Configure Okta Directory

If you have not already done so, activate the Cloud Identity Engine and obtain the Sign-in redirect URI for Okta.
After activating the Cloud Identity Engine, log in to the hub and select the Cloud Identity Engine app.
Copy the URL for your Cloud Identity Engine tenant and edit it to obtain the Sign-in redirect URI that Okta requires. To edit the URL, replace the text after the domain with
/authorize
. For example, if your Cloud Identity Engine tenant URL is
https://directory-sync.us.paloaltonetworks.com/directory?instance=<InstanceId>
, your Redirect URL is
https://directory-sync.us.paloaltonetworks.com/authorize
.
Using the Okta Administrator Dashboard, prepare to add your Okta Directory in the Cloud Identity Engine.
To set up an Okta Directory in the Cloud Identity Engine, you must create a user then assign
Admin Roles
to that user to grant privileges for the Okta Directory in the Okta Administrator Dashboard (
Admin
Security
Administrators
Add Administrator
Grant Administrator Role
). This is the account you’ll assign to the app in step 2.7.

Create an app integration for the Cloud Identity Engine app in Okta.

Select

OIDC - OpenID Connect

as the

Sign-in method

.

Select

Web Application

as the

Application type

then click

Next

.



For the

Grant type

, select

Refresh Token

.



Replace any existing

Sign-in redirect URIs

with the edited URL from step 1.

Palo Alto Networks recommends separating regions by aligning region-specific tenants with region-specific Okta accounts. However, for testing, if you have Cloud Identity Engine tenants in more than one region, add Sign-in redirect URIs for each region where you have a tenant.

Skip the steps for

Sign-out redirect URIs

and

Base URIs

as these aren't required.

Assign the app to a user or group and

Save

the configuration.

Be sure to assign the app only to the administrator you created in the first step.

Select

General

, then copy your

Client ID

and

Client Secret

.



Copy your Okta domain.



Select

Assignments

, then assign the Cloud Identity Engine app to the administrator who configures the Okta integration in the Cloud Identity Engine.



Select

Okta API Scopes

and grant consent to the following scopes:

okta.authorizationServers.read
(Required only if you have more than one Okta authorization server)
okta.groups.read
okta.logs.read
okta.users.read
okta.users.read.self


In the Cloud Identity Engine app, select
Directories
Add Directory
.
Set Up
a
Cloud Directory
and select
Okta
.

Specify your Okta Directory information to allow the Cloud Identity Engine to connect to your Okta Directory.

Paste your Okta Directory
Domain
.
Paste your Okta Directory
Client ID
and
Client Secret
.
The
Client ID
must begin with 0.
Sign in with Okta
by entering your Okta Directory credentials.

When the login is successful,
Logged In
displays. Palo Alto Networks recommends using the built-in authorization server. If you have more than one Okta authorization server, repeat the previous steps for each additional Okta Directory you want to add.
Click
Test Connection
to verify your configuration.
When the test is successful,
Success
displays.
(Optional) Customize the name the Cloud Identity Engine displays for your Okta Directory.
By default, the Cloud Identity Engine uses the default domain name.
You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.
Submit
the configuration.
You can now use information from your Okta Directory in the Cloud Identity Engine when you configure a user- or group-based Security policy rule or with other Palo Alto Networks applications.
For optimal performance, the Cloud Identity Engine does not support the default Okta group "Everyone" because Okta does not recommend using this group to define policy rules.