Add Zero Trust Network Access to the Okta Platform as an authentication factor

In this topic, you will find instructions on how to add Portnox™ Zero Trust Network Access to the Okta Platform as an authentication factor.

Prerequisites:

  • You must first integrate your Portnox Cloud instance with your Okta Workforce Identity repository as an authentication provider. For more information, see the following topic: Integrate with Okta Wokforce Identity.

When Portnox ZTNA is added as an authentication factor to Okta, every time you access a web application using Okta single sign-on (SSO), you are verified by Portnox ZTNA instead of only receiving Okta Verify prompts. This adds all the benefits of ZTNA, such as device compliance checks.

This setup lets you configure the integration once and then use it with any app that supports Okta SSO. You do not need to configure Okta as an identity provider for each app individually. However, this also gives you less control over specific apps, since you cannot apply different configurations in Portnox Cloud (for example, policies).

Note:
This setup does not use Portnox as an identity provider. Instead, it relies only on resource configuration in ZTNA.

Create a new resource configuration in Portnox Cloud

In this section, you will create a new resource configuration in Portnox Cloud, which will let you add Portnox ZTNA as a factor to the Okta Platform.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Zero Trust Resources option.

  3. On the Resources screen, click on the Create resource button.

    1. In the What type of resource is this? section, select the Okta Factor option.
    2. Click on the Next button.

  4. In the Resource details section, enter a Resource name and optionally a Description.

    In this example, we used the name Okta Factor but you can use any name you like.

  5. Keep this browser tab open. You will need it later.

Create an Identity Provider configuration in Okta

In this section, you will create an identity provider configuration in the Okta Platform.

  1. In a new browser tab, access your Okta Platform administration interface at https://your_tenant_name-admin.okta.com/, for example, https://vorlon-admin.okta.com/.

    From now on, we will call this tab the Okta tab.

  2. In the left-hand side menu, select: Security > Identity Providers.

  3. In the right-hand side pane, click on the Add identity provider button.

  4. In the right-hand side pane, in the list of tiles representing identity provider types, click on the OpenID Connect tile, and then click on the Next button.

  5. In the Configure OpenID Connect IdP pane, in the General settings section, in the Name field, enter a name for this integration.

    In this example, we used the name Portnox ZTNA, but you can use any name you like.

  6. In the IdP Usage field, select the Factor only option.

Copy values between the Portnox tab and the Okta tab

In this section, you will keep switching between the Portnox tab and the Okta tab, and copy values required for the integration.

  1. In the Portnox tab, click on the  ⧉  icon next to the Client ID field to copy the value to the clipboard.

  2. In the Okta tab, in the Client details section, click on the empty Client ID field, and paste the value that you copied from Portnox Cloud.

  3. In the Portnox tab, click on the  ⧉  icon next to the Client Secret field to copy the value to the clipboard.

  4. In the Okta tab, click on the empty Client Secret field, and paste the value that you copied from Portnox Cloud.

  5. In the Portnox tab, click on the  ⧉  icon next to the Issuer field to copy the value to the clipboard.

  6. In the Okta tab, in the Endpoints section, click on the empty Issuer field, and paste the value that you copied from Portnox Cloud.

  7. In the Portnox tab, click on the  ⧉  icon next to the Authorization Endpoint field to copy the value to the clipboard.

  8. In the Okta tab, click on the empty Authorization endpoint field, and paste the value that you copied from Portnox Cloud.

  9. In the Portnox tab, click on the  ⧉  icon next to the Token endpoint field to copy the value to the clipboard.

  10. In the Okta tab, click on the empty Token endpoint field, and paste the value that you copied from Portnox Cloud.

  11. In the Portnox tab, click on the  ⧉  icon next to the JWKS endpoint field to copy the value to the clipboard.

  12. In the Okta tab, click on the empty JWKS endpoint field, and paste the value that you copied from Portnox Cloud.

  13. In the Portnox tab, click on the  ⧉  icon next to the UserInfo endpoint field to copy the value to the clipboard.

  14. In the Okta tab, click on the empty Userinfo endpoint field, and paste the value that you copied from Portnox Cloud.

  15. In the Okta tab, click on the Finish button.

  16. In the Okta tab, in the Identity Providers pane, click on row representing the identity provider that you just created.

  17. Click on the Copy button under the Redirect URI field to copy the value to the clipboard.

  18. In the Portnox tab, click on the empty Allowed Callback URI field, and paste the value copied from the Okta Platform.

Finalize the configuration in Portnox Cloud

In this section, you will finalize the configuration in Portnox Cloud.

  1. In the Portnox tab, click on the Next button, and in the Policy enforcement section, in the Device risk assessment section, change the setting to Override with custom policy and then select a risk assessment policy if you want to assess risk with Okta applications using a custom risk assessment policy, and in the Access control section, change the setting to Override with custom policy and then select an access control policy if you want to control access to Okta applications using a custom access control policy.
  2. Scroll all the way down to the end of the page, and then click on the Add resource button.

Add ZTNA as an authenticator in the Okta Platform

In this section, you will add Portnox ZTNA as an Authenticator in the Okta Platform.

  1. In the Okta tab, in the left-hand side menu, select: Security > Authenticators.

  2. In the Authenticators pane, click on the Add authenticator button.

  3. In the right-hand side pane, in the list of tiles representing authenticator types, click on the Add button in the IdP Authenticator tile.

  4. In the Add IdP Authenticator window, in the Settings section, in the Identity Provider (IdP) field, select the identity provider that you added earlier.

  5. If required, change the name and/or add a logo for this identity provider, and then click on the Add button to add the authenticator.

Modify Okta app sign-in policies

In this section, you will modify Okta authentication policies as needed by your organization.

  1. In the Okta tab, in the left-hand side menu, select: Security > Authentication Policies.

  2. In the Authentication policies pane, click on the App sign-in tile.

  3. Review and modify existing policies as needed to include the IdP Authenticator that you added earlier.
    Note:
    After you add a new Authenticator, Portnox ZTNA will be added by default to all policies that require any two factors. However, you may want to modify these policies according to your organization’s needs. For details, see the Okta Platform documentation for App sign-in policies.