Configure Okta for SAML

Cisco Secure Access uses the Security Assertion Markup Language (SAML) to authenticate and authorize web requests from user devices on networks and network tunnels with Web security enabled, and requests to private resources from user devices with Zero Trust Network Access (ZTNA) enabled.

To support SAML authentication and authorization, you must configure the integration of a SAML identity provider (IdP) in Secure Access. Configure Okta for SAML authentication with the Secure Access service provider metadata, and then add your Okta SAML metadata to Secure Access.

For information about provisioning users from Okta to Secure Access, see Provision Users and Groups from Okta.

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • Send id.sse.cisco.com requests to the Secure Access secure web gateway (SWG), not directly to the internet. For more information about domains and the SWG, see Manage Domains.
  • Ensure that traffic to your IdP URL is bypassed on the SWG to avoid an authentication loop. For more information, see Manage Domains.
  • Configure SAML with an identity provider (IdP) that supports SAML 2.0 POST profiles.
  • Enable SAML in the Secure Access web profile. For more information, see Manage Web Profiles.
  • The IdP SAML metadata must have a signing key.
  • Enable cookies on the browsers on user devices. For more information, see your browser's documentation.
  • Enable HTTPS Inspection in the Secure Access Web profile. Secure Access must inspect the Cookie HTTP header to read the SAML cookie. The SAML cookie acts as the authentication token or surrogate. For more information, see Manage Web Profiles.
  • You must install the Cisco Secure Access root certificate on all client machines that connect on networks or network tunnels where SAML is enabled. For more information, see Manage Certificates.

Procedure

Step 1 – Choose an Authentication Method

  1. Navigate to Connect > Users and Groups and click Configuration Management.
  2. Navigate to SSO authentication and click Configure.
  3. For Authentication Method, choose Security Assertion Markup Language (SAML), and then click Next.

Step 2 – Add an Identity Provider

  1. For Identity Provider, choose Okta. Secure Access supports various IdPs.
  2. (Optional) Enable an organization-specific entity ID.
    • Organization-specific Entity ID—Choose this option when you have multiple Secure Access Orgs and need to configure SAML authentication for Secure Access Internet Security and Zero Trust Network Access (ZTNA) for these Orgs against the same IdP. The Secure Access SAML default common EntityID is saml.fg.id.sse.cisco.com. Secure Access allows you to override the default Secure Access SAML EntityID on a per-Org basis.
  3. For Entity ID URL, click Copy URL to make a local copy of the Secure Access Entity ID URL. The Secure Access SAML default common EntityID is saml.fg.id.sse.cisco.com.
  4. Choose the interval after which a user must authenticate with Secure Access again, or select Never.
    The time intervals are:
    • Daily
    • Weekly
    • Monthly
  5. Click Next.

Step 3 – Configure the Identity Provider's SAML Metadata

Download the Cisco_SSE_SP_Metadata XML file from Secure Access and use the service provider metadata to configure your instance of Okta.

The Secure Access service provider metadata includes the service provider Issuer ID, the assertion consumer endpoint URL, and the SAML request signing certificate from Secure Access. The Secure Access metadata is required when configuring your IdP.

Your IdP must send the Cisco Secure Access User principal name in the NameID attribute in the SAML assertion.

Note: Okta does not provide the option to directly upload the metadata XML file. You must manually enter the Secure Access service provider metadata. For more information on configuring your IdP, exporting your IdP metadata, obtaining your IdP details, or downloading your IdP's signing certificate, refer to your vendor's documentation.

Step 3a – Download the Secure Access Service Provider XML File

  1. Check Manual Configuration, and then click Download service provider XML file to save the Cisco_SSE_SP_Metadata XML file to your local device.
  2. Open the Cisco_SSE_SP_Metadata XML file.
  3. Copy the certificates from the Cisco_SSE_SP_Metadata XML file to a new file and save it. Use the certificate file in the next step when you create the app integration in Okta.

Step 3b – Add Secure Access Service Provider Metadata to Okta

You can find the following steps described in the Okta Help. For more information, see Create a Basic Custom SAML Application Using SP Metadata File.

You must configure Secure Access as a generic SAML 2.0 application within Okta. Okta does not provide a method to upload Secure Access metadata for automatic configuration. Extract the EntityID and AssertionConsumerService values from the Secure Access metadata file and add these to the applicable fields in Okta. Contact Okta for assistance.

  1. Sign in to your instance of Okta, then navigate to Applications > Create a new app integration.
  2. Click SAML 2.0, and then click Next.
  3. For General Settings, add a name for the app integration, and then click Next.
  4. For SAML Settings > General, enter the values from the service provider metadata file that you downloaded in Step 3a – Download the Secure Access Service Provider XML File.
    • For Single sign-on URL, add the value of the Location attribute of the md:AssertionConsumerService element. The value should be something like: https://fg.id.sse.cisco.com/gw/auth/acs/response.
    • For Audience URI (SP Entity ID), add the value of the entityID attribute. The value should be something like: saml.fg.id.sse.cisco.com.
  5. Click Show Advanced Settings.
  6. For Signature Certificate, upload the root certificate that you downloaded from the Cisco_SSE_SP_Metadata XML file. Click Preview the SAML Assertion to show the created metadata file, and then click Next.
  7. Click I'm an Okta customer adding an internal app, and then click Finish.

Step 3c – Add the Okta SAML Metadata to Secure Access

Complete the manual configuration of Okta in Secure Access. Enter your Okta SAML metadata for the following Secure Access settings:

  • Entity ID—A globally unique name for an identity provider.
  • Endpoint—The URL used to communicate with your identity provider.
  • Signing Keys—Your identity provider’s x.509 certificate that is used to sign the authentication request.
  • Signed Authentication Request (optional)—Choose whether to sign the authentication request for the IdP.

  1. On Okta, navigate to Sign on > Settings > Metadata details.
  2. On Okta, copy the value of Metadata URL. Navigate to Secure Access and enter the value in Entity ID.
  3. On Okta, click More Details.
  4. On Okta, copy the value of Sign on URL. Navigate to Secure Access and enter the value in Endpoint.
  5. On Okta, copy the value of Signing Certificate. Navigate to Secure Access and enter the value in Signing Keys.
  6. (Optional) Navigate to Secure Access and choose whether to sign the authentication request.
  7. On Secure Access, click Done.
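To pull these values out of the metadata files instead of reading them off by hand, the following Python script is an added example (not Cisco's or Okta's code). It parses SAML 2.0 metadata with the standard library, extracts the entity ID, the endpoints and the signing certificates, checks the two metadata prerequisites stated at the top of this page (a signing key must be present, and the HTTP-POST binding must be offered), and maps Secure Access service provider metadata to the Okta fields named in Step 3b. Both metadata documents embedded in it are constructed samples: the SP one uses the example entityID and ACS URL quoted on this page with a placeholder certificate body, and the IdP one uses a placeholder Okta tenant host and app ID.

```python
"""Extract the fields the Secure Access / Okta SAML setup asks for from SAML 2.0
metadata XML, and check the metadata prerequisites from this page.
Added example; not Cisco's or Okta's code. Standard library only."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder certificate body: valid base64, not a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed sample in the shape of a Cisco_SSE_SP_Metadata file; the entityID and
# AssertionConsumerService Location are the example values quoted on this page.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="saml.fg.id.sse.cisco.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://fg.id.sse.cisco.com/gw/auth/acs/response" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample IdP metadata in the shape Okta exports; tenant host and app ID are placeholders.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/PLACEHOLDER-APP-ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example-tenant.okta.com/app/PLACEHOLDER-APP-ID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return entity ID, role, endpoints and signing certificates from SAML metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    if sp is not None:
        role, desc, endpoint_tag = "SP", sp, "md:AssertionConsumerService"
    elif idp is not None:
        role, desc, endpoint_tag = "IdP", idp, "md:SingleSignOnService"
    else:
        raise ValueError("metadata has neither SPSSODescriptor nor IDPSSODescriptor")
    endpoints = [(e.get("Binding"), e.get("Location")) for e in desc.findall(endpoint_tag, NS)]
    # Only KeyDescriptors usable for signing count toward the "must have a signing key"
    # prerequisite; an absent "use" attribute means the key serves both purposes.
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    return {"entity_id": root.get("entityID"), "role": role,
            "endpoints": endpoints, "signing_certs": certs}


def to_pem(cert_b64):
    """Wrap a bare base64 certificate body as PEM, rejecting malformed base64 first."""
    base64.b64decode(cert_b64, validate=True)
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_metadata(meta):
    """Return the prerequisites from this page that the metadata fails (empty means OK)."""
    problems = []
    if not meta["signing_certs"]:
        problems.append("no signing key in KeyDescriptor")
    if not any(binding == HTTP_POST for binding, _ in meta["endpoints"]):
        problems.append("no HTTP-POST binding endpoint")
    return problems


def okta_app_settings(sp_meta):
    """Map Secure Access SP metadata to the fields the Okta SAML 2.0 app asks for in Step 3b."""
    post_acs = [loc for binding, loc in sp_meta["endpoints"] if binding == HTTP_POST]
    return {
        "Single sign-on URL": post_acs[0],
        "Audience URI (SP Entity ID)": sp_meta["entity_id"],
        "Signature Certificate (PEM)": to_pem(sp_meta["signing_certs"][0]),
    }


if __name__ == "__main__":
    sp = parse_metadata(SAMPLE_SP_METADATA)
    print("SP checks:", check_metadata(sp) or "OK")
    for field, value in okta_app_settings(sp).items():
        print(f"{field}: {value}")
    idp = parse_metadata(SAMPLE_IDP_METADATA)
    print("IdP checks:", check_metadata(idp) or "OK")
    print("IdP entity ID:", idp["entity_id"], "| endpoints:", idp["endpoints"])
```

Run it against the real files with `parse_metadata(open(path).read())`; the checks flag metadata that would fail the prerequisites before you spend time on a sign-on test. The standard-library parser is used because the input is a file you downloaded yourself; metadata fetched from a source you do not control should go through a hardened parser such as defusedxml instead.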

Test the Identity Provider Integration

To complete the integration of the SAML IdP with Secure Access, evaluate the single sign-on authentication through the IdP. For more information, see Test SAML Identity Provider Integration.

View the SAML Certificates in Secure Access

Once you have completed the integration of a SAML IdP in Secure Access, you can manage the root certificates used in SAML authentication for Secure Access (service provider) and the SAML IdP. For more information, see Manage Certificates.


Configure Azure AD for SAML < Configure Okta for SAML > Configure AD FS for SAML