Provision Users and Groups from Okta

Secure Access supports the provisioning of users and groups from Okta. With your Secure Access System for Cross-domain Identity Management (SCIM) token, configure the Cisco User Management Connector app on the Okta portal. Once you add users and groups in the app, Okta begins to exchange the user and group information with Secure Access.

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • A valid Okta subscription.
  • A valid SCIM token generated in Secure Access. For more information, see Provision Token for Identity Provider.
  • No concurrent provisioning of the same users or groups from on-premises AD and Okta. If you are using the on-premises AD Connector to import users and groups and choose to import the same users and groups from Okta, ensure that the on-premises AD Connector is switched off or that the Connector service on the connector machine is stopped.

Limitations

  • Secure Access supports provisioning a maximum of 200 groups from Okta. Any groups beyond this number that are in scope are not provisioned. Secure Access does not restrict the number of users that you can provision from Okta.
  • To ensure that all users are provisioned, assign the Everyone group to the Cisco User Management Connector app. You can push additional groups for group-based Secure Access policy enforcement.
  • Okta does not support nested groups.
  • If you previously imported groups from the on-premises AD and push the same groups from Okta, the groups from Okta do not overwrite the groups imported from the on-premises AD. You must reassign any group-based Secure Access policy rules to the groups imported from Okta.
  • Provisioning large numbers of users and groups to Secure Access may take several hours.
  • After the initial provisioning of users and groups, it can take up to one hour for subsequent changes to users and groups to reflect in Secure Access.
  • Concurrent synchronization of the same users and groups from the on-premises AD and the Cisco User Management Connector app is not supported and leads to inconsistent policy enforcement.
  • For IP-to-user mapping deployments, you must use an on-premises AD Connector. Okta does not store the private IP to AD user mappings.

Supported Features

The following Okta provisioning features are supported:

  • Create Users—New users created in Okta are also created in Secure Access.
  • Update User Attributes—Updates to a user's profile through Okta are pushed to Secure Access.
  • Deactivate Users—Deactivating a user through Okta deactivates the user in Secure Access.
  • Group Push—Groups in Okta are pushed to Secure Access.

Configure the App in Okta

Configure the Cisco User Management Connector app on the Okta portal.

Note: The To Okta setting is not supported on the Cisco User Management Connector app.

Step 1 – Add the App to Okta

  1. Sign in to Okta and add the Cisco User Management Connector app to your instance of Okta.

Step 2 – Add the Secure Access SCIM Token to the App

  1. Navigate to the Provisioning tab on the Cisco User Management Connector app in Okta.

  2. From Settings > Integration, select Enable API Integration, and then add the Secure Access SCIM API token.

  3. Click Test API credentials to confirm that you can use your Secure Access SCIM token to connect the Secure Access API with Okta, and then click Save.

Step 3 – Configure the Required User Options

  1. Navigate to the Provisioning tab on the Cisco User Management Connector app in Okta.

  2. From Settings > To App, enable the Create Users, Update User Attributes, and Deactivate Users options. You must select these options to provision users or groups.

  3. Verify that the following attributes are chosen for synchronization to Secure Access. Other attributes are not required. Secure Access does not list the Given name and Family name attributes for users. Secure Access only lists the Display name and Username attributes.

    • Username
    • Given name
    • Family name 
    • Display name
    • Primary email

Step 4 – (Optional) Add a New Attribute and Create the User Profile Mapping

Step 5 – Assign Users and Groups in the App

After you complete the provisioning configuration, assign users in the Cisco User Management Connector app.

  1. Navigate to the Assignments tab on the Cisco User Management Connector app in Okta.
    You can assign individual users or specific groups to the app. To assign all users, assign the Everyone group to the app.
    Note: Assigning groups to the app does not provision these groups to Secure Access. Okta only provisions users that are members of the assigned groups. Do not manually change the value of the nativeObjectId field when assigning any groups and users.
  2. Once users and groups are assigned, these users automatically begin to provision to Secure Access. Wait for all users to show up in Secure Access before starting to push groups. This can take time depending on the number of users provisioned. Confirm that all users are provisioned to Secure Access.
  3. Navigate to the Push Groups tab on the Cisco User Management Connector app in Okta.
  4. Provision groups and group membership to Secure Access.
    Pushing a group does not sync any users and only provisions the group to Secure Access.
    Note: Okta does not recommend pushing groups that are assigned to the app. If you have assigned the Everyone group to the app, you should not push the same group.
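
The following pre-flight check is an added example, not part of the Cisco or Okta documentation. It tests a planned set of assigned and pushed groups against the constraints stated on this page (200-group limit, no pushing of groups that are assigned to the app, no concurrent on-premises AD sync). The function name, finding codes, and sample group lists are assumptions, and groups are compared by exact name.

```python
MAX_PUSHED_GROUPS = 200  # limit stated in the Limitations section


def preflight(assigned, pushed, ad_imported, ad_connector_running):
    """Check a planned Okta configuration against this page's constraints.

    assigned:    group names on the app's Assignments tab
    pushed:      group names planned for the Push Groups tab
    ad_imported: group names already imported by the on-premises AD Connector
    Returns a list of (code, detail) findings; an empty list means no conflict.
    Matching groups by exact name is an assumption of this example.
    """
    assigned, pushed, ad_imported = set(assigned), set(pushed), set(ad_imported)
    findings = []

    # Groups beyond the limit are silently not provisioned.
    if len(pushed) > MAX_PUSHED_GROUPS:
        over = len(pushed) - MAX_PUSHED_GROUPS
        findings.append(("GROUP_LIMIT", f"{over} group(s) exceed the limit"))

    # Pushing a group that is also assigned to the app is not recommended.
    both = sorted(assigned & pushed)
    if both:
        findings.append(("ASSIGNED_AND_PUSHED", ", ".join(both)))

    # The same identities must not be synced from AD and Okta at once.
    overlap = sorted((assigned | pushed) & ad_imported)
    if overlap and ad_connector_running:
        findings.append(("CONCURRENT_AD_SYNC", ", ".join(overlap)))
    elif pushed & ad_imported:
        # Okta groups do not overwrite AD-imported groups; policy rules
        # must be reassigned to the groups imported from Okta.
        names = ", ".join(sorted(pushed & ad_imported))
        findings.append(("REASSIGN_POLICY", names))
    return findings


# Constructed sample plan (not real tenant data).
SAMPLE = {
    "assigned": ["Everyone"],
    "pushed": ["Everyone", "Finance", "Engineering"],
    "ad_imported": ["Finance"],
    "ad_connector_running": True,
}

if __name__ == "__main__":
    for code, detail in preflight(**SAMPLE):
        print(f"{code}: {detail}")
```
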

Step 6 – View Logs in the App

  1. Navigate to View Logs on the Cisco User Management Connector app in Okta.
    The app displays the progress of the provisioning.

(Optional) Add an objectGUID Attribute and Create the User Profile Mapping

If you need to import the objectGUID attribute for users, add a new attribute and map the attributes in the profile mapping.

Note: Before setting up the import of the objectGUID, review and meet the prerequisites. For more information, see Prerequisites.

The on-premises Secure Access AD Connector and the Cisco Secure Client rely on the objectGUID attribute for user and group identification. Ensure that the objectGUID attribute of users is synchronized from Okta to Secure Access only if either of the following conditions is true:

  • You have previously imported AD users to Secure Access using the on-premises Secure Access AD connector, are now importing the same user identities from Okta, and want the previously imported identities to be persisted for policy or reporting purposes.
  • You have endpoints that authenticate against on-premises AD and run the Cisco Secure Client.

Note: The Okta Active Directory agent does not synchronize the objectGUID attribute of users from on-premises AD to Okta by default.

Add the objectGUID Attribute

  1. In Okta, navigate to the Provisioning tab on the Cisco User Management Connector app.
  2. From Settings > To App, navigate to Profile Editor.
  3. For Okta Attribute Mappings, click Add Attribute to create a custom attribute of string type called objectGUID.
    • Set Display name, Variable name, and External name to native.ObjectId.
    • For Scope, click User personal.
    • Set External namespace to urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:user
  4. Click Save.

Create the new user-profile mapping

  1. In Okta, navigate to the Provisioning tab on the Cisco User Management Connector app.

  2. From Settings > To App, navigate to Profile Editor.

  3. For Cisco User Management Connector User Profile Mappings, create a new Okta User Profile that maps the Okta user to the Cisco User Management Connector user. The profile must map the user.objectGUID to nativeObjectId.

  4. Click Save Mappings.

  5. Select the option to Apply the Mappings to All Users with this Profile.

(Optional) Provision authName Attribute to Authenticate Users

To use an attribute to authenticate users in addition to the user principal name (UPN) attribute, customize the authName attribute and map it to a user profile (such as employee email or ID).

Prerequisite

5a. Customize the authName Attribute

  1. In Okta, open the Cisco User Management for Secure Access app.
  2. Navigate to the Provisioning tab.
  3. On the Cisco User Management Connector for Secure Access - Attribute Mappings page, click Go to Profile Editor.
  4. On the Profile Editor page, scroll down to the Cisco User Management for Secure Access section.
  5. In the Attributes section, click Add Attribute.
  6. In the Custom attribute window, complete the following fields:
    • Data type—Choose string
    • Display name—Type Custom authentication attribute
    • Variable name—Type authName
    • External name—Type authName
    • External namespace—Select urn:ietf:params:scim:schemas:extension:ciscoumbrella:2.0:User
    • Description—(Optional) Enter a description for your unique authentication attribute.
    • Enum—Leave Define enumerated list of values unchecked.
    • Attribute length—Choose Greater than
    • Min value—Enter a number of characters for the unique authentication attribute.
    • Attribute required—Click Yes if you want all users to be authenticated with the unique authName attribute.
    • Attribute type—Click the Personal radio button.
  7. Click Save.

5b. Map the custom authName attribute to a user profile

  1. In the left pane, select Profile Editor.
  2. In the Attributes section, click Mappings.
  3. On the Cisco User Management for Secure Access - User Profile Mappings page, click Okta User to Cisco Umbrella User Management Connector.
  4. In the left pane, for the user profile that you want to map to the authName attribute, click the yellow arrow and select Apply mapping on user create and update.
  5. Click Save Mappings.

The final step is to sync existing users with the authName attribute (new users sync automatically).

  1. In the Cisco User Management for Secure Access app, navigate to Applications.
  2. Select the Provisioning tab.
  3. Click Force Sync.
    Note: Based on your directory size, expect a delay for users to sync with the authName attribute.

View Provisioned Users and Groups in Secure Access

  1. Navigate to Connect > Users and Groups to view the users and groups provisioned from Okta.

Refresh SCIM Token

We recommend that you refresh the SCIM token at least once every 180 days. Refresh the token in Secure Access and immediately copy the new token to the Secure Access app on Okta so that provisioning is not impacted. Refreshing the SCIM token is the responsibility of the administrator. Secure Access does not perform this action.
