: Deploy Client Credential Flow for Okta
Focus
Focus

Deploy Client Credential Flow for Okta

Table of Contents

Deploy Client Credential Flow for Okta

By granting a few read-only permissions for your Okta directory in advance, the Client Credential Flow option for Okta in the Cloud Identity Engine allows you to use a service account to log in to your Okta directory in the Cloud Identity Engine. Using a service account is strongly recommended, as this is a more secure method for directory access and does not require the account to be associated with a specific user.
You must obtain a new client ID and secret if you have an existing Okta directory configuration. The client ID and secret for the Okta directory auth code flow (the existing method) are not compatible with the API service integration that the client credential flow method uses.
  1. Download the Okta integration app from the Okta Integration Network.
    1. In the Okta Administrator Portal, select
      Applications
      API Service Integrations
      .
    2. Click
      Add Integration
      .
    3. Select the app integration you want to use based on whether you want to enable app data and click
      Next
      .
      • If you use application data in your security policy, select the
        Palo Alto Networks Cloud Identity Engine (Application-enabled)
        app. For more information on collecting application data, see Step 6 in Configure Okta Directory.
      • If you do not use application data in your security policy, select the
        Palo Alto Networks Cloud Identity Engine
        app.
      To ensure that you select the correct app, either use
      Find
      in your browser (
      Ctrl
      +
      F
      ) to search for the app you want to use or hover over the app to display the full app name.
  2. Install and configure the API service integration.
  3. Install & Authorize
    the API service integration.
    The Okta API service integration automatically configures the following required API scopes:
    • Users and groups
      —Read existing users’ profiles and credentials. Read about groups and their members. Read the signed-in user's profile and credentials.
    • Authorization servers
      —Read about authorization servers.
    • (
      Application-enabled app only
      )
      Apps
      —Read about apps.
    • Logs
      —Read about system log entries.
  4. Click
    Copy to clipboard
    to copy the client secret and store it in a secure location, then click
    Done
    .
    The client secret displays only once, so make sure to copy it and store it securely before clicking
    Done
    .
  5. Copy the
    Okta Domain
    and the
    Client ID
    and store them in a secure location.
    You must edit the domain by removing the
    https://
    before pasting it.
  6. If you have not already done so, activate your Cloud Identity Engine tenant.
  7. Set up
    a
    Cloud Directory
    and select
    Okta
    .
  8. Under
    Select Connection Flow
    , select
    Client Credential Flow
    .
  9. Select
    Collect enterprise applications
    to display application data when you view directory data.
    If you select this option, you must use the
    Palo Alto Networks Cloud Identity Engine (Application-enabled)
    to ensure the correct permissions.
  10. Paste the information you copied from the Okta management console into the fields as indicated in the following table.
    Okta Managment Console Field
    Cloud Identity Engine App Field
    Okta Domain
    Domain
    Client ID
    Client ID
    Client Secret
    Client Secret
  11. Click
    Test Connection
    to verify the Cloud Identity Engine can successfully communicate with your Okta directory.
    You must test the connection to submit the configuration.
  12. (Optional) Customize the name of the directory that displays in the Cloud Identity Engine.
    If you want to use a custom name for this directory in the Cloud Identity Engine, enter the custom name as the
    Directory Name (Optional)
    .
  13. Submit
    your changes and verify your directory information when the
    Directories
    page displays.

Recommended For You