Provision Users and Groups from Okta
This topic describes how to configure the provisioning of users and groups with Secure Access in the Cisco User Management Connector app on the Okta portal. After you add users and groups in the app, Okta begins to exchange the user and group information with Secure Access.
Table of Contents
- Prerequisites
- Limits and Best Practices
- Supported Features
- Configure the Cisco User Management Connector App in Okta
- View Provisioned Users and Groups in Secure Access
- Refresh SCIM Token
Prerequisites
- Full Admin user role. For more information, see Manage Accounts.
- A valid Okta subscription.
- Add the IdP in Secure Access and generate a valid SCIM token. For more information, see Add a Cloud Identity Provider.
- (Optional) Enable the authorization of the authName attribute in Secure Access. For more information, see Manage Advanced Configuration Settings.
- No concurrent provisioning of the same users or groups from on-premises AD and Okta. If you are using the on-premises AD Connector to import users and groups and choose to import the same users and groups from Okta, ensure that the on-premises AD Connector is switched off or that the Connector service on the connector machine is stopped.
Limits and Best Practices
- Secure Access supports provisioning a maximum of 1000 groups from Okta. Any groups beyond this number that are in scope are not provisioned. Secure Access does not restrict the number of users that you can provision from Okta. For more information, see Limitations and Range Limits.
- To ensure that all users are provisioned, assign the Everyone group to the Cisco User Management Connector app. You can push other additional groups for group-based Secure Access rule enforcement.
- Okta does not support nested groups.
- If you previously imported groups from the on-premises AD and push the same groups from Okta, the groups from Okta do not overwrite the groups imported from the on-premises AD. You must reassign any group-based Secure Access policy rules to the groups imported from Okta.
- Provisioning large numbers of users and groups to Secure Access may take several hours.
- After the initial provisioning of users and groups, it can take up to one hour for subsequent changes to users and groups to reflect in Secure Access.
- Concurrent synchronization of the same users and groups from the on-premises AD and the Cisco User Management Connector app is not supported and leads to inconsistent policy enforcement.
- For IP-to-user mapping deployments, you must use an on-premises AD Connector. Okta does not store the private IP to AD user mappings.
Supported Features
Secure Access supports these features in Okta:
- Create Users—New users created in Okta are also created in Secure Access.
- Update User Attributes—Updates to a user's profile through Okta are pushed to Secure Access.
- Deactivate Users—Deactivating a user through Okta deactivates the user in Secure Access.
- Group Push—Groups in Okta are pushed to Secure Access.
Configure the Cisco User Management Connector App in Okta
Configure the Cisco User Management Connector app on the Okta portal.
Note: The To Okta setting is not supported in the Cisco User Management Connector app.
- Step 1 – Add the Cisco User Management Connector App in Okta
- Step 2 – Add the Secure Access SCIM Token in the App
- Step 3 – Configure User Options in the App
- Step 4 – (Optional) Add a New Attribute
- Step 5 – (Optional) Provision authName Attribute to Authenticate Users
- Step 6 – Assign Users or Groups in the App
- Step 7 – Push Users or Groups from the App to Secure Access
- Step 8 – View Logs in the App
Step 1 – Add the Cisco User Management Connector App in Okta
- Sign in to your instance of Okta.
- Navigate to Applications, and then select Create App Integration or Browse App Catalog.
- Select the Cisco User Management Connector app.
Step 2 – Add the Secure Access SCIM Token in the App
- Click the Provisioning tab in the app.
- Navigate to Settings, and then click Integration.
- Select Enable API Integration.
- For API Token, enter the Secure Access SCIM API token. Treat this token as a secret: it is the bearer credential that authorizes Okta to create, update, and deactivate users in your Secure Access organization, so paste it only into the app and do not store copies elsewhere.
- Click Test API credentials to confirm that Okta can reach the Secure Access SCIM API with this token.
- Click Save.
Step 3 – Configure User Options in the App
- Click the Provisioning tab in the app.
- Navigate to Settings, and then click To App.
- Under Provisioning to App, select the Create Users, Update User Attributes, and Deactivate Users options.
  Note: You must select these options to provision users or groups.
- Verify that these attributes are selected for synchronization to Secure Access:
  - Username
  - Given name
  - Family name
  - Display name
  - Primary email
  Note: Other attributes are not required. Secure Access does not list the Given name and Family name attributes for users; it lists only the Display name and Username attributes.
- Click Save.
Step 4 – (Optional) Add a New Attribute
For more information, see (Optional) Add an objectGUID Attribute and Create the User Profile Mapping.
Step 5 – (Optional) Provision authName Attribute to Authenticate Users
For more information, see (Optional) Provision authName Attribute to Authenticate Users.
Step 6 – Assign Users or Groups in the App
After you add users and groups in Okta, you can assign these users and groups of users in the Cisco User Management Connector app.
- Click the Assignments tab in the app.
- Assign users and groups in the app.
Important: Assigning groups to the app does not provision these groups to Secure Access. Okta only provisions the users that are members of the assigned groups. Do not manually change the value of the nativeObjectId field when assigning any groups and users.
a. Navigate to People, and then click Assign.
(Optional) To assign all users, assign the Everyone group to the app.

b. Navigate to Groups, and then click Assign.

Important: Once users and groups are assigned, the app begins to provision the selected users to Secure Access. Wait for all users to appear in Secure Access before you start to push groups. The time that provisioning users and syncing groups takes depends on the number of users provisioned. We recommend that you confirm that every selected user has been provisioned from Okta to Secure Access before pushing groups.
Step 7 – Push Users or Groups from the App to Secure Access
- Click the Push Groups tab in the app.
- Select the groups to push from the app to Secure Access. Pushing a group provisions the group and its membership to Secure Access; it does not sync any users, so the members must already be provisioned through the Assignments tab.
  Note: Okta does not recommend pushing groups that are assigned to the app. If you assigned the Everyone group to the app, do not push the same group.
- Click Save or Save & Add Another.
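Steps 6 and 7 interact: the Assignments tab decides which users are provisioned, and Push Groups carries only the group and its membership. The following Python is an added example, not part of this page or of the Cisco or Okta apps. It applies those two rules, the 1000-group limit from Limits and Best Practices, and the advice not to push an assigned group, to a constructed tenant, so that an assigned-and-pushed group or a pushed group whose members fall outside the assignment scope shows up before you click Save. The group names, member logins, and the treatment of Everyone as "every Okta user" are constructed assumptions; which groups Secure Access drops once the 1000 limit is exceeded is not stated on the page, so only the overflow count is reported.

```python
"""Pre-flight check for an Okta -> Secure Access provisioning plan.

Added example; not Cisco or Okta code. Rules applied (all from the page):
  * users are provisioned only via assignment (Everyone or assigned groups);
  * group push provisions the group and its membership, never users;
  * at most 1000 pushed groups are provisioned;
  * a group assigned to the app should not also be pushed.
"""

MAX_PUSHED_GROUPS = 1000  # Secure Access limit from "Limits and Best Practices"

# Constructed sample tenant; not real directory data.
ALL_USERS = {
    "alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com",
}
GROUPS = {
    "Engineering": {"alice@example.com", "bob@example.com"},
    "Finance": {"carol@example.com", "dave@example.com"},
    "VPN-Users": {"alice@example.com", "carol@example.com"},
}


def plan_provisioning(all_users, groups, assigned_groups, pushed_groups):
    """Return the users and groups the app will provision plus a list of warnings.

    all_users: every Okta login; assumed to be what the Everyone group contains.
    groups: mapping of Okta group name -> set of member logins.
    assigned_groups: group names assigned on the Assignments tab.
    pushed_groups: group names listed on the Push Groups tab.
    """
    # Assignment scope: only members of assigned groups are provisioned.
    provisioned_users = set()
    for name in assigned_groups:
        if name == "Everyone":
            provisioned_users |= set(all_users)
        else:
            provisioned_users |= groups.get(name, set())

    warnings = []

    # Okta advises against pushing a group that is also assigned to the app.
    for name in sorted(set(assigned_groups) & set(pushed_groups)):
        warnings.append(f"group {name!r} is both assigned and pushed; do not push assigned groups")

    # Groups beyond the limit are not provisioned; the page does not say which ones.
    pushed = list(pushed_groups)
    if len(pushed) > MAX_PUSHED_GROUPS:
        extra = len(pushed) - MAX_PUSHED_GROUPS
        warnings.append(f"{extra} pushed group(s) beyond the {MAX_PUSHED_GROUPS} limit will not be provisioned")

    # A push carries membership only; members outside the assignment scope never
    # become Secure Access users, so group-based rules cannot match them.
    memberships = {}
    for name in pushed[:MAX_PUSHED_GROUPS]:
        members = groups.get(name, set())
        missing = sorted(members - provisioned_users)
        if missing:
            warnings.append(f"group {name!r} has member(s) not assigned to the app: {missing}")
        memberships[name] = sorted(members)

    return {"users": sorted(provisioned_users), "groups": memberships, "warnings": warnings}


if __name__ == "__main__":
    # Recommended layout: Everyone assigned, only non-assigned groups pushed.
    plan = plan_provisioning(ALL_USERS, GROUPS, ["Everyone"], ["Engineering", "VPN-Users"])
    print("users:", plan["users"])
    print("warnings:", plan["warnings"])
    # Narrow assignment: Engineering assigned and also pushed, VPN-Users pushed.
    plan = plan_provisioning(ALL_USERS, GROUPS, ["Engineering"], ["Engineering", "VPN-Users"])
    for w in plan["warnings"]:
        print("WARNING:", w)
```

Run it before you change assignments in a large tenant: the first scenario prints no warnings, the second flags Engineering as assigned-and-pushed and reports that carol, a member of VPN-Users, is outside the assignment scope.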
Step 8 – View Logs in the App
From the Cisco User Management Connector app in your instance of Okta, view the provisioning logs.
- Navigate to View Logs in the Cisco User Management Connector app in Okta. The app displays the progress of the provisioning.
(Optional) Add an objectGUID Attribute and Create the User Profile Mapping
If you need to import the objectGUID attribute for users, add a new attribute and map the attributes in the profile mapping.
Note: Before setting up the import of the objectGUID attribute, review and meet the prerequisites. For more information, see Prerequisites.
The on-premises Secure Access AD Connector and the Cisco Secure Client rely on the objectGUID attribute for user and group identification. Synchronize the objectGUID attribute of users from Okta to Secure Access only if either of the following conditions is true:
- You have previously imported AD users to Secure Access using the on-premises Secure Access AD Connector, are now importing the same user identities from Okta, and want the previously imported identities to persist for policy or reporting purposes.
- You have endpoints that authenticate against on-premises AD and run the Cisco Secure Client.
Note: The Okta Active Directory agent does not synchronize the objectGUID attribute of users from on-premises AD to Okta by default.
Add the objectGUID Attribute
- In Okta, navigate to the Provisioning tab on the Cisco User Management Connector app.
- From Settings > To App, navigate to Profile Editor.
- For Okta Attribute Mappings, click Add Attribute to create a custom attribute of string type called objectGUID:
  - Set Display name, Variable name, and External name to native.ObjectId.
  - For Scope, click User personal.
  - Set External namespace to urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:user.
- Click Save.
Create the User Profile Mappings
- In Okta, navigate to the Provisioning tab on the Cisco User Management Connector app.
- From Settings > To App, navigate to Profile Editor.
- For Cisco User Management Connector User Profile Mappings, create a new Okta User Profile mapping that maps the Okta user to the Cisco User Management Connector user. The profile must map user.objectGUID to nativeObjectId.
- Click Save Mappings.
- Select the option to Apply the Mappings to All Users with this Profile.
(Optional) Provision authName Attribute to Authenticate Users
To use an attribute to authenticate users in addition to the user principal name (UPN) attribute, customize the authName attribute and map it to a user profile (such as employee email or ID).
Prerequisites
Authorize the use of the authName attribute. For more information, see Set Up Authentication Preferences for Identity Providers.
Customize the authName Attribute
- In Okta, open the Cisco User Management for Secure Access app.
- Navigate to the Provisioning tab.
- Navigate to Cisco User Management Connector for Secure Access - Attribute Mappings.
- Click Go to Profile Editor.

- On the Profile Editor page, scroll down to the Cisco User Management for Secure Access section.
- In the Attributes section, click Add Attribute.

- In the Custom attribute window, complete the following fields:
- Data type—Choose string.
- Display name—Type Custom authentication attribute.
- Variable name—Type authName.
- External name—Type authName.
- External namespace—Select urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:User.
- Description—(Optional) Enter a description for your unique authentication attribute.
- Enum—Leave Define enumerated list of values unchecked.
- Attribute length—Choose Greater than.
- Min value—Enter a number of characters for the unique authentication attribute.
- Attribute required—Click Yes if you want all users to be authenticated with the unique authName attribute.
- Attribute type—Click the Personal radio button.

- Click Save.
Map the Custom authName Attribute to a User Profile
-
In the left pane, select Profile Editor.
-
In the Attributes section, click Mappings.
-
On the Cisco User Management for Secure Access - User Profile Mappings page, click Okta User to Cisco Umbrella User Management Connector.

- In the left pane for the user profile, click the yellow arrow and select Apply mapping on user create and update.

- Click Save Mappings.
(Optional) Force-Sync Existing Users
Sync the existing users so that they carry the authName attribute. New users sync automatically.
- In Okta, navigate to Applications and open the Cisco User Management for Secure Access app.
- Select the Provisioning tab.
- Click Force Sync.
Note: Based on your directory size, expect a delay for users to sync with the authName attribute.
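The objectGUID mapping and the authName attribute above both land in the same Cisco SCIM extension namespace, and the Profile Editor gives no preview of the resource it produces. The following Python is an added example, not Cisco's or Okta's code: it renders a constructed Okta profile as the SCIM 2.0 User resource those mappings imply and checks the extension the way you would when reading the app's provisioning logs (extension URN listed in `schemas`, nativeObjectId shaped like an AD GUID rather than a hand-edited value, authName at least as long as the Min value you configured). The attribute names and the namespace URN are the ones on this page; the exact JSON that Okta emits is not shown on the page, so the resource layout, the sample profile, and the minimum authName length are assumptions to be checked against your own logs.

```python
"""SCIM 2.0 User resource as the Cisco User Management Connector mappings imply.

Added example; not Cisco or Okta code. Core attributes follow Step 3 (Username,
Given name, Family name, Display name, Primary email). objectGUID and authName,
when present, go into the Cisco extension as nativeObjectId and authName, and the
extension URN is then listed in `schemas`, as SCIM 2.0 requires. The JSON layout
is assumed; Okta's actual payload is not reproduced on the page.
"""
import json
import re

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
CISCO_EXT = "urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:User"
# Shape of an AD objectGUID rendered as a string (8-4-4-4-12 hex groups).
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
AUTHNAME_MIN_LEN = 3  # assumed: the "Min value" chosen in the Custom attribute dialog

# Constructed sample Okta profile; not real directory data.
SAMPLE_OKTA_USER = {
    "login": "jdoe@example.com",
    "firstName": "Jane",
    "lastName": "Doe",
    "displayName": "Jane Doe",
    "email": "jdoe@example.com",
    "status": "ACTIVE",
    "objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "authName": "E12345",
}


def build_scim_user(okta_user: dict) -> dict:
    """Render an Okta profile dict as the SCIM User the app's mappings produce."""
    resource = {
        "schemas": [SCIM_CORE_USER],
        "userName": okta_user["login"],
        "name": {
            "givenName": okta_user.get("firstName", ""),
            "familyName": okta_user.get("lastName", ""),
        },
        "displayName": okta_user.get("displayName", ""),
        "emails": [{"value": okta_user["email"], "primary": True}],
        # Deactivate Users in Okta becomes active=false on the SCIM side.
        "active": okta_user.get("status", "ACTIVE") == "ACTIVE",
    }
    ext = {}
    if okta_user.get("objectGUID"):
        ext["nativeObjectId"] = okta_user["objectGUID"]  # user.objectGUID -> nativeObjectId
    if okta_user.get("authName"):
        ext["authName"] = okta_user["authName"]
    if ext:
        resource["schemas"].append(CISCO_EXT)
        resource[CISCO_EXT] = ext
    return resource


def validate_scim_user(resource: dict, authname_min_len: int = AUTHNAME_MIN_LEN) -> list:
    """Return a list of problems; an empty list means the resource passes these checks."""
    problems = []
    if not resource.get("userName"):
        problems.append("userName is required")
    if not any(e.get("primary") for e in resource.get("emails", [])):
        problems.append("no primary email")
    ext = resource.get(CISCO_EXT)
    if ext is not None and CISCO_EXT not in resource.get("schemas", []):
        problems.append("extension attributes present but URN missing from schemas")
    if ext:
        guid = ext.get("nativeObjectId")
        if guid is not None and not GUID_RE.match(guid):
            # The page warns never to hand-edit nativeObjectId; a non-GUID is a red flag.
            problems.append(f"nativeObjectId {guid!r} is not a GUID; do not hand-edit this value")
        auth = ext.get("authName")
        if auth is not None and len(auth) < authname_min_len:
            problems.append(f"authName shorter than {authname_min_len} characters")
    return problems


if __name__ == "__main__":
    user = build_scim_user(SAMPLE_OKTA_USER)
    print(json.dumps(user, indent=2))
    print("problems:", validate_scim_user(user))
```

Compare the printed resource with what the app's View Logs entry shows for a test user after Force Sync; if the extension block or the URN differs, the Profile Editor mapping, not Secure Access, is where to look.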
View Provisioned Users and Groups in Secure Access
- Navigate to Connect > Users and Groups to view the users and groups provisioned from Okta.
- For more information, see View User Details.
- For more information, see View Group Details.
Refresh SCIM Token
We recommend that you refresh the SCIM token at least once every 180 days. Refresh the token in Secure Access and immediately copy the new token into the Cisco User Management Connector app in Okta so that provisioning is not interrupted. Refreshing the SCIM token is the administrator's responsibility; Secure Access does not rotate it for you.