Configure Okta Directory

The Cloud Identity Engine can integrate Okta Directory information. When you configure your Okta Directory as part of the Cloud Identity Engine, the Cloud Identity Engine uses Okta Directory to collect user and group attribute information for security policy enforcement and for visibility into the users that access your network.
  1. If you have not already done so, activate the Cloud Identity Engine and obtain the Sign-in redirect URI for Okta.
    1. After activating the Cloud Identity Engine, log in to the hub and select the Cloud Identity Engine app.
    2. Copy the URL for your Cloud Identity Engine instance and edit it to obtain the Sign-in redirect URI that Okta requires. To edit the URL, replace the text after the domain with /authorize. For example, if your Cloud Identity Engine instance URL is https://directory-sync.us.paloaltonetworks.com/directory?instance=<InstanceId>, your Redirect URL is https://directory-sync.us.paloaltonetworks.com/authorize.
  2. Using the Okta Administrator Dashboard, prepare to add your Okta Directory in the Cloud Identity Engine.
    To set up an Okta Directory in the Cloud Identity Engine, you must configure Read Only Administrator privileges for Okta Directory in the Okta Administrator Dashboard (Security > Administrators > Add Administrator > Read Only Administrator > Add Administrator). This is the account you will assign to the app in Step 2.10.
    1. Create an app integration for the Cloud Identity Engine app in Okta.
    2. Select OIDC - OpenID Connect as the Sign-on method.
    3. Select Web Application as the Application type, then click Next.
    4. For the Grant type, select Refresh Token.
    5. Replace any existing Sign-in redirect URIs with the edited URL from Step 1.
       Palo Alto Networks recommends separating regions by aligning region-specific instances with region-specific Okta accounts. However, for testing, if you have Cloud Identity Engine instances in more than one region, add Sign-in redirect URIs for each region where you have an instance.
    6. Skip the steps for Sign-out redirect URIs and Base URIs, as these are not needed.
    7. Select Skip group assignment for now and Save the configuration.
    8. Select General, then copy your Client ID and Client Secret.
    9. Copy your Okta domain.
    10. Select Assignments, then assign the Cloud Identity Engine app to the administrator who configures the Okta integration in the Cloud Identity Engine.
    11. Select Okta API Scopes and grant consent to the following scopes:
       • okta.authorizationServers.read (required only if you have more than one Okta authorization server)
       • okta.groups.read
       • okta.logs.read
       • okta.users.read
       • okta.users.read.self
  3. In the Cloud Identity Engine app, select Directories > Add Directory.
  4. Set Up a Cloud Directory and select Okta.
  5. Specify your Okta Directory information to allow the Cloud Identity Engine to connect to your Okta Directory.
    1. Paste your Okta Directory Domain.
    2. Paste your Okta Directory Client ID and Client Secret.
       The Client Secret is obscured by default; to display the secret, click Unmask.
  6. Log in to Okta by entering your Okta Directory credentials.
    When the login is successful, Logged In displays. Palo Alto Networks recommends using the built-in authorization server. If you have more than one Okta authorization server, repeat the previous steps for each additional Okta Directory you want to add.
  7. Click Test Connection to verify your configuration.
    When the test is successful, Success displays.
  8. (Optional) Customize the name the Cloud Identity Engine displays for your Okta Directory.
    By default, the Cloud Identity Engine uses the default domain name.
  9. Submit the configuration.
    You can now use information from your Okta Directory in the Cloud Identity Engine when you configure a user- or group-based security policy rule or with other Palo Alto Networks applications.
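The following script is an added example, not Palo Alto Networks or Okta code, that checks an Okta app integration against the settings required in Steps 1 and 2 above: it derives the Sign-in redirect URI from an instance URL, and then verifies the sign-on method, application type, Refresh Token grant, redirect URIs and granted API scopes. The dictionary describing the app is a constructed shape for illustration; it is not the Okta API's own representation.

```python
from urllib.parse import urlsplit, urlunsplit

# Okta API scopes listed on this page. okta.authorizationServers.read is
# only needed when the tenant has more than one Okta authorization server.
REQUIRED_SCOPES = {"okta.groups.read", "okta.logs.read",
                   "okta.users.read", "okta.users.read.self"}
MULTI_AUTHZ_SCOPE = "okta.authorizationServers.read"


def redirect_uri_for(instance_url: str) -> str:
    """Keep scheme and host of the instance URL, replace the rest with /authorize."""
    parts = urlsplit(instance_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https instance URL, got {instance_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, "/authorize", "", ""))


def check_okta_app(app: dict, instance_urls: list, auth_server_count: int = 1) -> list:
    """Return findings for an Okta app integration (dict shape is a constructed assumption)."""
    findings = []
    if app.get("sign_on_method") != "OIDC":
        findings.append("Sign-on method must be OIDC - OpenID Connect")
    if app.get("application_type") != "Web Application":
        findings.append("Application type must be Web Application")
    if "refresh_token" not in app.get("grant_types", []):
        findings.append("Grant type Refresh Token is not selected")
    expected = {redirect_uri_for(u) for u in instance_urls}
    configured = set(app.get("sign_in_redirect_uris", []))
    findings += [f"missing Sign-in redirect URI {u}" for u in sorted(expected - configured)]
    # Leftover URIs from earlier configurations should have been replaced (Step 2.5).
    findings += [f"unexpected Sign-in redirect URI {u}" for u in sorted(configured - expected)]
    if len(instance_urls) > 1:
        findings.append("one Okta app serves instances in several regions (testing only)")
    needed = REQUIRED_SCOPES | ({MULTI_AUTHZ_SCOPE} if auth_server_count > 1 else set())
    findings += [f"scope {s} not granted" for s in sorted(needed - set(app.get("granted_scopes", [])))]
    return findings


# Constructed sample mirroring the page's example instance URL.
SAMPLE_INSTANCE = "https://directory-sync.us.paloaltonetworks.com/directory?instance=<InstanceId>"
SAMPLE_APP = {
    "sign_on_method": "OIDC",
    "application_type": "Web Application",
    "grant_types": ["authorization_code", "refresh_token"],
    "sign_in_redirect_uris": ["https://directory-sync.us.paloaltonetworks.com/authorize"],
    "granted_scopes": ["okta.groups.read", "okta.logs.read",
                       "okta.users.read", "okta.users.read.self"],
}

if __name__ == "__main__":
    for finding in check_okta_app(SAMPLE_APP, [SAMPLE_INSTANCE]) or ["no findings"]:
        print(finding)
```

Pass `auth_server_count=2` when the tenant has more than one authorization server so that the okta.authorizationServers.read scope is also required.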
