Configure Okta as an IdP in the Cloud Identity Engine
If you want to use Okta to authenticate users with the Cloud Identity Engine, there are two ways to configure Okta authentication with the Cloud Identity Engine:
- Select the method you want to use to integrate the Okta authentication in the Cloud Identity Engine and complete the steps in the Okta management console.
- Set up the Okta authentication in the Cloud Identity Engine.
- If you have not already done so, activate the Cloud Identity Engine app.
- In the Cloud Identity Engine app, selectandAuthenticationSP MetadataDownload SP MetadataSavethe metadata in a secure location.
- Add Okta as an authentication type in the Cloud Identity Engine app.
- SelectAuthentication Typesand clickAdd New Authentication Type.
- Set UpaSAML 2.0authentication type.
- Enter aProfile Name.
- SelectOktaas yourIdentity Provider Vendor.
- Select the method you want to use toAdd MetadataandSubmitthe IdP profile.
- If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
- In the Okta Admin Console, clickIdentity Provider metadata.
- Copy the necessary information from the Okta Admin Console and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:Copy or Download From Okta Admin ConsoleEnter in Cloud Identity EngineCopy theIdentity Provider Issuer.Enter it as theIdentity Provider ID.DownloadtheX.509 Certificate.Click to Uploadthe certificate from the Okta Admin Console.Copy theIdentity Provider Single Sign-On URL.Enter the URL as theIdentity Provider SSO URL.
- Select theHTTP Binding for SSO Request to IdPmethod you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages (HTTP Redirect, which transmits SAML messages through URL parameters orHTTP Post, which transmits SAML messages using base64-encoded HTML).
- Specify theMaximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
- If you want to upload a metadata file, download the metadata file from your IdP management system.
- In the Okta Admin Console, clickView Setup Infoand copy theIDP metadataand save it to a secure location.
- In the Cloud Identity Engine app,Click to Uploadthe metadata file, thenOpenthe metadata file.
- If you want to use a URL to retrieve the metadata, copy theIDP metadatafrom step 4.2. Paste it in the profile andFetchthe metadata.
- To require users to log in using their credentials to reconnect to GlobalProtect, enableForce Authentication.
- Test SAML setupto verify the profile configuration.This step is required to confirm that your firewall and IdP can communicate.
- Select the SAML attributes you want the firewall to use for authentication andSubmitthe IdP profile.You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.
- In the Okta Admin Console,EdittheUser Attributes & Claims.
- In the Cloud Identity Engine app, select theUsername Attributeand optionally, theUsergroup Attribute,Access Domain,User Domain, andAdmin Role.If you are using the Cloud Identity Engine for SAML authentication with GlobalProtect Clientless VPN, you must configure theUser Domainattribute to the same value as theuserdomainfield in the Okta Admin Console ().ApplicationsApplicationsSAML 2.0General
Integrate Okta as a Gallery Application
Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine as a gallery application. Complete the following steps to add and configure the Okta gallery application in the Cloud Identity Engine. Be sure to complete all the steps here and in the Okta documentation.
- Log in to the Okta Admin Console and select.ApplicationsApplications
- ClickBrowse App Catalog.
- Search for and selectPalo Alto Networks Cloud Identity Engine.
- ClickAdd Integration.
- Optionally edit the application name then clickNext.
- Verify thatSAML 2.0is selected.
- If you enabledForce Authenticationin Step 5, selectApplications, select the app you created, selectSign-On,EdittheSettings, and uncheckDisable Force Authentication.
- Edit and paste theSAML Region.The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the backslash in the Entity ID and thepaloaltonetworks.comdomain. For example, if the Entity ID ishttps://cloud-auth.us.apps.paloaltonetworks.com/sp, the SAML Region iscloud-auth.us.apps.
- Select theApplication username formatthat you want to use to authenticate the user. For example,
- (Optional) If you want to configure other attributes in addition to the username, refer to the Okta documentation.
Integrate Okta as a Custom Application
Palo Alto Networks strongly recommends that you Integrate Okta as a Gallery Application. However, if you want to configure the Okta integration as a custom application, complete the following steps.
- Log in to the Okta Admin Console and select.ApplicationsApplications
- ClickCreate App Integration.
- Verify thatSAML 2.0is selected then clickNext.
- Enter anApp namethen clickNext.
- Copy theSP Metadatainformation from the Cloud Identity Engine and enter it in the Okta Admin Console as described in the following table:Copy From Cloud Identity EngineEnter in Okta Admin ConsoleCopy theEntity IDfrom the SP Metadata page.Enter it as theAudience URI (SP Entity ID).Copy theAssertion Consumer Service URL.Enter the URL as theSingle sign on URL.
- (Required for custom app) Select aValuefor the user attributes (Attribute Statements (optional)) and optionally enter aFilterfor the group attributes (Group Attribute Statements (optional)) to specify the attribute formats.You must configure at least one SAML attribute that contains identification information for the user (usually the username attribute) for the attributes to display in the Cloud Identity Engine. To configure administrator access, you must also enter a value for theaccessdomainattribute and for theadminroleattribute that match the values on the firewall.
- ClickNext, specify whether you are a customer or partner, then clickFinish.
- ClickAdd Ruleto define aSign On Policythat specifies which users and groups must authenticate with the Okta IdP using the Cloud Identity Engine.
- SelectAssignmentsandAssignthe users and groups that you require to authenticate using the Cloud Identity Engine.Save and Go Backto assign more users or groups.Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
- SelectSign OnandView Setup Instructions.
- Select the SAML attributes you want the firewall to use for authentication.
Recommended For You
Recommended videos not found.