Configure Okta as an IdP in the Cloud Identity Engine

  1. Enable the Cloud Identity Engine app in the Okta Admin Console.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select Authentication > SP Metadata > Download SP Metadata, and Save the metadata in a secure location.
    3. Log in to the Okta Admin Console and select Applications > Applications.
    4. Click Add Application, then Create New App.
    5. Verify that Web is the Platform, select SAML 2.0 as the Sign on method, and Create the app.
    6. Enter an App name, then click Next.
    7. Copy the metadata information from the Cloud Identity Engine and enter it in the Okta Admin Console as described in the following table:
      Copy From Cloud Identity Engine                 | Enter in Okta Admin Console
      Copy the Entity ID from the SP Metadata page.   | Enter it as the Audience URI (SP Entity ID).
      Copy the Assertion Consumer Service URL.        | Enter the URL as the Single sign on URL.
    8. Select a Value for the user attributes (Attribute Statements (optional)) and optionally enter a Filter for the group attributes (Group Attribute Statements (optional)) to specify the attribute formats.
      You must enter a username attribute for the attributes to display in the Cloud Identity Engine. To configure administrator access, you must also enter a value for the accessdomain attribute and for the adminrole attribute that match the values on the firewall.
    9. Click Next, specify whether you are a customer or partner, then click Finish.
    10. Click Add Rule to define a Sign On Policy that specifies which users and groups must authenticate with the Okta IdP using the Cloud Identity Engine.
    11. Select Assignments and Assign the users and groups that you require to authenticate using the Cloud Identity Engine. Click Save and Go Back to assign more users or groups.
      Be sure to assign the account you are using so you can test the configuration when it is complete. You may need to refresh the page after adding accounts to successfully complete the test.
    12. Select Sign On and View Setup Instructions.
  2. Add an IdP Provider profile in the Cloud Identity Engine app.
    1. Select Authentication > Identity Providers.
    2. Click Add IDP Provider.
    3. Enter a Profile Name.
    4. Select Okta as your IdP Vendor.
  3. Select the method you want to use to Add Metadata, then Submit the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. In the Okta Admin Console, click View Setup Info.
      2. Copy the necessary information from the Okta Admin Console and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
        Copy or Download From Okta Admin Console          | Enter in Cloud Identity Engine
        Copy the Identity Provider Issuer.                | Enter it as the Identity Provider ID.
        Download the X.509 Certificate.                   | Click to Upload the certificate from the Okta Admin Console.
        Copy the Identity Provider Single Sign-On URL.    | Enter the URL as the Identity Provider SSO URL.
      3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages: HTTP Redirect, which transmits SAML messages through URL parameters, or HTTP Post, which transmits base64-encoded SAML messages in an HTML form.
      4. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. In the Okta Admin Console, click View Setup Info, copy the IDP metadata, and save it to a secure location.
      2. In the Cloud Identity Engine app, Click to Upload the metadata file, then Open the metadata file.
    The Cloud Identity Engine does not currently support the Get URL method for Okta.
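As an added example (not code from the Cloud Identity Engine, Okta, or Palo Alto Networks), the following Python shows where the values that the two tables above have you copy by hand live in SAML metadata: the SP Entity ID and Assertion Consumer Service URL in the downloaded SP metadata, and the IdP issuer, the SSO URL for each HTTP binding, and the X.509 signing certificate in the Okta IDP metadata. The metadata documents, hostnames, and certificate below are constructed samples.

```python
import xml.etree.ElementTree as ET  # use defusedxml for metadata from an untrusted source

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample standing in for the SP metadata downloaded from the Cloud Identity Engine.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://cie.example.invalid/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://cie.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample standing in for the IDP metadata copied from the Okta Admin Console.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.example.invalid/exkCONSTRUCTED">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICexampleConstructedPlaceholderNotARealCert</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://okta.example.invalid/app/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://okta.example.invalid/app/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Values copied from the SP Metadata page into Okta: Entity ID and ACS URL."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"entity_id": root.get("entityID"),
            "acs_url": acs.get("Location"), "acs_binding": acs.get("Binding")}

def parse_idp_metadata(xml_text):
    """Values entered in the Cloud Identity Engine IdP profile: issuer, SSO URL per binding, signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # Key SSO URLs by the short binding name ("HTTP-Redirect" / "HTTP-POST") chosen in step 3.
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    signing = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert = signing.find(".//ds:X509Certificate", NS)
    return {"issuer": root.get("entityID"), "sso_urls": sso,
            "signing_cert": "".join(cert.text.split())}  # drop line breaks inside the base64 body

if __name__ == "__main__":
    print(parse_sp_metadata(SP_METADATA))
    print(parse_idp_metadata(IDP_METADATA))
```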
  4. Test SAML setup to verify the profile configuration.
    This step is required to confirm that your firewall and IdP can communicate.
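The Maximum Clock Skew setting from step 3 decides whether this test tolerates a clock difference between Okta and the firewall. The following Python is an added example, not Cloud Identity Engine or Okta code: it applies the allowance to a SAML assertion's validity window the way the page describes it (authentication fails once the difference exceeds the configured value), with the bounds stated on the page; all timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

SKEW_MIN, SKEW_MAX, SKEW_DEFAULT = 1, 900, 60  # seconds, as stated on the page

def parse_saml_time(ts):
    """SAML timestamps are UTC in ISO 8601 form, e.g. 2024-05-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def clock_offset_seconds(issue_instant, now):
    """Apparent IdP-minus-firewall clock offset, inferred from the response's IssueInstant."""
    return (parse_saml_time(issue_instant) - now).total_seconds()

def check_validity_window(not_before, not_on_or_after, now, max_skew=SKEW_DEFAULT):
    """Return (accepted, reason) for an assertion's Conditions.

    NotBefore is inclusive and NotOnOrAfter is exclusive (SAML 2.0 Core); each edge is
    widened by max_skew so a clock difference within the allowance does not fail authentication.
    """
    if not SKEW_MIN <= max_skew <= SKEW_MAX:
        raise ValueError(f"max_skew must be in [{SKEW_MIN}, {SKEW_MAX}] seconds")
    skew = timedelta(seconds=max_skew)
    if now < parse_saml_time(not_before) - skew:
        return False, "not yet valid: IdP clock is ahead by more than the allowed skew"
    if now >= parse_saml_time(not_on_or_after) + skew:
        return False, "expired: IdP clock behind, or assertion replayed, beyond the allowed skew"
    return True, "accepted"

if __name__ == "__main__":
    firewall_now = parse_saml_time("2024-05-01T12:00:00Z")
    # Constructed case: the IdP clock runs 90 s ahead, so NotBefore lands in the firewall's future.
    nb, noa = "2024-05-01T12:01:30Z", "2024-05-01T12:06:30Z"
    print(clock_offset_seconds(nb, firewall_now))                     # 90.0
    print(check_validity_window(nb, noa, firewall_now))               # default 60 s: rejected
    print(check_validity_window(nb, noa, firewall_now, max_skew=120))  # 120 s: accepted
```

Raising the skew fixes the symptom only; the durable fix is NTP on the firewall, since a wide window also lengthens the time in which a captured assertion stays replayable.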
  5. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
    1. In the Okta Admin Console, Edit the User Attributes & Claims.
    2. In the Cloud Identity Engine app, select the Username Attribute and, optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role.
      You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.