Configure Okta Directory

If you have not already done so, activate the Cloud Identity Engine and obtain the Sign-in redirect URI for Okta.
After activating the Cloud Identity Engine, log in to the hub and select the Cloud Identity Engine app.
Copy the URL for your Cloud Identity Engine tenant and edit it to obtain the Sign-in redirect URI that Okta requires. To edit the URL, replace the text after the domain with
/authorize
. For example, if your Cloud Identity Engine tenant URL is
https://directory-sync.us.paloaltonetworks.com/directory?instance=<InstanceId>
, your Redirect URL is
https://directory-sync.us.paloaltonetworks.com/authorize
.
Using the Okta Administrator Dashboard, prepare to add your Okta Directory in the Cloud Identity Engine.
To set up an Okta Directory in the Cloud Identity Engine, you must create a user then assign
Admin Roles
to that user to grant privileges for the Okta Directory in the Okta Administrator Dashboard (
Admin
Security
Administrators
Add Administrator
Grant Administrator Role
). This is the account you’ll assign to the app in step 2.7.

Create an app integration for the Cloud Identity Engine app in Okta.

Select

OIDC - OpenID Connect

as the

Sign-in method

.

Select

Web Application

as the

Application type

then click

Next

.



For the

Grant type

, select

Refresh Token

.



Replace any existing

Sign-in redirect URIs

with the edited URL from step 1.2.

Palo Alto Networks recommends separating regions by aligning region-specific tenants with region-specific Okta accounts. However, for testing, if you have Cloud Identity Engine tenants in more than one region, add Sign-in redirect URIs for each region where you have a tenant.

Skip the steps for

Sign-out redirect URIs

and

Base URIs

as these aren't required.

Assign the app to a user or group and

Save

the configuration.

Be sure to assign the app only to the administrator you created in the first step.

Select

General

, then copy your

Client ID

and

Client Secret

.



Copy your Okta domain.



Select

Assignments

, then assign the Cloud Identity Engine app to the administrator who configures the Okta integration in the Cloud Identity Engine.



Select

Okta API Scopes

and grant consent to the following scopes:

okta.authorizationServers.read
(Required only if you have more than one Okta authorization server)
okta.groups.read
okta.logs.read
The Cloud Identity Engine requires this scope to read the following log events only:
user.lifecycle.delete.initiated
group.lifecycle.delete
user.lifecycle.activate
user.lifecycle.deactivate
The Cloud Identity Engine uses a filter to retrieve only these events, it does not receive any other events for this scope.
okta.users.read
okta.users.read.self

If you want the Cloud Identity Engine to collect enterprise application data so that it is included when you View Directory Data, you must grant consent to the

okta.apps.read

scope before you select the option in step 6.


In the Cloud Identity Engine app, select
Directories
Add Directory
.
Set Up
a
Cloud Directory
and select
Okta
.

Select the method you want to use to log in to the Okta directory.
Auth Code Flow
—To make changes to your Okta directory in the Cloud Identity Engine, you must log in to the Okta directory.
(Default)
Client Credential Flow
—By granting the required permissions in advance, you do not need to log in to the Okta directory to make changes to that directory in the Cloud Identity Engine. This option requires additional configuration; for more information, refer to Deploy Client Credential Flow for Okta.

Select whether you want to
Collect enterprise applications
data so that it displays when you View Directory Data.
For beta users of this feature, the Cloud Identity Engine continues collecting enterprise application data for any directories configured in your tenant during the beta and no further configuration is required. If you configure a new directory, you must select whether you want to collect enterprise application data from the new directory and grant consent for the scope in step 2.11.

Specify your Okta Directory information to allow the Cloud Identity Engine to connect to your Okta Directory.

Paste your Okta Directory
Domain
that you copied in step2.9.
Paste your Okta Directory
Client ID
and
Client Secret
that you copied in step 2.8.
The
Client ID
must begin with 0.
(
Auth Code Flow only
)
Sign in with Okta
by entering your Okta Directory credentials.

When the login is successful,
Logged In
displays. Palo Alto Networks recommends using the built-in authorization server. If you have more than one Okta authorization server, repeat the previous steps for each additional Okta Directory you want to add.
Click
Test Connection
to verify your configuration.
When the test is successful,
Success
displays.
(Optional) Customize the name the Cloud Identity Engine displays for your Okta Directory.
By default, the Cloud Identity Engine uses the default domain name.
You can use up to 15 lowercase alphanumeric characters (including hyphens, periods, and underscores) for the directory name in the Cloud Identity Engine. You don't need to change the name of the directory itself, only the name of the directory in the Cloud Identity Engine app.
Submit
the configuration.
You can now use information from your Okta Directory in the Cloud Identity Engine when you configure a user- or group-based Security policy rule or with other Palo Alto Networks applications.
For optimal performance, the Cloud Identity Engine does not support the default Okta group "Everyone" because Okta does not recommend using this group to define policy rules.