Set up Okta as an identity provider

Before you begin

Create an Okta developer account.

To integrate Okta as an IdP in ETP and create an internal application in Okta for authentication:

  1. Import Active Directory (AD) users and groups into Okta.

  2. Create a new application in Okta.

  3. Add Okta as an identity provider.

  4. Download and deploy an identity connector. For more information, see Create and download an identity connector.

  5. Add AD to ETP. As part of this process, make sure you assign the identity connector you created to the directory. For more information, see Add a directory.

  6. Assign the directory that you created in ETP to the Okta IdP. For more information, see Assign AD to the Okta identity provider.

  7. If this is the first Okta IdP that you are creating in ETP, add domains to the ETP network configuration that are specific to Okta. For more information, see Add identity provider domains to an exception list.

Import Active Directory (AD) users and groups into Okta

To import AD users and groups into Okta and assign specific AD user and groups to the application:

  1. Log in to the Okta development portal.

  2. Click Admin to access the main Administration UI.

  3. Import users and groups from the AD. Select Directories > Directory Integrations > Add Active Directory.

  4. Follow the on-screen instructions to install and approve the Okta AD Agent onto a host in your AD domain.

  5. Select the users and groups to sync from AD to Okta. Optionally, select the username format to use during Okta login.

  6. Select the AD user attributes to import to Okta.

  7. Import users. Click Import > Import Now > Full import.

  8. When you import AD users for the first time, you need to create associated Okta accounts. Select all imported users and confirm the assignments.

  9. Activate the new user accounts. Select Directory > People.

  10. Filter the list. Select Pending Activation.

  11. Activate all of the new accounts. Your People list shows the AD users in an active state.

Next steps

Create a new application in Okta.

Create a new application in Okta

Before you begin

Import Active Directory (AD) users and groups into Okta.

To authenticate with Okta, create an internal application in Okta and configure SAML:

  1. In Okta, navigate to the Applications tab and click Applications.

  2. Click Add application > Create new app.

  3. In the dialog, select SAML 2.0 as the sign on method.

  4. Click Create.

  5. In the General Settings, enter an application name and add an optional logo.

  6. In the App visibility section, make sure the options are deselected so the application is visible to end users within their Okta portals.

  7. Click Next.

  8. On the SAML Settings page, enter this URL into the Single sign on URL and Audience URI fields: https://<hostname>/saml/sp/response.

    where <hostname> is that hostname that you plan to use for the IdP in ETP. This hostname is used for the URL of the login portal.

  9. In the Name ID format menu, select EmailAddress.

  10. Click Show Advanced Settings. Apply these settings:

    1. In the Response menu, select Signed.

    2. In the Assertion Signature menu, make sure Signed is selected.

    3. In the Assertion Encryption menu, select Signed.

    4. In the Authentication context class menu, select PasswordProtectedTransport.

  11. Do not enter settings into the ATTRIBUTE STATEMENTS (OPTIONAL) area.

  12. In the GROUP ATTRIBUTE STATEMENTS (OPTIONAL) area, enter this information:

    1. In the Group Name field, enter Group.

    2. Do not specify a group filter. Leave the filter field blank.

  13. Click Next.

  14. Confirm that the app you're creating is internal.

  15. Click Finish. After the Okta application is created, click the Identity Provider metadata link to download the metadata.xml file.

Next steps

  1. Assign imported users or groups to the application your created:

    1. In the Assignment tab of the application you added, click Assign.

    2. Select Assign to People or Assign to Groups.

    3. Enter the people or groups that you want to authenticate with the Okta IdP.

    4. Click Assign.

    5. Verify the attributes, and click Save and Go Back.

    6. Click Done.

  2. Add Okta as an identity provider.

Add Okta as an identity provider

📘

This setup might fail without parameter values that are customized for your organization. Use the Okta Administrator Dashboard to add an application and view the values that are specific for your organization.

To add Okta as an IdP in ETP:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Click the plus sign icon

  3. Configure basic IdP settings:

    1. In the Name and Description fields, enter a name and description of the IdP.

    2. In the Provider Type menu, select Okta.

    3. Click Continue.

  4. Complete the IdP general settings:

    1. Go to the General settings section or click the General tab.

    2. For Identity Intercept, select Use ​Akamai​ domain.

    3. Enter an external hostname that you want to use for the URL of the login portal.

    4. In the ​Akamai​ Cloud Zone, select a cloud zone that is closest to the user base.

  5. In the Session section, use the default settings for the Session Idle Expiry, Limit Session Life, and Max Session Duration fields.

  6. In the authentication configuration area:

    1. Go to the Authentication section or click the Authentication tab.

    2. In the URL, enter the Okta subdomain.

    3. In the Logout URL, copy and paste this URL into this field. To get this information, you need to sign in to the Okta Admin Dashboard to generate this variable.

    4. If Okta requires a signed SAML request, select Sign SAML request to send the signed SAML assertion to Okta.

    5. If Okta sends encrypted SAML responses to ETP, select this Encrypted SAML response checkbox to use certificates to encrypt responses. In the Certificate for IDP to encrypt responses field, use the provided certificate that's required to encrypt responses.

    6. Upload the metadata.xml file that you downloaded from Okta. Click Choose File and then select the file.

  7. In the Advanced Settings, select Enable Authorization.

  8. Click Save.

Next steps

  1. Download and deploy an identity connector. For more information, see Create and download an identity connector.

  2. Add the directory to ETP. As part of this process, make sure you assign the identity connector you created to the directory. For more information, see Add a directory.

  3. Assign AD to the Okta identity provider.

Assign AD to the Okta identity provider

Before you begin

Add AD to ETP. For instructions, see Add a directory.

To review the process of setting up Okta as an IdP, see Set up Okta as an identity provider.

To assign AD to your Okta IdP:

  1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Identity Providers.

  2. Click the name of the Okta IdP.

  3. Click the Directories tab.

  4. Click the link icon and select the AD that you added.

  5. Click Associate.

Next steps

  1. Deploy the IdP:

    • In the ETP IdP configuration, you can click the icon next to the Ready for Deployment status. A deployment icon also appears next to a failed deployment status in case you need to deploy the IdP again. This action starts the deployment process.

    • Deploy IdP configuration changes in the list of Pending Changes. For instructions, see Deploy configuration changes.

  2. If this is the first Okta IdP that you are creating, add the Okta IdP domains to an exception list. See Add identity provider domains to an exception list.

  3. Associate the IdP with a policy that's enabled for authentication. For more information, see Require authentication to access a website or web application.


Did this page help you?