Okta (SAML)
  • 12 Nov 2024




      Introduction

      This guide offers insights into configuring Okta with SAML.

      By integrating with Okta, Harmony SASE can authenticate users through the Security Assertion Markup Language (SAML) protocol, ensuring a secure and streamlined login process.

      Supported Features

      The Okta/Harmony SASE SAML integration currently supports the following features:

      • SP-initiated SSO (only supported for the Webclient login)
      • IdP-initiated SSO (only supported for the Webclient and Agent login)
      • JIT (Just In Time) Provisioning

      Steps

      1. Log in to your Okta account.
      2. In the general Okta dashboard, select Applications.
      3. Using the list of shortcuts on the left-hand side of the screen, select Browse App Catalog, search for "Perimeter 81", select our application and click Add Integration.
      4. From the Region list, select your data residency region and click Done.
      5. Once the application has been created, click on the Sign On tab.
      6. Under the SAML 2.0 section, click More details, copy the Sign on URL and save it for later.
      7. Download the SAML Signing Certificate and save it for later.
      8. At the top of the Sign On page, under the Settings section, click Edit. Finally, add your Workspace name under the Workspace tab and select Save.
      Workspace Name
      Your Workspace name is the subdomain of your Harmony SASE sign-in URL. For instance, if your sign-in URL is acme.perimeter81.com, your workspace name is "acme". Note that this value is case-sensitive.
      OPTIONAL: Group Support
      If you would like group memberships that exist in your Okta tenant to sync to Harmony SASE, make sure the Groups attribute uses the following syntax:
      • Groups: "Matches Regex" .* (that is, a dot followed by an asterisk)
      • You also need to create the group on Harmony SASE manually for this to work.

      Configuring the SAML 2.0 Application on Harmony SASE

      1. Log in to your Harmony SASE Management Platform, and navigate to Settings, and then Identity Providers.
      2. Select + Add Provider.
      3. Select Okta.
      4. Fill in the Sign In URL and upload the SAML Signing Certificate you saved earlier.
      5. Add your organization's domain.
      6. Select Done.

      Assigning the App

      1. In Okta, navigate to Applications and select your SAML 2.0 Application.
      2. Click Assignments.
      3. Assign the People or Groups you would like to get synchronized with Harmony SASE.
      4. Fill in any additional information, click Save and Go Back, then click Done.

      SP-initiated SSO

      1. Browse to your Harmony SASE workspace URL.
      2. On the login screen click on Sign in with Okta.
      3. Verify you can successfully connect using your Okta credentials.

      Notes

      The following SAML attributes are supported:

      Name          Value
      given_name    user.firstName
      family_name   user.lastName
      email         user.email
      groups        Configured in the app UI; see the "Group Support" section above
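      The attribute table above and the "Group Support" section describe what Harmony SASE expects in the Okta assertion. The following Python snippet is an added example, not code from the page or from Check Point: it parses a constructed SAML AttributeStatement, reports missing required attributes, derives the case-sensitive workspace name from a sign-in URL, and applies a group filter in the style of Okta's "Matches regex" setting (full-match semantics are an assumption here). The sample assertion and values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by Okta responses.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real Okta response) carrying the four attributes
# listed on the page: given_name, family_name, email, groups.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Attributes JIT provisioning needs for every user (per the table above).
REQUIRED = ("given_name", "family_name", "email")

def workspace_from_url(sign_in_url):
    """The workspace name is the case-sensitive first label of the sign-in host."""
    host = re.sub(r"^https?://", "", sign_in_url).split("/")[0]
    return host.split(".")[0]

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def check_assertion(assertion_xml, group_regex=".*"):
    """Flag missing required attributes and filter groups the way the
    'Matches regex' setting would (assumed full-match; '.*' passes all)."""
    attrs = parse_attributes(assertion_xml)
    missing = [name for name in REQUIRED if not attrs.get(name)]
    pattern = re.compile(group_regex)
    groups = [g for g in attrs.get("groups", []) if pattern.fullmatch(g)]
    email = (attrs.get("email") or [None])[0]
    return {"missing": missing, "groups": groups, "email": email}

if __name__ == "__main__":
    print(workspace_from_url("https://acme.perimeter81.com"))
    print(check_assertion(SAMPLE_ASSERTION))
```

Run it against a decoded assertion captured from your own browser's SAML trace to confirm the attribute names match the table before enabling JIT provisioning.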

      Recommendations

      • To use Okta with SCIM integration (recommended), use the following document.
      • Ensure you have admin access in both Okta and Harmony SASE platforms for a successful integration.
      • Always replace placeholders, such as YOUR_WORKSPACE, with the appropriate values during the setup.
      • Save your Sign In URL and X509 Signing Certificate from Okta for later use in Harmony SASE.
      • Periodically review your Okta configuration settings to ensure they align with any updates or changes made within the Harmony SASE platform.

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Important note regarding group assignments
      Local users who are not defined through Okta will not be automatically added to or removed from any Okta-associated group they are assigned to. You will need to add or remove them manually from any group they need.



      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.



