Configure Okta as an IdP in the Cloud Identity Engine

If you want to use Okta to authenticate users with the Cloud Identity Engine, there are two ways to configure Okta authentication with the Cloud Identity Engine:

1. Select the method you want to use to integrate Okta authentication in the Cloud Identity Engine (gallery application or custom application, both described below) and complete the steps in the Okta management console.
2. Set up Okta authentication in the Cloud Identity Engine.
   a. If you have not already done so, activate the Cloud Identity Engine app.
   b. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata and Save the metadata in a secure location.
   c. Add Okta as an authentication type in the Cloud Identity Engine app.
      - Select Authentication Types and click Add New Authentication Type.
      - Set Up a SAML 2.0 authentication type.
      - Enter a Profile Name.
      - Select Okta as your Identity Provider Vendor.
      - Select the method you want to use to Add Metadata and Submit the IdP profile.
        If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile. In the Okta Admin Console, click Identity Provider metadata. Copy the necessary information from the Okta Admin Console and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
        Copy or Download From Okta Admin Console        | Enter in Cloud Identity Engine
        Copy the Identity Provider Issuer.              | Enter it as the Identity Provider ID.
        Download the X.509 Certificate.                 | Click to Upload the certificate from the Okta Admin Console.
        Copy the Identity Provider Single Sign-On URL.  | Enter the URL as the Identity Provider SSO URL.

        Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits SAML messages using base64-encoded HTML.

        Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
        If you want to upload a metadata file, download the metadata file from your IdP management system. In the Okta Admin Console, click View Setup Info, copy the IDP metadata, and save it to a secure location. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.

        If you want to use a URL to retrieve the metadata, copy the
   d. To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.
   e. Test SAML setup to verify the profile configuration. This step is required to confirm that your firewall and IdP can communicate.
   f. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
      You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.
      - In the Okta Admin Console, Edit the User Attributes & Claims.
      - In the Cloud Identity Engine app, select the Username Attribute and, optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role.
        If you are using the Cloud Identity Engine for SAML authentication with GlobalProtect Clientless VPN, you must configure the User Domain attribute to the same value as the userdomain field in the Okta Admin Console (Applications > Applications > SAML 2.0 > General).
Integrate Okta as a Gallery Application

Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine as a gallery application. Complete the following steps to add and configure the Okta gallery application in the Cloud Identity Engine. Be sure to complete all the steps here and in the Okta documentation.

The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the backslash in the Entity ID and the
that you want to use to authenticate the user. For example, Email represents the UserPrincipalName (UPN) format.
Click Done.
(Optional) If you want to configure other attributes in addition to the username, refer to the Okta documentation.
Integrate Okta as a Custom Application

Palo Alto Networks strongly recommends that you Integrate Okta as a Gallery Application. However, if you want to configure the Okta integration as a custom application, complete the following steps.

1. Log in to the Okta Admin Console and select Applications > Applications.
2. Click Create App Integration.
3. Verify that SAML 2.0 is selected, then click Next.
4. Enter an App name, then click Next.
5. Copy the SP Metadata information from the Cloud Identity Engine and enter it in the Okta Admin Console as described in the following table:
   Copy From Cloud Identity Engine                  | Enter in Okta Admin Console
   Copy the Entity ID from the SP Metadata page.    | Enter it as the Audience URI (SP Entity ID).
   Copy the Assertion Consumer Service URL.         | Enter the URL as the Single sign on URL.
6. (Required for custom app) Select a Value for the user attributes (Attribute Statements (optional)) and optionally enter a Filter for the group attributes (Group Attribute Statements (optional)) to specify the attribute formats.
   You must configure at least one SAML attribute that contains identification information for the user (usually the username attribute) for the attributes to display in the Cloud Identity Engine. To configure administrator access, you must also enter a value for the accessdomain attribute and for the adminrole attribute that match the values on the firewall.
7. Click Next, specify whether you are a customer or partner, then click Finish.
8. Click Add Rule to define a Sign On Policy that specifies which users and groups must authenticate with the Okta IdP using the Cloud Identity Engine.
9. Select Assignments and Assign the users and groups that you require to authenticate using the Cloud Identity Engine. Save and Go Back to assign more users or groups.
   Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
10. Select Sign On and View Setup Instructions.
11. Select the SAML attributes you want the firewall to use for authentication.
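As an added example (not Palo Alto Networks or Okta code), the following Python reads the two SAML metadata documents exchanged in this procedure and extracts the fields the two tables above ask you to copy between consoles: the Okta IdP metadata values that go into the Cloud Identity Engine IdP profile, and the Cloud Identity Engine SP Metadata values that go into the Okta custom app. The metadata samples, hostnames, issuer and certificate body are constructed placeholders, not values from either product.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the IdP metadata Okta publishes (issuer, URLs and certificate body are placeholders).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://www.okta.com/PLACEHOLDER-ISSUER">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://example.okta.com/app/x/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://example.okta.com/app/x/sso/saml"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed sample of the SP metadata downloaded from the Cloud Identity Engine (placeholder host and paths).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://cie.example.com/sp/PLACEHOLDER">
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0" Location="https://cie.example.com/sp/acs"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""


def to_pem(cert_b64: str) -> str:
    """Wrap the base64 body of <ds:X509Certificate> as a PEM file for the Upload step."""
    base64.b64decode(cert_b64, validate=True)  # reject a mangled copy/paste before it reaches the profile
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def idp_profile_fields(xml_text: str, binding: str = HTTP_POST) -> dict:
    """Okta IdP metadata -> the values entered in the Cloud Identity Engine IdP profile."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if binding not in sso:  # the HTTP Binding you pick must be one the IdP actually advertises
        raise ValueError(f"IdP metadata offers no SingleSignOnService for {binding}")
    signing_key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = signing_key.find(".//ds:X509Certificate", NS).text.strip()
    return {"Identity Provider ID": root.get("entityID"),
            "Identity Provider SSO URL": sso[binding],
            "HTTP Binding for SSO Request to IdP": binding.rsplit(":", 1)[1],
            "Certificate (PEM)": to_pem(cert)}


def okta_app_fields(xml_text: str) -> dict:
    """Cloud Identity Engine SP metadata -> the values entered in the Okta custom app."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"Audience URI (SP Entity ID)": root.get("entityID"), "Single sign on URL": acs.get("Location")}
```

Run against the real metadata files, this checks that the certificate you paste into the profile is intact base64 and that the HTTP Binding you select is one the IdP metadata actually advertises.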