Configure Okta as an IdP in the Cloud Identity Engine (Gallery)
Learn about configuring Okta as an IdP in CIE.
Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity
Engine as a gallery application. Complete the following steps to add and configure
the Okta gallery application in the Cloud Identity Engine. Be sure to complete all
the steps here and in the Okta documentation.
The Cloud Identity Engine supports FedRAMP High for the gallery app only.
- Log in to the Okta Admin Console and select Applications > Applications.
- Click Browse App Catalog.
- Search for Palo Alto Networks Cloud Identity Engine and select Show all results.
- Select the Single sign-on version of the Cloud Identity Engine app.
- Click Add Integration.
- Optionally edit the Application label, then click Next.
- Verify that SAML 2.0 is the sign-on option type.
- If you enabled Force Authentication in step 7, uncheck Disable Force Authentication.
- Edit and paste the SAML Region. The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the slashes (//) in the Entity ID and the paloaltonetworks.com domain. For example, if the Entity ID is https://cloud-auth.us.apps.paloaltonetworks.com/sp, the SAML Region is cloud-auth.us.apps.
- Select the Application username format that you want to use to authenticate the user. For example, Email represents the UserPrincipalName (UPN) format.
- Click Done.
- (Optional) If you want to configure other attributes in addition to the username, refer to the Okta documentation.
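
The SAML Region derivation from the step above can be checked before pasting the value into Okta. This is an added example, not Palo Alto Networks or Okta code; the function name `saml_region` and every validation rule beyond the page's own example are assumptions.

```python
from urllib.parse import urlsplit

# Domain suffix taken from the page's example Entity ID.
SP_DOMAIN = "paloaltonetworks.com"


def saml_region(entity_id: str) -> str:
    """Return the SAML Region: the host labels that precede paloaltonetworks.com."""
    parts = urlsplit(entity_id.strip())
    if parts.scheme != "https":
        raise ValueError("Entity ID must be an https:// URL")
    if parts.username or parts.password or parts.port:
        raise ValueError("Entity ID must not carry userinfo or a port")
    host = (parts.hostname or "").rstrip(".")
    suffix = "." + SP_DOMAIN
    # Compare on a label boundary so a lookalike host such as
    # cloud-auth.us.apps.paloaltonetworks.com.example.test is rejected.
    if not host.endswith(suffix):
        raise ValueError(f"host {host!r} is not under {SP_DOMAIN}")
    region = host[: -len(suffix)]
    labels = region.split(".")
    # Each label must be non-empty ASCII letters, digits or hyphens.
    if not region or not region.isascii() or any(
        not label.replace("-", "").isalnum() for label in labels
    ):
        raise ValueError(f"no valid region prefix in host {host!r}")
    return region


if __name__ == "__main__":
    # First value is the page's example; the rest are constructed test inputs.
    samples = [
        "https://cloud-auth.us.apps.paloaltonetworks.com/sp",
        "https://cloud-auth.us.apps.paloaltonetworks.com.example.test/sp",
        "http://cloud-auth.us.apps.paloaltonetworks.com/sp",
        "https://paloaltonetworks.com/sp",
    ]
    for sample in samples:
        try:
            print(f"{sample} -> {saml_region(sample)}")
        except ValueError as err:
            print(f"{sample} -> rejected: {err}")
```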