the default scope list gro
 
 ### Common Errors
 
-- **`OktaInvalidOrgURLError`** — the org URL must be `https://<org>.okta.com` (or `oktapreview.com` / `okta-emea.com`) with no trailing slash.
+- **`OktaInvalidOrgDomainError`** — the org domain must be `<org>.okta.com` (or `.oktapreview.com` / `.okta-emea.com` / `.okta-gov.com`). Pass the bare hostname only — no `https://` scheme, no path, no trailing slash.
 - **`OktaPrivateKeyFileError`** — confirm the file is readable and contains a non-empty PEM or JWK body.
 - **`OktaInsufficientPermissionsError`** — the credential probe reached Okta but the service app cannot perform the request. The error string carries `invalid_scope`, `Forbidden`, `not authorized`, or `permission`. Fix by granting the missing `okta.*.read` scope from **Okta API Scopes** and confirming the **Read-Only Administrator** role is assigned to the service app.
 - **`OktaInvalidCredentialsError`** — the credential probe reached Okta but Okta rejected the JWT. Typically the private key on disk does not match the public JWK uploaded to the service app, or the JWT signing parameters are wrong. Regenerate the keypair and re-upload the public JWK.

prowler/config/okta_mutelist_example.yaml

@@ -1,13 +1,16 @@
 ### Account, Check and/or Region can be * to apply for all the cases.
-### Account == <Okta organization URL, e.g. https://acme.okta.com>
+### Account == <Okta organization domain, e.g. acme.okta.com>
+###    Bare domain only — no scheme, no path, no trailing slash.
+### Region is always "*" — Okta has no regional concept.
+### Resources matches against the policy name (e.g. "Default Policy"), not the id.
 ### Resources and tags are lists that can have either Regex or Keywords.
 ### Tags is an optional list that matches on tuples of 'key=value' and are "ANDed" together.
 ### Use an alternation Regex to match one of multiple tags with "ORed" logic.
 ### For each check you can except Accounts, Regions, Resources and/or Tags.
 ###########################  MUTELIST EXAMPLE  ###########################
 Mutelist:
   Accounts:
-    "https://acme.okta.com":
+    "acme.okta.com":
       Checks:
         "signon_global_session_idle_timeout_15min":
           Regions:

prowler/lib/check/check.py

@@ -746,7 +746,9 @@ def execute(
                     global_provider.identity.tenancy_id
                 )
             elif global_provider.type == "okta":
-                is_finding_muted_args["org_url"] = global_provider.identity.org_url
+                is_finding_muted_args["org_domain"] = (
+                    global_provider.identity.org_domain
+                )
             for finding in check_findings:
                 if global_provider.type == "cloudflare":
                     is_finding_muted_args["account_id"] = finding.account_id

prowler/lib/check/models.py

@@ -939,7 +939,7 @@ class CheckReportOkta(Check_Report):
 
     resource_name: str
     resource_id: str
-    org_url: str
+    org_domain: str
     region: str
 
     def __init__(
@@ -948,7 +948,7 @@ def __init__(
         resource: Any,
         resource_name: str = None,
         resource_id: str = None,
-        org_url: str = None,
+        org_domain: str = None,
         region: str = "global",
     ) -> None:
         """Initialize the Okta Check's finding information.
@@ -958,13 +958,13 @@ def __init__(
             resource: Basic information about the resource.
             resource_name: The name of the resource related with the finding.
             resource_id: The id of the resource related with the finding.
-            org_url: The Okta organization URL related with the finding.
+            org_domain: The Okta organization domain related with the finding.
             region: Always "global" — Okta has no regional concept.
         """
         super().__init__(metadata, resource)
         self.resource_name = resource_name or getattr(resource, "name", "")
         self.resource_id = resource_id or getattr(resource, "id", "")
-        self.org_url = org_url or getattr(resource, "org_url", "")
+        self.org_domain = org_domain or getattr(resource, "org_domain", "")
         self.region = region
 
 

prowler/lib/outputs/finding.py

@@ -428,10 +428,10 @@ def generate_output(
             elif provider.type == "okta":
                 output_data["auth_method"] = provider.auth_method
                 output_data["account_uid"] = get_nested_attribute(
-                    provider, "identity.org_url"
+                    provider, "identity.org_domain"
                 )
                 output_data["account_name"] = get_nested_attribute(
-                    provider, "identity.org_url"
+                    provider, "identity.org_domain"
                 )
                 output_data["account_organization_uid"] = get_nested_attribute(
                     provider, "identity.client_id"

prowler/lib/outputs/summary_table.py

@@ -110,7 +110,7 @@ def display_summary_table(
                 audited_entities = provider.identity.username or "Personal Account"
         elif provider.type == "okta":
             entity_type = "Okta Org"
-            audited_entities = provider.identity.org_url
+            audited_entities = provider.identity.org_domain
 
         # Check if there are findings and that they are not all MANUAL
         if findings and not all(finding.status == "MANUAL" for finding in findings):

prowler/providers/common/provider.py

@@ -405,7 +405,7 @@ def init_global_provider(arguments: Namespace) -> None:
                     )
                 elif "okta" in provider_class_name.lower():
                     provider_class(
-                        okta_org_url=getattr(arguments, "okta_org_url", ""),
+                        okta_org_domain=getattr(arguments, "okta_org_domain", ""),
                         okta_client_id=getattr(arguments, "okta_client_id", ""),
                         okta_private_key=getattr(arguments, "okta_private_key", ""),
                         okta_private_key_file=getattr(

prowler/providers/okta/exceptions/exceptions.py

@@ -22,9 +22,9 @@ class OktaBaseException(ProwlerException):
             "message": "Okta credentials are not valid",
             "remediation": "Check the client ID and private key for the Okta service app.",
         },
-        (14004, "OktaInvalidOrgURLError"): {
-            "message": "Okta organization URL is not valid",
-            "remediation": "Provide an org URL in the form https://<org>.okta.com (no trailing slash).",
+        (14004, "OktaInvalidOrgDomainError"): {
+            "message": "Okta organization domain is not valid",
+            "remediation": "Provide an Okta-managed domain such as <org>.okta.com (or .oktapreview.com / .okta-emea.com / .okta-gov.com), with no scheme and no trailing slash.",
         },
         (14005, "OktaPrivateKeyFileError"): {
             "message": "Okta private key file could not be read",
@@ -85,7 +85,7 @@ def __init__(self, file=None, original_exception=None, message=None):
         )
 
 
-class OktaInvalidOrgURLError(OktaCredentialsError):
+class OktaInvalidOrgDomainError(OktaCredentialsError):
     def __init__(self, file=None, original_exception=None, message=None):
         super().__init__(
             14004, file=file, original_exception=original_exception, message=message

prowler/providers/okta/lib/arguments/arguments.py

@@ -12,11 +12,15 @@ def init_parser(self):
     )
     okta_auth_subparser = okta_parser.add_argument_group("Authentication")
     okta_auth_subparser.add_argument(
-        "--okta-org-url",
+        "--okta-org-domain",
         nargs="?",
-        help="Okta organization URL (e.g. https://acme.okta.com)",
+        help=(
+            "Okta organization domain (e.g. acme.okta.com). Must be an "
+            "Okta-managed domain (.okta.com / .oktapreview.com / "
+            ".okta-emea.com / .okta-gov.com), without scheme or path."
+        ),
         default=None,
-        metavar="OKTA_ORG_URL",
+        metavar="OKTA_ORG_DOMAIN",
     )
     okta_auth_subparser.add_argument(
         "--okta-client-id",