Okta with SAML

Supported Features

Integrating Okta with Harmony SASE using the SAML protocol supports these features:

  • SP-initiated SSO (only supported for the Web Client login)

  • IdP-initiated SSO (only supported for the Web Client and Agent login)

  • JIT (Just In Time) Provisioning

Prerequisites

  • Administrator access to the Harmony SASE Administrator Portal.

  • An administrator account for the Identity Provider Management Portal.

High-Level Procedure

Step 1 - Configure the Okta Management Portal

  1. Log in to Okta Management Portal.

  2. Go to Applications.

  3. Click Browse App Catalog and search for Perimeter 81.

  4. Click Add Integration.

  5. Click Done.

    A Harmony SASE application is generated.

  6. Go to the Sign On tab.

  7. In the SAML 2.0 section, click More details and then copy the Sign on URL.

  8. In the SAML Signing Certificates section, click Actions and then select Download certificate.

  9. On the Sign On page, go to Settings and click Edit.

  10. In the Workspace field, enter your Harmony SASE workspace name.

  11. (Optional) If you want the group membership of your Okta account to sync with Harmony SASE, make sure that the Groups attribute statement uses the "Matches Regex" filter with .* as its value.

    Note - You must create the group on Harmony SASE manually for this option to work.

Step 2 - Configure the Harmony SASE Administrator Portal

  1. Log in to the Harmony SASE Administrator Portal with an administrator account.

  2. Go to Settings > Identity Providers.

  3. Click Add Provider.

    The Add identity provider pop-up appears.

  4. Select SAML 2.0 Identity Providers and click Continue.

  5. In the Sign in URL field, enter the Identity Provider Sign-in URL from your SAML Identity Provider.

    Identity Provider                              Sign in URL
    ---------------------------------------------  ------------------------------------------------------------------
    Generic SAML                                   Identity Provider Sign in URL
    Active Directory Federation Services (AD FS)   https://{{Your ADFS Domain}}/adfs/ls
    Auth0                                          Auth0 login URL
    OneLogin                                       SAML 2.0 Endpoint (HTTP) value
    PingOne                                        https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid={{idpid}}
    PingFederate                                   https://sso.{{Your PingFederate Domain}}.com/idp/SSO.saml2
    Rippling                                       Rippling IdP Sign-in URL
    JumpCloud                                      JumpCloud IDP URL
    Okta                                           Okta Sign on URL
    Google Applications                            SSO URL

  6. In the Domain Aliases field, enter the business domain names separated by commas or spaces.

  7. In the X509 Signing Certificate field, enter the X.509 signing certificate for the application from the SAML Identity Provider.

    If you have the signing certificate as a PEM/CERT file, click Upload PEM/CERT File and select the file.

  8. Click Done.

Note - After the first successful authentication of a member with SAML, Harmony SASE does the following:

  • Assigns the appropriate role to the member.

  • Adds the member to the groups associated with the Identity Provider.

  • Applies the relevant configuration profiles to the member.

Step 3 - Assign the App

  1. Log in to Okta Management Portal.

  2. Go to Applications and select your SAML 2.0 Application.

  3. Go to the Assignments tab.

  4. Assign the People or Groups you want to get synchronized with Harmony SASE.

  5. Click Save and Go Back and then click Done.

Step 4 - Verify SP-initiated SSO

  1. Go to your Harmony SASE workspace URL.

  2. Click Sign in with Okta.

  3. Verify you can successfully connect using your Okta credentials.

Supported SAML Attributes

Attribute Name   Value
---------------  -------------------------
given_name       user.firstName
family_name      user.lastName
email            user.email
groups           As configured in the app.

Note - Local users not defined through Okta will not be automatically added or removed from any Okta-associated group to which they are assigned. You must manually add or remove them from the required groups.
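As an added example (not part of this documentation or of Harmony SASE's own code), the following Python models how the attributes in the table above arrive in an Okta assertion and how the group rules on this page apply: the "Matches Regex" filter on the groups attribute, and the requirement that a group already exists in Harmony SASE before membership can sync. The sample assertion, the group names and the full-match regex semantics are constructed assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of an Okta assertion carrying the four
# attributes from the table above (Subject, Conditions and Signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="given_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="family_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Engineering</saml:AttributeValue>
      <saml:AttributeValue>VPN-Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]}; 'groups' is multi-valued, the rest single."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
    return attrs

def resolve_groups(asserted, existing, group_regex=r".*"):
    """Apply the Okta 'Matches Regex' group filter (modelled here as a full match), then
    keep only groups that already exist in Harmony SASE, since the page says groups must
    be created manually. Returns (synced, unmatched)."""
    pattern = re.compile(group_regex)
    filtered = [g for g in asserted if pattern.fullmatch(g)]
    synced = [g for g in filtered if g in existing]
    unmatched = [g for g in filtered if g not in existing]
    return synced, unmatched

def build_member(attrs, existing_groups, group_regex=r".*"):
    """JIT-provisioning view of one assertion: the three name/email attributes must be present."""
    missing = [n for n in ("given_name", "family_name", "email") if not attrs.get(n)]
    if missing:
        raise ValueError(f"assertion lacks required attributes: {missing}")
    synced, unmatched = resolve_groups(attrs.get("groups", []), existing_groups, group_regex)
    return {"first_name": attrs["given_name"][0], "last_name": attrs["family_name"][0],
            "email": attrs["email"][0], "groups": synced, "unmatched_groups": unmatched}

if __name__ == "__main__":
    member = build_member(parse_attributes(SAMPLE_ASSERTION), existing_groups={"Engineering"})
    print(member)  # VPN-Users is reported as unmatched until it is created in Harmony SASE
```

The unmatched list is the thing to check when a user authenticates but does not land in the expected group: either the regex filtered it out in Okta or the group was never created on the Harmony SASE side.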