Integrate Okta as an Identity Provider

You can use Okta Workforce Identity Cloud through the Juniper Mist dashboard to authenticate end users attempting to access the network. Juniper Mist Access Assurance uses Okta as an identity provider (IdP) to perform the following authentication tasks:

  • For credential-based (EAP-TTLS) authentication, Okta:
    • Performs delegated authentication, that is, checks the username and password by using OAuth.
    • Retrieves user group membership information to support authentication policies based on this user identity.
    • Gets the status—active or suspended—of a user account.
  • For certificate-based (EAP-TLS or EAP-TTLS) authorization, Okta:
    • Retrieves user group membership information to support authentication policies based on this user identity.
    • Gets the status—active or suspended—of a user account.

Prerequisites

  • Create a subscription for Okta and get your tenant ID. During subscription creation, you specify a tenant that is used to create a URL to access the Okta dashboard. You can find your ID at the top-right corner of the Okta dashboard. Note that the tenant ID must not include okta.com.

    Note:

    Your Okta login URL has the following format:

    https://{your-okta-account-id}-admin.okta.com/admin/getting-started.

    Replace {your-okta-account-id} with your Okta account ID.

  • You must have super user permission on the Juniper Mist portal.

OKTA Resource Owner Password Credential App Integration

  1. Log in to the Okta administration console and select Applications > Applications.
  2. Click Create App Integration.
    The Create a new app integration page opens.
  3. Under Sign-in method, select OIDC-OpenID Connect and under Application Type, select Native Application.
  4. On the New Native App Integration page, select:
    • App integration name—Enter a name of your choice.
    • Grant Type—Select Resource Owner Password.
    • Controlled Access—Select Allow everyone in your organization to access. In this example, we are granting everyone access to the application.
  5. Click Save.

    After the new app integration is saved, the application reloads with the General tab selected.

  6. On the General tab, click Edit and select the following options:
    • Client Authentication—Select Client Secret
    • Proof Key for Code Exchange—Select Require PKCE as Additional Verification
  7. Click Save to continue.
    Okta generates the client ID and the client secret after this step.

    Note the client ID and client secret. You'll need this information later.

  8. Go to the Okta API Scopes tab and select the following check boxes to grant read permissions:
    • okta.roles.read
    • okta.users.read
    • okta.users.read.self
Now, go to the Juniper Mist cloud portal and start integrating Okta as an IdP.

Okta Client Credential App Integration

  1. Log in to the Okta administration console and select Applications > Applications.
  2. Click Create App Integration.
    The Create a new app integration page opens.
  3. Under Sign-in method, select API Services.
    The New API Services App Integration page opens.
  4. Enter a name in the App integration name field and then click Save.
  5. Go to the General tab in the new app integration page and click Edit.
  6. Select the client authentication method as Public key / Private key and then click Add Key in the PUBLIC KEYS section.
  7. In the Private Key section, select PEM as the file format, then copy the private key that Okta generates and save it in a safe place.

    You will not be able to retrieve this private key again.

    Click Done.
  8. Click Save to store and activate the key.

    The status of the key is now Active. Copy the Client ID and secret displayed on the screen.

  9. Go to the Okta API Scopes tab and allow the following read permissions:
    • okta.roles.read
    • okta.users.read
    • okta.users.read.self

Configuration on Juniper Mist Dashboard

  1. On the Juniper Mist portal, click Organization and select Identity Providers under Access.
    The Identity Providers page opens displaying a list of configured identity providers (if any).
  2. Click Add IDP to add a new identity provider.
  3. On the New Identity Provider page, enter the following information:
    1. Name—Enter an IdP name.
    2. IDP Type—Select an IdP type as OAuth.
      Table 1: Settings for Identity Provider Type OAuth

      Parameter | Description
      ----------|------------
      OAuth Type | Select Okta.
      OAuth Tenant ID | Enter the OAuth tenant ID. Use the ID you received during Okta application configuration.
      Domain Names | Enter your Okta users' domain name. Example: abc.com
      Default IDP | Set the selected identity provider as the default when the user domain name is not specified.
      OAuth Client Credential (CC) Client Id | Use the client ID you received during Okta application configuration. See Okta Client Credential App Integration.
      OAuth Client Credential (CC) Client Private Key | Enter the private key generated during Okta application configuration. See Okta Client Credential App Integration.
      OAuth Resource Owner Password Credential (ROPC) Client Id | Enter the client ID you received and stored during Okta application configuration. See OKTA Resource Owner Password Credential App Integration.
      OAuth Resource Owner Password Credential (ROPC) Client Secret | Provide the client secret value you received and stored during Okta application configuration. See OKTA Resource Owner Password Credential App Integration.
  4. Click Create to save the changes.

In the Juniper Mist portal, go to Monitoring > Insights > Client Events.

When a user authenticates using EAP-TLS with Okta, you can see the event called NAC IDP Group Lookup Success as shown below:

In the case of EAP-TTLS authentication, you can see the NAC IDP Authentication Success event. This event indicates that Azure AD has validated user credentials. You can also see the NAC IDP Group Lookup Success event, which fetches user group memberships.
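The following is an added example (not Juniper or Okta code) that models the two Okta lookups described at the top of this page, account status and group membership, together with the domain-based IdP selection from Table 1. The IdP list, user records, and group names are constructed to resemble Okta's /api/v1/users and /api/v1/users/{id}/groups responses; the treatment of an unmatched domain as "no IdP" is an assumption, since the page only specifies the default IdP for logins without a domain.

```python
"""Constructed model of Mist Access Assurance's Okta lookups: IdP selection by
user domain, then an admit/deny decision from account status and groups."""
import json

# Okta user status values other than ACTIVE (e.g. SUSPENDED, DEPROVISIONED)
# must never be admitted to the network.
ADMIT_STATUSES = {"ACTIVE"}

# Constructed Mist IdP entries mirroring Table 1 (Domain Names, Default IDP).
IDPS = [
    {"name": "okta-corp", "domains": ["abc.com"], "default": False},
    {"name": "okta-contractors", "domains": ["contractor.example"], "default": True},
]

# Constructed responses shaped like GET /api/v1/users/{id} and
# GET /api/v1/users/{id}/groups; IDs and names are made up.
USER_ALICE = json.loads('{"id": "00u1", "status": "ACTIVE", '
                        '"profile": {"login": "alice@abc.com"}}')
USER_BOB = json.loads('{"id": "00u2", "status": "SUSPENDED", '
                      '"profile": {"login": "bob@abc.com"}}')
GROUPS = json.loads('[{"id": "00g1", "profile": {"name": "Everyone"}}, '
                    '{"id": "00g2", "profile": {"name": "NAC-Employees"}}]')


def select_idp(username, idps=IDPS):
    """Route a login to the IdP whose Domain Names contain the user's realm.
    No realm at all falls back to the Default IDP; an unmatched realm is
    assumed (not stated on the page) to yield no IdP."""
    domain = username.rsplit("@", 1)[1].lower() if "@" in username else None
    if domain is None:
        return next((i["name"] for i in idps if i["default"]), None)
    for idp in idps:
        if domain in (d.lower() for d in idp["domains"]):
            return idp["name"]
    return None


def authorize(user, groups, required_group):
    """Admit only ACTIVE accounts that hold the required group. Returns a
    (decision, reason) tuple so the reason can be logged as a client event."""
    status = user.get("status")
    if status not in ADMIT_STATUSES:
        return ("deny", f"account status {status}")
    names = {g["profile"]["name"] for g in groups}
    if required_group not in names:
        return ("deny", f"not a member of {required_group}")
    return ("allow", f"member of {required_group}")
```

A suspended account is denied before any group check runs, which matches the order in which the page describes the lookups.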