Deploy Client Credential Flow for Okta
By granting a few read-only permissions for
your Okta directory in advance, the Client Credential Flow option
for Okta in the Cloud Identity Engine allows you to use a service account
to log in to your Okta directory in the Cloud Identity Engine. Using
a service account is strongly recommended, as this is a more secure
method for directory access and does not require the account to
be associated with a specific user.
You must obtain a
new client ID and secret if you have an existing Okta directory
configuration. The client ID and secret for the Okta directory auth
code flow (the existing method) are not compatible with the API
service integration that the client credential flow method uses.
- Download the Okta integration app from the Okta Integration Network.
- In the Okta Administrator Portal, select Applications > API Service Integrations.
- Click Add Integration.
- Select the app integration you want to use based on whether you want to enable app data, and click Next.
  - If you use application data in your security policy, select the Palo Alto Networks Cloud Identity Engine (Application-enabled) app. For more information on collecting application data, see Step 9 in Configure Okta Directory.
  - If you do not use application data in your security policy, select the Palo Alto Networks Cloud Identity Engine app.
  To ensure that you select the correct app, either use Find in your browser (Ctrl+F) to search for the app you want to use or hover over the app to display the full app name.
- Install and configure the API service integration.
- Install & Authorize the API service integration. The Okta API service integration automatically configures the following required API scopes:
  - Users and groups: Read existing users' profiles and credentials. Read about groups and their members. Read the signed-in user's profile and credentials.
  - Authorization servers: Read about authorization servers.
  - (Application-enabled app only) Apps: Read about apps.
  - Logs: Read about system log entries.
- Click Copy to clipboard to copy the client secret and store it in a secure location, then click Done. The client secret displays only once, so make sure to copy it and store it securely before clicking Done.
- Copy the Okta Domain and the Client ID and store them in a secure location. You must edit the domain by removing the https:// before pasting it.
- If you have not already done so, activate your Cloud Identity Engine tenant.
- Set up a Cloud Directory and select Okta.
- Under Select Connection Flow, select Client Credential Flow.
- Select Collect enterprise applications to display application data when you view directory data. If you select this option, you must use the Palo Alto Networks Cloud Identity Engine (Application-enabled) app to ensure the correct permissions.
- Paste the information you copied from the Okta management console into the fields as indicated in the following table.

| Okta Management Console Field | Cloud Identity Engine App Field |
| --- | --- |
| Okta Domain | Domain |
| Client ID | Client ID |
| Client Secret | Client Secret |

- Click Test Connection to verify that the Cloud Identity Engine can successfully communicate with your Okta directory. You must test the connection to submit the configuration.
- (Optional) Customize the name of the directory that displays in the Cloud Identity Engine. If you want to use a custom name for this directory in the Cloud Identity Engine, enter the custom name as the Directory Name (Optional).
- Submit your changes and verify your directory information when the Directories page displays.
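As an added example (not part of the original documentation or of the Cloud Identity Engine), a small Python check on the values gathered in this procedure: it normalizes the Okta domain the way the Domain field requires (no https://) and compares the scopes a token response actually grants with the read-only set listed above, flagging anything missing or over-privileged. The okta.* scope names are this example's assumption about how Okta names those permissions.

```python
"""Least-privilege checks for an Okta API service integration used with the
Cloud Identity Engine client credential flow (added example, offline only)."""
from urllib.parse import urlparse

# Assumed Okta scope names for the read-only permissions the procedure lists.
BASE_SCOPES = {
    "okta.users.read",                 # Users and groups: user profiles/credentials
    "okta.groups.read",                # Users and groups: groups and their members
    "okta.authorizationServers.read",  # Authorization servers
    "okta.logs.read",                  # System log entries
}
APP_SCOPE = "okta.apps.read"           # Application-enabled app only


def normalize_okta_domain(value: str) -> str:
    """Return the bare Okta domain (no scheme, path or trailing slash),
    which is the form the Domain field in the Cloud Identity Engine expects."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    host = urlparse(value).hostname  # already lower-cased by urlparse
    if not host:
        raise ValueError(f"not an Okta domain: {value!r}")
    return host


def required_scopes(app_enabled: bool) -> set:
    """Scopes the integration needs; the Apps scope only for the
    Application-enabled app (Collect enterprise applications)."""
    return BASE_SCOPES | ({APP_SCOPE} if app_enabled else set())


def check_scopes(granted: str, app_enabled: bool) -> dict:
    """Compare the space-delimited scope string of a token response with the
    required set. Extra scopes, and any scope that is not *.read, mean the
    service account holds more than the integration needs."""
    have = set(granted.split())
    need = required_scopes(app_enabled)
    return {
        "missing": sorted(need - have),
        "extra": sorted(have - need),
        "write": sorted(s for s in have if not s.endswith(".read")),
        "ok": have == need,
    }
```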