Configure Okta as an IdP in the Cloud Identity Engine (Gallery)

Table of Contents

Configure Okta as an IdP in the Cloud Identity Engine (Gallery)

Learn about configruing Okta as an IdP in CIE.

Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine as a gallery application. Complete the following steps to add and configure the Okta gallery application in the Cloud Identity Engine. Be sure to complete all the steps here and in the Okta documentation.

The Cloud Identity Engine supports FedRAMP High for the gallery app only.

Log in to the Okta Admin Console and select ApplicationsApplications.
Click Browse App Catalog.
Search for Palo Alto Networks Cloud Identity Engine and select Show all results.
Select the Single sign-on version of the Cloud Identity Engine app.
Click Add Integration.
Optionally edit the Application label then click Next.
Verify that SAML 2.0 is the sign-on option type.
If you enabled Force Authentication in step 7, uncheck Disable Force Authentication.
Edit and paste the SAML Region.

The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the backslash in the Entity ID and the paloaltonetworks.com domain. For example, if the Entity ID is https://cloud-auth.us.apps.paloaltonetworks.com/sp, the SAML Region is cloud-auth.us.apps.
Select the Application username format that you want to use to authenticate the user. For example, Email represents the UserPrincipalName (UPN) format.
Click Done.
(Optional) If you want to configure other attributes in addition to the username, refer to the Okta documentation.