Deploy Client Credential Flow for Okta

1. Download the Okta integration app from the Okta Integration Network.

   1. In the Okta Administrator Portal, select Applications API Service Integrations.

   2. Click Add Integration.

   3. Search for Palo Alto Networks Cloud Identity Engine.

   4. Select the app integration you want to use based on whether you want to enable app data and click Next.

      To ensure that you select the correct app, either use Find in your browser (Ctrl+ F) to search for the app you want to use or hover over the app to display the full app name.

      • If you use application data in your security policy, select the Palo Alto Networks Cloud Identity Engine (Application-enabled) app. For more information on collecting application data, see Step 9 in Configure Okta Directory.

      • If you do not use application data in your security policy, select the Palo Alto Networks Cloud Identity Engine app.

2. Install and configure the API service integration.
3. Install & Authorize the API service integration.

   The Okta API service integration automatically configures the following required API scopes:

   • Users and groups—Read existing users’ profiles and credentials. Read about groups and their members. Read the signed-in user's profile and credentials.
   • Authorization servers—Read about authorization servers.
   • (Application-enabled app only)Apps—Read about apps.
   • Logs—Read about system log entries.
4. Click Copy to clipboard to copy the client secret and store it in a secure location, then click Done.

   The client secret displays only once, so make sure to copy it and store it securely before clicking Done.
5. Copy the Okta Domain and the Client ID and store them in a secure location.

   You must edit the domain by removing the https:// before pasting it.

6. If you have not already done so, activate your Cloud Identity Engine tenant.
7. Set up a Cloud Directory and select Okta.
8. Under Select Connection Flow, select Client Credential Flow.

9. Select Collect enterprise applications to display application data when you view directory data.

   If you select this option, you must use the Palo Alto Networks Cloud Identity Engine (Application-enabled) app to ensure the correct permissions. For more information, see step 1.d.

10. (Strata Logging Service only) Select whether you want to Collect authentication logs and forward to Strata Logging Service for retention and further analysis.

11. Paste the information you copied from the Okta management console into the fields as indicated in the following table.

    Okta Managment Console Field	Cloud Identity Engine App Field
    Okta Domain	Domain
    Client ID	Client ID
    Client Secret	Client Secret

12. Click Test Connection to verify the Cloud Identity Engine can successfully communicate with your Okta directory.

    You must test the connection to submit the configuration.
13. (Optional) Customize the name of the directory that displays in the Cloud Identity Engine.

    If you want to use a custom name for this directory in the Cloud Identity Engine, enter the custom name as the Directory Name (Optional).
14. Submit your changes and verify your directory information when the Directories page displays.