Strata Copilot
    Cloud Identity Engine Getting Started
    : Configure Okta as an IdP in the Cloud Identity Engine
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud Identity
    3. Cloud Identity Engine Getting Started
    4. Authenticate Users with the Cloud Identity Engine
    5. Set Up a SAML 2.0 Authentication Type
    6. Configure Okta as an IdP in the Cloud Identity Engine
    Download PDF

    Cloud Identity Engine Getting Started

    Configure Okta as an IdP in the Cloud Identity Engine

    Table of Contents

    Configure Okta as an IdP in the Cloud Identity Engine

    If you want to use Okta to authenticate users with the Cloud Identity Engine, there are two ways to configure Okta authentication with the Cloud Identity Engine:
    1. Select the method you want to use to integrate the Okta authentication in the Cloud Identity Engine and complete the steps in the Okta management console.
    2. Set up the Okta authentication in the Cloud Identity Engine.
      1. If you have not already done so, activate the Cloud Identity Engine app.
      2. In the Cloud Identity Engine app, select AuthenticationAuthentication Type.
    3. Add Okta as an authentication type in the Cloud Identity Engine app.
      1. Set Up a SAML 2.0 authentication type.
      2. Select the Metadata Type.
      3. Copy the Entity ID and store it in a secure location.
      4. Copy the Assertion Consumer Service URL and store it in a secure location.
      5. Click Download SP Certificate and store it in a secure location.
      6. Click Download SP Metadata and store it in a secure location.
    4. Configure the Okta IDP profile.
      1. Enter a unique and descriptive Profile Name.
      2. Select Okta as the Identity Provider Vendor.
    5. Select the method you want to use to Add Metadata.
      • If you want to enter the information manually, copy the client ID and domain, download the SP metadata certificate, then enter the information in the Cloud Identity Engine IdP profile.
        1. In the Okta Admin Console, select ApplicationsAPI Service Integrations and select the Palo Alto Networks Cloud Identity Engine integration.
        2. Copy the necessary information from the Okta Admin Console and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
          Copy or Download from Okta Admin ConsoleEnter in Cloud Identity Engine
          Copy the Client ID.Enter it as the Identity Provider ID.
          N/AClick to Upload the SP metadata certificate you downloaded in step 3.e.
          Copy the Okta Domain.Enter the URL as the Identity Provider SSO URL.
        3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
          • HTTP Redirect—Transmit SAML messages through URL parameters.
          • HTTP Post—Transmit SAML messages using base64-encoded HTML.
      • If you want to upload a metadata file, download the metadata file from your IdP management system.
        1. In the Okta Admin Console, click View Setup Info and copy the IDP metadata and save it to a secure location.
        2. In the Cloud Identity Engine app, click Browse Files to select the metadata file then Open the metadata file.
      • If you want to use a URL to retrieve the metadata, copy the IDP metadata from step 4.2. Paste it in the profile and click Get URL to obtain the metadata.
        #id4126bb2e-0974-45b8-81da-c13f5db29908_li_l5n_bz5_3xb
      • If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.
    6. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    7. To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.
    8. Test SAML setup to verify the profile configuration.
      The Test SAML setup option is not available until the Cloud Identity Engine validates the identity provider profile data.
      This step is necessary to confirm that your firewall and IdP can communicate.
    9. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
      You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.
      1. In the Okta Admin Console, Edit the User Attributes & Claims.
      2. In the Cloud Identity Engine app, select the Username Attribute and optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role.
        If you're using the Cloud Identity Engine for SAML authentication with GlobalProtect Clientless VPN, you must configure the User Domain attribute to the same value as the userdomain field in the Okta Admin Console (ApplicationsApplicationsSAML 2.0General).

    Integrate Okta as a Gallery Application

    Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine as a gallery application. Complete the following steps to add and configure the Okta gallery application in the Cloud Identity Engine. Be sure to complete all the steps here and in the Okta documentation.
    The Cloud Identity Engine supports FedRAMP High for the gallery app only.
    1. Log in to the Okta Admin Console and select ApplicationsApplications.
    2. Click Browse App Catalog.
    3. Search for Palo Alto Networks Cloud Identity Engine and select Show all results.
    4. Select the Single sign-on version of the Cloud Identity Engine app.
    5. Click Add Integration.
    6. Optionally edit the Application label then click Next.
    7. Verify that SAML 2.0 is the sign-on option type.
    8. If you enabled Force Authentication in step 7, uncheck Disable Force Authentication.
    9. Edit and paste the SAML Region.
      The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the backslash in the Entity ID and the paloaltonetworks.com domain. For example, if the Entity ID is https://cloud-auth.us.apps.paloaltonetworks.com/sp, the SAML Region is cloud-auth.us.apps.
    10. Select the Application username format that you want to use to authenticate the user. For example, Email represents the UserPrincipalName (UPN) format.
    11. Click Done.
    12. (Optional) If you want to configure other attributes in addition to the username, refer to the Okta documentation.

    Integrate Okta as a Custom Application

    Palo Alto Networks strongly recommends that you Integrate Okta as a Gallery Application. However, if you want to configure the Okta integration as a custom application, complete the following steps.
    1. Log in to the Okta Admin Console and select ApplicationsApplications.
    2. Click Create App Integration.
    3. Select SAML 2.0 as the sign-on method then click Next.
    4. Enter an App name then click Next.
    5. Copy the SP Metadata information from the Cloud Identity Engine and enter it in the Okta Admin Console as described in the following table:
      Copy from Cloud Identity EngineEnter in Okta Admin Console
      Copy the Assertion Consumer Service URL in step 3.d.Enter the URL as the Single sign on URL.
      Copy the Entity ID in step 3.c.Enter it as the Audience URI (SP Entity ID).
    6. Specify the Name ID format and optionally the Application username.
      You must configure at least one SAML attribute that contains identification information for the user (usually the username attribute) for the attributes to display in the Cloud Identity Engine. To configure administrator access, you must also enter values for the accessdomain attribute and for the adminrole attribute that match the values on the firewall.
    7. Click Finish to save the configuration.
    Next Steps:

    © 2025 Palo Alto Networks, Inc. All rights reserved.