Provision Users and Groups from Okta

Cisco Secure Access supports the provisioning of users and groups from Okta. With your Secure Access System for Cross-domain Identity Management (SCIM) token, configure the Cisco User Management for Secure Access app on the Okta portal. Once you add users and groups in the app, Okta begins to exchange the user and group information with Secure Access.

Note: You do not need to deploy an on-premises Secure Access Active Directory (AD) Connector.

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • A valid Okta subscription.
  • A valid SCIM token generated in Secure Access. For more information, see Provision Token for Identity Provider.
  • No concurrent provisioning of the same users or groups from on-premises AD and Okta. If you are using the on-premises Secure Access AD Connector to import users and groups and choose to import the same users and groups from Okta, ensure that the on-premises Secure Access AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.
  • For IP-to-user mapping deployments, you must use an on-premises Secure Access AD connector. Okta does not store the private IP to AD user mappings.

Limitations

  • Secure Access supports provisioning a maximum of 200 groups from Okta. Any groups beyond this number that are in scope are not provisioned. Secure Access does not restrict the number of users that you can provision from Okta.
  • To ensure that all users are provisioned, assign the Everyone group to the Cisco User Management for Secure Access app. You can push other additional groups for group-based Secure Access policy enforcement. 
  • Okta does not support nested groups.
  • If you previously imported groups from on-premises AD and push the same groups from Okta, the groups from Okta do not overwrite the groups imported from the on-premises AD. You must reassign any group-based Secure Access policy rules to the groups imported from Okta.
  • Provisioning large numbers of users and groups to Secure Access may take several hours.
  • After the initial provisioning of users and groups, it can take up to one hour for subsequent changes to users and groups to reflect in Secure Access.
  • Concurrent synchronization of the same users and groups from the Secure Access AD Connector and the Cisco User Management for Secure Access app is not supported and leads to inconsistent policy enforcement.

Supported Features

The following Okta provisioning features are supported:

  • Create Users—New users created in Okta are also created in Secure Access.
  • Update User Attributes—Updates to a user's profile through Okta are pushed to Secure Access.
  • Deactivate Users—Deactivating a user through Okta deactivates the user in Secure Access.
  • Group Push—Groups in Okta are pushed to Secure Access.

Import the ObjectGUID Attribute from Okta to Secure Access

The on-premises Secure Access AD Connector and the Cisco Secure Client rely on the objectGUID attribute for user and group identification. Synchronize the objectGUID attribute of users from Okta to Secure Access only if either of the following conditions is true:

  • You have previously imported AD users to Secure Access using the on-premises Secure Access AD connector, are now importing the same user identities from Okta, and want the previously imported identities to be persisted for policy or reporting purposes.
  • You have endpoints that authenticate against on-premises AD and run the Cisco Secure Client.

Note: Before setting up the import of the objectGUID, ensure that the on-premises Secure Access AD Connector that synchronizes these users and groups is switched off or that the OpenDNS Connector service on the connector machine is stopped.

The Okta Active Directory agent does not synchronize the objectGUID attribute of users from on-premises AD to Okta by default. To import it:

  1. Navigate to the Provisioning tab on the Cisco Secure Access User Management app in Okta.
  2. From Settings > To App, navigate to Profile Editor.
  3. For Okta Attribute Mappings, click Add Attribute to create a custom attribute of string type called objectGUID.
  4. For Cisco User Management for Secure Access User Profile Mappings, create a new User Profile Mapping for your AD domain that maps the Okta User appuser.externalId to the user.objectGUID.
  5. For Okta Attribute Mappings, do a Force Sync of attributes to ensure that the objectGUID attribute for users is imported from AD.

Configure the Cisco Secure Access App

Configure the Cisco User Management for Secure Access app on the Okta portal.

Note: The To Okta setting is not supported on the Cisco User Management for Secure Access app.

Step 1 – Add the App to Okta

  1. Sign in to Okta and add the Cisco Secure Access User Management app to your instance of Okta.

Step 2 – Add the Secure Access SCIM Token to the App

  1. Navigate to the Provisioning tab on the Cisco Secure Access User Management app in Okta.
  2. From Settings > Integration, select Enable API Integration, and then add the Secure Access SCIM API token.
  3. Click Test API credentials to confirm that Okta can reach the Secure Access API with your Secure Access SCIM token, and then click Save.

Step 3 – Configure the Required User Options

  1. Navigate to the Provisioning tab on the Cisco Secure Access User Management app in Okta.
  2. From Settings > To App, enable the Create Users, Update User Attributes, and Deactivate Users options. You must select these options to provision users or groups.
  3. Verify that the following attributes are chosen for synchronization to Secure Access. Other attributes are not required. Secure Access does not list the Given name and Family name attributes for users; it only lists the Display name and Username attributes.
    • Username
    • Given name
    • Family name
    • Display name
    • Primary email

Step 4 – (Optional) Add a New Attribute and Create the User Profile Mapping

4a. If you need to import the objectGUID attribute for users, add a new attribute and map the attributes in the profile mapping.

  1. Navigate to the Provisioning tab on the Cisco Secure Access User Management app in Okta.
  2. From Settings > To App, navigate to Profile Editor.
  3. Click Add Attribute.
    • Set Display name, Variable name, and External name to nativeObjectId.
    • For Scope, click User personal.
    • Set External namespace to urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:user
  4. Click Save.

4b. Add the new user profile mapping.

  1. Navigate to the Provisioning tab on the Cisco Secure Access User Management app in Okta.
  2. From Settings > To App, navigate to Profile Editor.
  3. For Cisco User Management for Secure Access User Profile Mappings, create a new Okta User Profile that maps the Okta User to the Cisco User Management for Secure Access user. The profile must map the user.objectGUID to nativeObjectId.
  4. Click Save Mappings to save the profile mapping. Select the option to Apply the Mappings to All Users with this Profile.
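To check what the Step 4 mapping (user.objectGUID to nativeObjectId under the ciscoumbrella extension namespace) should produce in a SCIM user body, here is an added example that is not Cisco's or Okta's code. The schema URN and attribute names come from this page; the sample user, the GUID value, and the assumption that Okta presents objectGUID as a standard GUID string are constructed for illustration.

```python
import uuid

# Core SCIM 2.0 user schema (RFC 7643) and the extension namespace from Step 4a.
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
EXT = "urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:user"


def build_scim_user(username, given, family, display, email, object_guid=None):
    """Assemble the attributes Step 3 lists (Username, Given name, Family name,
    Display name, Primary email) plus the optional nativeObjectId extension."""
    user = {
        "schemas": [CORE],
        "userName": username,
        "name": {"givenName": given, "familyName": family},
        "displayName": display,
        "emails": [{"value": email, "primary": True}],
    }
    if object_guid is not None:
        # The profile mapping copies user.objectGUID into this extension attribute.
        user["schemas"].append(EXT)
        user[EXT] = {"nativeObjectId": object_guid}
    return user


def check_scim_user(user):
    """Return a list of problems; an empty list means the body matches the mapping."""
    problems = []
    for attr in ("userName", "displayName"):
        if not user.get(attr):
            problems.append(f"missing {attr}")
    if not any(e.get("primary") for e in user.get("emails", [])):
        problems.append("no primary email")
    if EXT in user.get("schemas", []):
        native = user.get(EXT, {}).get("nativeObjectId", "")
        try:
            # Assumption: objectGUID arrives as a GUID string (constructed check).
            uuid.UUID(str(native))
        except ValueError:
            problems.append("nativeObjectId is not an objectGUID-style value")
    elif EXT in user:
        problems.append("extension present but not declared in schemas")
    return problems


if __name__ == "__main__":
    # Constructed sample user; the GUID is a placeholder, not a real directory value.
    sample = build_scim_user("jdoe@example.com", "Jane", "Doe", "Jane Doe",
                             "jdoe@example.com", "12345678-abcd-ef01-2345-6789abcdef01")
    print(check_scim_user(sample))  # [] when the body is consistent with the mapping
```

A non-empty result from check_scim_user points at the attribute to revisit in the Profile Editor before reading the app's provisioning logs.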

Step 5 – Assign Users and Groups in the App

Once you complete the provisioning configuration, assign users in the Cisco User Management for Secure Access app.

  1. Navigate to the Assignments tab on the Cisco Secure Access User Management app in Okta.
    You can assign individual users or specific groups to the app. To assign all users, assign the Everyone group to the app. 
    Note: Assigning groups to the app does not provision these groups to Secure Access. Okta only provisions users that are members of the assigned groups. Do not manually change the value of the nativeObjectId field when assigning any groups and users.
  2. Once users and groups are assigned, these users automatically begin to provision to Secure Access. Wait for all users to show up in Secure Access before starting to push groups. This can take time depending on the number of users provisioned. Confirm that all users are provisioned to Secure Access.
  3. Navigate to the Push Groups tab on the Cisco Secure Access User Management app in Okta.
  4. Provision groups and group membership to Secure Access.
    Pushing a group does not sync any users and only provisions the group to Secure Access.
    Note: Okta does not recommend pushing groups that are assigned to the app. If you have assigned the Everyone group to the app, you should not push the same group.

Step 6 – View Logs in the App

  1. Navigate to View Logs on the Cisco User Management for Secure Access app in Okta.
    The app displays the progress of the provisioning.

View Provisioned Users and Groups in Secure Access

  1. Navigate to Connect > Users and Groups to view the users and groups provisioned from Okta.
    1. See View User Details
    2. See View Group Details

Refresh SCIM Token

Secure Access recommends that you refresh the SCIM token at least once every 180 days. Refresh the token in Secure Access and immediately copy the new token to the Cisco Secure Access app on Okta so that provisioning is not impacted. Refreshing the SCIM token is the full responsibility of the administrator. Secure Access does not perform this action.
