: Configure Okta Directory
Focus
Focus

Configure Okta Directory

Table of Contents

Configure Okta Directory

The Cloud Identity Engine can integrate Okta Directory information. When you configure your Okta Directory as part of the Cloud Identity Engine, the Cloud Identity Engine uses Okta Directory to collect user and group attribute information for Security policy enforcement and for visibility into the users who access your network.
You must create an OpenID Connect (OIDC) app to configure an Okta directory for the Cloud Identity Engine, even if you’ve configured Okta for SAML. If you try to use the SAML app to configure an Okta directory instead of creating a new OIDC app, the initial sync might be successful, but any subsequent syncs fail because the refresh token from gallery applications does not support this configuration.
You can select one of two methods for the Cloud Identity Engine to use to connect to your Okta Directory:
  • The Auth Code Flow, which requires you to log in to make changes to the directory configuration in the Cloud Identity Engine
  • The Client Credential Flow, which initially requires additional permissions but does not require you to log in to change the directory configuration in the Cloud Identity Engine

Deploy Auth Code Flow for Okta Directory

  1. If you have not already done so, activate the Cloud Identity Engine and obtain the Sign-in redirect URI for Okta.
    1. After activating the Cloud Identity Engine, log in to the hub and select the Cloud Identity Engine app.
    2. Copy the URL for your Cloud Identity Engine tenant and edit it to obtain the Sign-in redirect URI that Okta requires. To edit the URL, replace the text after the domain with
      /authorize
      . For example, if your Cloud Identity Engine tenant URL is
      https://directory-sync.us.paloaltonetworks.com/directory?instance=<InstanceId>
      , your Redirect URL is
      https://directory-sync.us.paloaltonetworks.com/authorize
      .
  2. Using the Okta Administrator Dashboard, prepare to add your Okta Directory in the Cloud Identity Engine.
    To set up an Okta Directory in the Cloud Identity Engine, you must create a user then assign
    Admin Roles
    to that user to grant privileges for the Okta Directory in the Okta Administrator Dashboard (
    Admin
    Security
    Administrators
    Add Administrator
    Grant Administrator Role
    ). This is the account you’ll assign to the app in step 2.g. This is also the same account you'll use to log in for step 5 when using the Auth Code Flow for your Okta Directory.
    1. Create an app integration for the Cloud Identity Engine app in Okta.
    2. Select
      OIDC - OpenID Connect
      as the
      Sign-in method
      .
    3. Select
      Web Application
      as the
      Application type
      then click
      Next
      .
    4. For the
      Grant type
      , select
      Refresh Token
      .
    5. Replace any existing
      Sign-in redirect URIs
      with the edited URL from step 1.b.
      Palo Alto Networks recommends separating regions by aligning region-specific tenants with region-specific Okta accounts. However, for testing, if you have Cloud Identity Engine tenants in more than one region, add Sign-in redirect URIs for each region where you have a tenant.
    6. Skip the steps for
      Sign-out redirect URIs
      and
      Base URIs
      as these aren't required.
    7. Assign the app to a user or group and
      Save
      the configuration.
      Be sure to assign the app only to the administrator you created in the first step.
    8. Select
      General
      , then copy your
      Client ID
      and
      Client Secret
      .
    9. Copy your Okta domain.
    10. Select
      Assignments
      , then assign the Cloud Identity Engine app to the administrator who configures the Okta integration in the Cloud Identity Engine.
    11. Select
      Okta API Scopes
      and grant consent to the following scopes:
      • okta.authorizationServers.read
        (Required only if you have more than one Okta authorization server)
      • okta.groups.read
      • okta.logs.read
        The Cloud Identity Engine requires this scope to read the following log events only:
        • user.lifecycle.delete.initiated
        • group.lifecycle.delete
        • user.lifecycle.activate
        • user.lifecycle.deactivate
        The Cloud Identity Engine uses a filter to retrieve only these events, it does not receive any other events for this scope.
      • okta.users.read
      • okta.users.read.self
      If you want the Cloud Identity Engine to collect enterprise application data so that it is included when you View Directory Data, you must grant consent to the
      okta.apps.read
      scope before you select the option in step 6.
  3. In the Cloud Identity Engine app, select
    Directories
    Add Directory
    .
  4. Set Up
    a
    Cloud Directory
    and select
    Okta
    .
  5. Select the method you want to use to log in to the Okta directory.
    • Auth Code Flow
      —(Default) To make changes to your Okta directory in the Cloud Identity Engine, you must log in to the Okta directory.
    • Client Credential Flow
      —By granting the required permissions in advance, you do not need to log in to the Okta directory to make changes to that directory in the Cloud Identity Engine. This option requires additional configuration; for more information, refer to Deploy Client Credential Flow for Okta.
  6. Select whether you want to
    Collect enterprise applications
    data so that it displays when you View Directory Data.
    For beta users of this feature, the Cloud Identity Engine continues collecting enterprise application data for any directories configured in your tenant during the beta and no further configuration is required. If you configure a new directory, you must select whether you want to collect enterprise application data from the new directory and grant consent for the scope in step 2.k.
  7. Specify your Okta Directory information to allow the Cloud Identity Engine to connect to your Okta Directory.
    1. Paste your Okta Directory
      Domain
      that you copied in step 2.i.
    2. Paste your Okta Directory
      Client ID
      and
      Client Secret
      that you copied in step 2.h.
      The
      Client ID
      must begin with 0.
  8. Click to
    Sign in with Okta
    and enter your Okta Directory credentials.
    When the login is successful,
    Logged In
    displays. Palo Alto Networks recommends using the built-in authorization server. If you have more than one Okta authorization server, repeat the previous steps for each additional Okta Directory you want to add.
  9. Click
    Test Connection
    to verify your configuration.
    When the test is successful,
    Success
    displays.
  10. (Optional) Customize the name the Cloud Identity Engine displays for your Okta Directory.
    By default, the Cloud Identity Engine uses the default domain name.
    You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.
  11. Submit
    the configuration.
    You can now use information from your Okta Directory in the Cloud Identity Engine when you configure a user- or group-based Security policy rule or with other Palo Alto Networks applications.
    For optimal performance, the Cloud Identity Engine does not support the default Okta group "Everyone" because Okta does not recommend using this group to define policy rules.

Recommended For You