: Configure Okta as an IdP in the Cloud Identity Engine
Focus
Focus

Configure Okta as an IdP in the Cloud Identity Engine

Table of Contents

Configure Okta as an IdP in the Cloud Identity Engine

If you want to use Okta to authenticate users with the Cloud Identity Engine, there are two ways to configure Okta authentication with the Cloud Identity Engine:
  1. Select the method you want to use to integrate the Okta authentication in the Cloud Identity Engine and complete the steps in the Okta management console.
  2. Set up the Okta authentication in the Cloud Identity Engine.
    1. If you have not already done so, activate the Cloud Identity Engine app.
    2. In the Cloud Identity Engine app, select AuthenticationSP MetadataDownload SP Metadata and Save the metadata in a secure location.
  3. Add Okta as an authentication type in the Cloud Identity Engine app.
    1. Select Authentication Types and click Add New Authentication Type.
    2. Set Up a SAML 2.0 authentication type.
    3. Enter a Profile Name.
    4. Select Okta as your Identity Provider Vendor.
  4. Select the method you want to use to Add Metadata and Submit the IdP profile.
    • If you want to enter the information manually, copy the identity provider ID and SSO URL, download the certificate, then enter the information in the Cloud Identity Engine IdP profile.
      1. In the Okta Admin Console, click Identity Provider metadata.
      2. Copy the necessary information from the Okta Admin Console and enter it in the IdP profile on the Cloud Identity Engine app as indicated in the following table:
        Copy or Download from Okta Admin ConsoleEnter in Cloud Identity Engine
        Copy the Identity Provider Issuer.Enter it as the Identity Provider ID.
        Download the X.509 Certificate.Click to Upload the certificate from the Okta Admin Console.
        Copy the Identity Provider Single Sign-On URL.Enter the URL as the Identity Provider SSO URL.
      3. Select the HTTP Binding for SSO Request to IdP method you want to use for the SAML binding that allows the firewall and IdP to exchange request and response messages:
        • HTTP Redirect—Transmit SAML messages through URL parameters.
        • HTTP Post—Transmit SAML messages using base64-encoded HTML.
    • If you want to upload a metadata file, download the metadata file from your IdP management system.
      1. In the Okta Admin Console, click View Setup Info and copy the IDP metadata and save it to a secure location.
      2. In the Cloud Identity Engine app, click Browse Files to select the metadata file then Open the metadata file.
    • If you want to use a URL to retrieve the metadata, copy the IDP metadata from step 4.2. Paste it in the profile and click Get URL to obtain the metadata.
      #id4126bb2e-0974-45b8-81da-c13f5db29908_li_l5n_bz5_3xb
    • If you don't want to enter the configuration information now, you can Do it later. This option allows you to submit the profile without including configuration information. However, you must edit the profile to include the configuration information to use the authentication type in an authentication profile.
  5. Specify the Maximum Clock Skew (seconds), which is the allowed difference in seconds between the system times of the IdP and the firewall at the moment when the firewall validates IdP messages (default is 60; range is 1–900). If the difference exceeds this value, authentication fails.
  6. To require users to log in using their credentials to reconnect to GlobalProtect, enable Force Authentication.
  7. Test SAML setup to verify the profile configuration.
    This step is necessary to confirm that your firewall and IdP can communicate.
  8. Select the SAML attributes you want the firewall to use for authentication and Submit the IdP profile.
    You must select the username attribute in the Okta Admin Console for the attribute to display in the Cloud Identity Engine.
    1. In the Okta Admin Console, Edit the User Attributes & Claims.
    2. In the Cloud Identity Engine app, select the Username Attribute and optionally, the Usergroup Attribute, Access Domain, User Domain, and Admin Role.
      If you're using the Cloud Identity Engine for SAML authentication with GlobalProtect Clientless VPN, you must configure the User Domain attribute to the same value as the userdomain field in the Okta Admin Console (ApplicationsApplicationsSAML 2.0General).

Integrate Okta as a Gallery Application

Palo Alto Networks strongly recommends that you integrate Okta in the Cloud Identity Engine as a gallery application. Complete the following steps to add and configure the Okta gallery application in the Cloud Identity Engine. Be sure to complete all the steps here and in the Okta documentation.
  1. Log in to the Okta Admin Console and select ApplicationsApplications.
  2. Click Browse App Catalog.
  3. Search for and select Palo Alto Networks Cloud Identity Engine.
  4. Click Add Integration.
  5. Optionally edit the application name then click Next.
  6. Verify that SAML 2.0 is the sign-on option type.
  7. If you enabled Force Authenticationin step 6, select Applications, select the app you created, select Sign-On, Edit the Settings, and uncheck Disable Force Authentication.
  8. Edit and paste the SAML Region.
    The SAML Region is based on the Entity ID in the SP Metadata. To obtain the SAML Region, enter only the text between the backslash in the Entity ID and the paloaltonetworks.com domain. For example, if the Entity ID is https://cloud-auth.us.apps.paloaltonetworks.com/sp, the SAML Region is cloud-auth.us.apps.
  9. Select the Application username format that you want to use to authenticate the user. For example, Email represents the UserPrincipalName (UPN) format.
  10. Click Done.
  11. (Optional) If you want to configure other attributes in addition to the username, refer to the Okta documentation.

Integrate Okta as a Custom Application

Palo Alto Networks strongly recommends that you Integrate Okta as a Gallery Application. However, if you want to configure the Okta integration as a custom application, complete the following steps.
  1. Log in to the Okta Admin Console and select ApplicationsApplications.
  2. Click Create App Integration.
  3. Verify that SAML 2.0 is the sign-on method then click Next.
  4. Enter an App name then click Next.
  5. Copy the SP Metadata information from the Cloud Identity Engine and enter it in the Okta Admin Console as described in the following table:
    Copy from Cloud Identity EngineEnter in Okta Admin Console
    Copy the Entity ID from the SP Metadata page.Enter it as the Audience URI (SP Entity ID).
    Copy the Assertion Consumer Service URL.Enter the URL as the Single sign on URL.
  6. (Required for custom app) Select a Value for the user attributes (Attribute Statements (optional)) and optionally enter a Filter for the group attributes (Group Attribute Statements (optional)) to specify the attribute formats.
    You must configure at least one SAML attribute that contains identification information for the user (usually the username attribute) for the attributes to display in the Cloud Identity Engine. To configure administrator access, you must also enter values for the accessdomain attribute and for the adminrole attribute that match the values on the firewall.
  7. Click Next, specify whether you're a customer or partner, then click Finish.
  8. Click Add Rule to define a Sign On Policy that specifies which users and groups must authenticate with the Okta IdP using the Cloud Identity Engine.
  9. Select Assignments and Assign the users and groups that you require to authenticate using the Cloud Identity Engine. Save and Go Back to assign more users or groups.
    Be sure to assign the account you're using so you can test the configuration when it's complete. You may need to refresh the page after adding accounts to successfully complete the test.
  10. Select Sign On and View Setup Instructions.
  11. Select the SAML attributes you want the firewall to use for authentication.