Configure Okta Directory
The Cloud Identity Engine can integrate Okta Directory information. When you configure your Okta Directory as part of the Cloud Identity Engine, the Cloud Identity Engine uses Okta Directory to collect user and group attribute information for security policy enforcement and for visibility into the users that access your network.
- If you have not already done so, activate the Cloud Identity Engine and obtain the Sign-in redirect URI for Okta.
- After activating the Cloud Identity Engine, log in to the hub and select the Cloud Identity Engine app.
- Copy the URL for your Cloud Identity Engine instance and edit it to obtain the Sign-in redirect URI that Okta requires. To edit the URL, replace the text after the domain with /authorize. For example, if your Cloud Identity Engine instance URL is https://directory-sync.us.paloaltonetworks.com/directory?instance=<InstanceId>, your Redirect URL is https://directory-sync.us.paloaltonetworks.com/authorize.
- Using the Okta Administrator Dashboard, prepare to add your Okta Directory in the Cloud Identity Engine. To set up an Okta Directory in the Cloud Identity Engine, you must configure Read Only Administrator privileges for Okta Directory in the Okta Administrator Dashboard (Security > Administrators > Add Administrator > Read Only Administrator > Add Administrator). This is the account you will assign to the app in the Assignments step below.
- Create an app integration for the Cloud Identity Engine app in Okta.
- Select OIDC - OpenID Connect as the Sign-on method.
- Select Web Application as the Application type, then click Next.
- For the Grant type, select Refresh Token.
- Replace any existing Sign-in redirect URIs with the edited URL from Step 1. Okta matches redirect URIs as exact strings, so the URI must match the edited URL character for character. Palo Alto Networks recommends separating regions by aligning region-specific instances with region-specific Okta accounts. However, for testing, if you have Cloud Identity Engine instances in more than one region, add Sign-in redirect URIs for each region where you have an instance.
- Skip the steps for Sign-out redirect URIs and Base URIs, as these are not needed.
- Select Skip group assignment for now and Save the configuration.
- Select General, then copy your Client ID and Client Secret.
- Copy your Okta domain.
- Select Assignments, then assign the Cloud Identity Engine app to the administrator who configures the Okta integration in the Cloud Identity Engine.
- Select Okta API Scopes and grant consent to the following scopes:
- okta.authorizationServers.read (Required only if you have more than one Okta authorization server)
- In the Cloud Identity Engine app, select Directories > Add Directory.
- Set Up a Cloud Directory and select Okta.
- Specify your Okta Directory information to allow the Cloud Identity Engine to connect to your Okta Directory.
- Paste your Okta Directory Domain.
- Paste your Okta Directory Client ID and Client Secret. The Client Secret is obscured by default; to display the secret, click Unmask.
- Log in to Okta by entering your Okta Directory credentials. When the login is successful, Logged In displays. Palo Alto Networks recommends using the built-in authorization server. If you have more than one Okta authorization server, repeat the previous steps for each additional Okta Directory you want to add.
- Click Test Connection to verify your configuration. When the test is successful, Success displays.
- (Optional) Customize the name the Cloud Identity Engine displays for your Okta Directory. By default, the Cloud Identity Engine uses the default domain name.
- Submit the configuration. You can now use information from your Okta Directory in the Cloud Identity Engine when you configure a user- or group-based security policy rule or with other Palo Alto Networks applications.
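The two places this procedure most often goes wrong are the edited redirect URI (Step 1) and the app integration settings in Okta (Step 2). The following script, added here as an example and not Palo Alto Networks or Okta code, derives the Sign-in redirect URI from one or more instance URLs and checks an Okta OIDC app's client settings against what the steps above call for. The sample app settings are constructed to mirror the settings.oauthClient object that Okta's GET /api/v1/apps/{appId} returns (application_type, grant_types, redirect_uris); the instance ID abc123 is a placeholder, and nothing here contacts Okta or the Cloud Identity Engine.

```python
"""Derive the Cloud Identity Engine Sign-in redirect URI and check an Okta
OIDC app integration against the procedure. Added example, not Palo Alto
Networks or Okta code; all sample data below is constructed."""
from urllib.parse import urlsplit, urlunsplit


def redirect_uri_for(instance_url: str) -> str:
    """Keep the scheme and domain of the instance URL and replace everything
    after the domain with /authorize, as Step 1 describes."""
    parts = urlsplit(instance_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an https Cloud Identity Engine URL, got {instance_url!r}")
    return urlunsplit(("https", parts.netloc, "/authorize", "", ""))


def check_app_integration(oauth_client: dict, instance_urls: list[str]) -> list[str]:
    """Compare an Okta app's OAuth client settings (shape of settings.oauthClient
    from GET /api/v1/apps/{appId}) with this procedure. Returns one finding per
    mismatch; an empty list means the app matches. Pass one instance URL per
    region; each yields one expected Sign-in redirect URI."""
    findings = []
    expected = {redirect_uri_for(u) for u in instance_urls}

    if oauth_client.get("application_type") != "web":
        findings.append("Application type must be Web Application (application_type 'web')")

    if "refresh_token" not in oauth_client.get("grant_types", []):
        findings.append("Grant type Refresh Token is not enabled (grant_types lacks 'refresh_token')")

    configured = set(oauth_client.get("redirect_uris", []))
    # Redirect URIs are compared as exact strings, so an unedited instance
    # URL, a stray query string or a trailing slash is a mismatch.
    for uri in sorted(expected - configured):
        findings.append(f"missing Sign-in redirect URI {uri}")
    for uri in sorted(configured - expected):
        findings.append(f"unexpected Sign-in redirect URI {uri} (replace existing URIs with the edited URL)")
    return findings


# Constructed sample: the app as it looks after following Step 2 correctly.
GOOD_APP = {
    "application_type": "web",
    "grant_types": ["authorization_code", "refresh_token"],
    "redirect_uris": ["https://directory-sync.us.paloaltonetworks.com/authorize"],
}

# Constructed sample: the instance URL was pasted in unedited and the
# Refresh Token grant was left off.
BAD_APP = {
    "application_type": "web",
    "grant_types": ["authorization_code"],
    "redirect_uris": ["https://directory-sync.us.paloaltonetworks.com/directory?instance=abc123"],
}

# Constructed instance URL with a placeholder instance ID.
INSTANCE_URLS = ["https://directory-sync.us.paloaltonetworks.com/directory?instance=abc123"]

if __name__ == "__main__":
    for name, app in (("good", GOOD_APP), ("bad", BAD_APP)):
        findings = check_app_integration(app, INSTANCE_URLS)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

For a multi-region test setup, pass every region's instance URL in instance_urls; the check then expects exactly one /authorize URI per region and flags anything else left in the app, which is what the "replace any existing Sign-in redirect URIs" step requires.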