The Cloud Identity Engine can integrate Okta Directory information. When you configure your
Okta Directory as part of the Cloud Identity Engine, the Cloud Identity Engine uses Okta
Directory to collect user and group attribute information for Security policy
enforcement and for visibility into the users who access your network.
You must create an OpenID Connect (OIDC) app to configure an Okta directory for the Cloud Identity Engine, even if you have already configured Okta for SAML. If you try to use the SAML app to configure an Okta directory instead of creating a new OIDC app, the initial sync might succeed but later syncs fail, because the refresh token from gallery applications does not support this configuration.
If you have not already done so, activate the Cloud Identity Engine and obtain the Sign-in redirect URI for Okta.
After activating the Cloud Identity Engine, log in to the hub and select the Cloud Identity Engine app.
Copy the URL for your Cloud Identity Engine tenant and edit it to obtain the Sign-in redirect URI that Okta requires. To edit the URL, replace the text after the domain with /authorize. For example, if your Cloud Identity Engine tenant URL is
Palo Alto Networks recommends separating regions by aligning
region-specific tenants with region-specific Okta accounts.
However, for testing, if you have Cloud Identity Engine tenants
in more than one region, add Sign-in redirect URIs for each
region where you have a tenant.
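The redirect-URI edit described above (keep the scheme and domain, replace everything after the domain with /authorize) is easy to get wrong by hand, and OAuth clients such as Okta match the registered redirect URI exactly. The following is an added example, not part of this documentation or of any Palo Alto Networks or Okta code, that derives the Sign-in redirect URI from a tenant URL and produces one URI per regional tenant. The tenant hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

def signin_redirect_uri(tenant_url: str) -> str:
    """Derive the Okta Sign-in redirect URI from a Cloud Identity Engine tenant URL.

    Everything after the domain (path, query string, fragment) is replaced
    with /authorize, as the configuration step describes. The scheme and
    host (including any port) are kept unchanged.
    """
    parts = urlsplit(tenant_url)
    # Refuse relative or non-HTTPS input: a redirect URI registered with a
    # wrong scheme or without a host will simply never match at Okta.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an absolute https URL, got {tenant_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "/authorize", "", ""))


def redirect_uris_for_regions(tenant_urls) -> list:
    """Return one Sign-in redirect URI per regional tenant, de-duplicated
    and in the order given, so each can be added to the Okta app."""
    seen = set()
    uris = []
    for url in tenant_urls:
        uri = signin_redirect_uri(url)
        if uri not in seen:
            seen.add(uri)
            uris.append(uri)
    return uris


if __name__ == "__main__":
    # Constructed sample tenant URLs (placeholders, not real tenants); the
    # copied URL typically carries an application path that must be dropped.
    sample_tenants = [
        "https://tenant-us.cloud-identity.example.com/app/dashboard?view=1",
        "https://tenant-eu.cloud-identity.example.com/app/dashboard",
        "https://tenant-us.cloud-identity.example.com/",  # same region again
    ]
    for uri in redirect_uris_for_regions(sample_tenants):
        print(uri)
```

Each printed URI is what goes into the Sign-in redirect URIs field of the OIDC app; the function raises rather than guessing when the pasted value is not an absolute HTTPS URL.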
Skip the steps for Sign-out redirect URIs and Base URIs, as these aren't required.
Assign the app to a user or group and Save the configuration.
Be sure to assign the app only to the administrator you created in the first step.
(Required only if you have more than one Okta authorization
server)
okta.groups.read
okta.logs.read
The Cloud Identity Engine requires this scope to read only the following log events:
user.lifecycle.delete.initiated
group.lifecycle.delete
user.lifecycle.activate
user.lifecycle.deactivate
The Cloud Identity Engine uses a filter to retrieve only these events; it does not receive any other events for this scope.
okta.users.read
okta.users.read.self
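The scope list above is a least-privilege grant: four read-only scopes, with okta.logs.read narrowed further by a filter to four lifecycle event types. As an added example (not part of this documentation and not Palo Alto Networks or Okta code), the following checks a set of granted scopes against that list and applies the same event-type filter to sample System Log records. The filter expression syntax is assumed to follow Okta's System Log filter form (eventType eq "..."), and the sample events are constructed.

```python
REQUIRED_SCOPES = frozenset({
    "okta.groups.read",
    "okta.logs.read",
    "okta.users.read",
    "okta.users.read.self",
})

# The only System Log event types the Cloud Identity Engine reads
# under okta.logs.read.
ALLOWED_LOG_EVENT_TYPES = (
    "user.lifecycle.delete.initiated",
    "group.lifecycle.delete",
    "user.lifecycle.activate",
    "user.lifecycle.deactivate",
)


def check_granted_scopes(granted) -> dict:
    """Compare the scopes granted to the OIDC app with the required set.

    'missing' scopes will break directory collection; 'excess' scopes are
    reported for review because they exceed what this integration needs
    (the documentation mentions one optional additional scope for
    enterprise application data, which a reviewer can whitelist).
    """
    granted = set(granted)
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "excess": sorted(granted - REQUIRED_SCOPES),
    }


def system_log_filter() -> str:
    """Build a filter expression that matches only the allowed event types.

    Assumption: the expression form 'eventType eq "<type>"' joined with
    'or' is what the Okta System Log filter parameter accepts.
    """
    return " or ".join(f'eventType eq "{t}"' for t in ALLOWED_LOG_EVENT_TYPES)


def select_events(events) -> list:
    """Apply the same restriction client-side to a list of log records,
    dropping every event type outside the allowed four."""
    return [e for e in events if e.get("eventType") in ALLOWED_LOG_EVENT_TYPES]


# Constructed sample log records (not real Okta output).
SAMPLE_EVENTS = [
    {"eventType": "user.lifecycle.activate", "target": "jdoe"},
    {"eventType": "user.session.start", "target": "jdoe"},
    {"eventType": "group.lifecycle.delete", "target": "contractors"},
    {"eventType": "user.account.update_password", "target": "jdoe"},
]

if __name__ == "__main__":
    print(check_granted_scopes(["okta.groups.read", "okta.logs.read",
                                "okta.users.read", "okta.users.manage"]))
    print(system_log_filter())
    for event in select_events(SAMPLE_EVENTS):
        print(event["eventType"], event["target"])
```

Run against the scopes actually granted in the Okta app, the first function makes it obvious when a write scope such as okta.users.manage has crept in or okta.users.read.self was forgotten; the event filter shows that session and password events never reach the integration even though okta.logs.read would technically allow reading them.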
If you want the Cloud Identity Engine to
collect enterprise application data so that it is included when you
View Directory Data, you must grant consent to the
Select the method you want to use to log in to the Okta directory.
Auth Code Flow (Default)—To make changes to your Okta directory in the Cloud Identity Engine, you must log in to the Okta directory.
Client Credential Flow—By granting the required permissions in advance, you do not need to log in to the Okta directory to make changes to that directory in the Cloud Identity Engine. This option requires additional configuration; for more information, refer to Deploy Client Credential Flow for Okta.
For beta users of this feature, the Cloud Identity
Engine continues collecting enterprise application data for any directories
configured in your tenant during the beta and no further configuration is
required. If you configure a new directory, you must select whether you want
to collect enterprise application data from the new directory and grant
consent for the scope in step 2.11.
Specify your Okta Directory information to allow the
Cloud Identity Engine to connect to your Okta Directory.
displays.
Palo Alto Networks recommends using the built-in authorization server. If you
have more than one Okta authorization server, repeat the previous steps for each
additional Okta Directory you want to add.
Click Test Connection to verify your configuration. When the test is successful, Success displays.
(Optional) Customize the name the Cloud Identity Engine displays for your Okta Directory.
By default, the Cloud Identity Engine uses the default domain name. You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.
Submit the configuration.
You can now use information from your Okta Directory in the Cloud Identity Engine when you
configure a user- or group-based Security policy rule or with other Palo Alto
Networks applications.
For optimal performance, the
Cloud Identity Engine does not support the default Okta group "Everyone" because Okta does not
recommend using this group to define policy rules.