diff --git a/manifests/addons/okta.yml b/manifests/addons/okta.yml
index 1016ada..b8b167a 100644
--- a/manifests/addons/okta.yml
+++ b/manifests/addons/okta.yml
@@ -4,16 +4,25 @@ instance_groups:
     jobs:
       - name: core
         properties:
-          auth:
-          - identifier: okta # or whatever you used when registering
-            name:       Okta
-            backend:    okta
-            properties:
-              client_id:            (( vault meta.vault "/okta:client_id" ))
-              client_secret:        (( vault meta.vault "/okta:client_secret" ))
-              # NOTE: domain + auth_server === issuer
-              okta_domain:          (( vault meta.vault "/okta:domain" ))
-              authorization_server: (( vault meta.vault "/okta:auth_server" ))
-              deployment_uri:       (( vault meta.vault "" )) # SHIELD-DEPLOYMENT-URL
-              mapping:  []    # more on this later
+          core:
+            authentication:
+            - identifier: okta # or whatever you used when registering
+              name:       Okta
+              backend:    okta
+              properties:
+                client_id:            (( vault meta.vault "/okta:client_id" ))
+                client_secret:        (( vault meta.vault "/okta:client_secret" ))
+                # NOTE: domain + auth_server === issuer
+                okta_domain:          (( vault meta.vault "/okta:domain" ))
+                authorization_server: (( vault meta.vault "/okta:auth_server" ))
+                deployment_uri:       (( grab exodus.api_url )) # SHIELD-DEPLOYMENT-URL
+                mapping:  
+                - okta: okta
+                  tenant: Default Tenant
+                  rights:
+                    - { group: Admin, role: admin }
+                    - { group: User , role: engineer }
+                    - { group: Everyone, role: operator }
+                    - { role: operator }
+