Cloud Identity Engine Getting Started
    : Configure Okta as an IdP in the Cloud Identity Engine
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Authenticate Users with the Cloud Identity Engine
    5. Configure a SAML 2.0 Authentication Type
    6. Configure Okta as an IdP in the Cloud Identity Engine
    Download PDF

    Cloud Identity Engine Getting Started

    Configure Okta as an IdP in the Cloud Identity Engine

    Table of Contents

    Configure Okta as an IdP in the Cloud Identity Engine

    If you want to use Okta to authenticate users with the Cloud Identity Engine, there are two ways to configure Okta authentication with the Cloud Identity Engine:
    1. Select the method you want to use to integrate the Okta authentication in the Cloud Identity Engine and complete the steps in the Okta management console.
    2. Set up the Okta authentication in the Cloud Identity Engine.
      1. If you have not already done so, activate the Cloud Identity Engine app.
      2. In the Cloud Identity Engine app, select
        Authentication
        SP Metadata
        Download SP Metadata
         and
        Save
         the metadata in a secure location.
    3. Add Okta as an authentication type in the Cloud Identity Engine app.
      1. Select
        Authentication Types
         and click
        Add New Authentication Type
        .
      2. Set Up
         a
        SAML 2.0
         authentication type.
      3. Enter a
        Profile Name
        .
      4. Select
        Okta
         as your
        Identity Provider Vendor
        .
    4. Select the method you want to use to
      Add Metadata
       and
      Submit
       the IdP profile.
      • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
        1. In the Okta Admin Console, click
          Identity Provider metadata
          .
        2. Copy the necessary information from the Okta Admin Console and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
          Copy or Download From Okta Admin Console
          Enter in Cloud Identity Engine
          Copy the
          Identity Provider Issuer
          .
          Enter it as the
          Identity Provider ID
          .
          Download
           the
          X.509 Certificate
          .
          Click to Upload
           the certificate from the Okta Admin Console.
          Copy the
          Identity Provider Single Sign-On URL
          .
          Enter the URL as the
          Identity Provider SSO URL
          .
        3. Select the
          HTTP Binding for SSO Request to IdP
           method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (
          HTTP Redirect
          , which transmits SAML messages through URL parameters or
          HTTP Post
          , which transmits SAML messages using base64-encoded HTML).
        4. Specify the
          Maximum Clock Skew (seconds)
          , which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
      • If you want to upload a metadata file, download the metadata file from your IdP management system.
        1. In the Okta Admin Console, click
          View Setup Info
           and copy the
          IDP metadata
           and save it to a secure location.
        2. In the Cloud Identity Engine app,
          Click to Upload
           the metadata file, then
          Open
           the metadata file.
      • If you want to use a URL to retrieve the metadata, copy the
        IDP metadata
         from step 4.2. Paste it in the profile and
        Fetch
         the metadata.
    5. To require users to log in using their credentials to reconnect to GlobalProtect, enable
      Force Authentication
      .
    6. Test SAML setup
       to verify the profile configuration.
      This step is required to confirm that your firewall and IdP can communicate.
    7. Select the SAML attributes you want the firewall to use for authentication and
      Submit
       the IdP profile.
      You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.
      1. In the Okta Admin Console,
        Edit
         the
        User Attributes & Claims
        .
      2. In the Cloud Identity Engine app, select the
        Username Attribute
         and optionally, the
        Usergroup Attribute
        ,
        Access Domain
        ,
        User Domain
        , and
        Admin Role
        .
        If you are using the Cloud Identity Engine for SAML authentication with GlobalProtect Clientless VPN, you must configure the
        User Domain
         attribute to the same value as the
        userdomain
         field in the Okta Admin Console (
        Applications
        Applications
        SAML 2.0
        General
        ).

    Integrate Okta as a Gallery Application

    Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine as a gallery application. Complete the following steps to add and configure the Okta gallery application in the Cloud Identity Engine. Be sure to complete all the steps here and in the Okta documentation.
    1. Log in to the Okta Admin Console and select
      Applications
      Applications
      .
    2. Click
      Browse App Catalog
      .
    3. Search for and select
      Palo Alto Networks Cloud Identity Engine
      .
    4. Click
      Add Integration
      .
    5. Optionally edit the application name then click
      Next
      .
    6. Verify that
      SAML 2.0
       is selected.
    7. If you enabled
      Force Authentication
      in Step 5, select
      Applications
      , select the app you created, select
      Sign-On
      ,
      Edit
       the
      Settings
      , and uncheck
      Disable Force Authentication
      .
    8. Edit and paste the
      SAML Region
      .
      The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the backslash in the Entity ID and the
      paloaltonetworks.com
       domain. For example, if the Entity ID is
      https://cloud-auth.us.apps.paloaltonetworks.com/sp
      , the SAML Region is
      cloud-auth.us.apps
      .
    9. Select the
      Application username format
       that you want to use to authenticate the user. For example,
      Email
       represents the UserPrincipalName (UPN) format.
    10. Click
      Done
      .
    11. (Optional) If you want to configure other attributes in addition to the username, refer to the Okta documentation.

    Integrate Okta as a Custom Application

    Palo Alto Networks strongly recommends that you Integrate Okta as a Gallery Application. However, if you want to configure the Okta integration as a custom application, complete the following steps.
    1. Log in to the Okta Admin Console and select
      Applications
      Applications
      .
    2. Click
      Create App Integration
      .
    3. Verify that
      SAML 2.0
       is selected then click
      Next
      .
    4. Enter an
      App name
       then click
      Next
      .
    5. Copy the
      SP Metadata
       information from the Cloud Identity Engine and enter it in the Okta Admin Console as described in the following table:
      Copy From Cloud Identity Engine
      Enter in Okta Admin Console
      Copy the
      Entity ID
       from the SP Metadata page.
      Enter it as the
      Audience URI (SP Entity ID)
      .
      Copy the
      Assertion Consumer Service URL
      .
      Enter the URL as the
      Single sign on URL
      .
    6. (
      Required for custom app
      ) Select a
      Value
       for the user attributes (
      Attribute Statements (optional)
      ) and optionally enter a
      Filter
       for the group attributes (
      Group Attribute Statements (optional)
      ) to specify the attribute formats.
      You must configure at least one SAML attribute that contains identification information for the user (usually the username attribute) for the attributes to display in the Cloud Identity Engine. To configure administrator access, you must also enter a value for the
      accessdomain
       attribute and for the
      adminrole
       attribute that match the values on the firewall.
    7. Click
      Next
      , specify whether you are a customer or partner, then click
      Finish
      .
    8. Click
      Add Rule
       to define a
      Sign On Policy
       that specifies which users and groups must authenticate with the Okta IdP using the Cloud Identity Engine.
    9. Select
      Assignments
       and
      Assign
       the users and groups that you require to authenticate using the Cloud Identity Engine.
      Save and Go Back
       to assign more users or groups.
      Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    10. Select
      Sign On
       and
      View Setup Instructions
      .
    11. Select the SAML attributes you want the firewall to use for authentication.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.