SAML Configuration Example: Okta


This example illustrates how to configure the Zscaler service as an application in Okta. It also describes how to integrate Active Directory with Okta. Refer to the Okta documentation for additional information about the steps in the example.

Prerequisites

Ensure that you have the following before you start configuration:

  • Okta account with admin privileges
  • Windows Server 2003 R2 or later

Configuring the Zscaler Service in Okta

To configure the Zscaler service in Okta:

  1. Add the Zscaler service as an application and do the following.
    • Define the settings.
    • Choose sign-on options.
    • Assign the Zscaler service to users. 
  2. Integrate Active Directory with Okta.
  3. Import user information to Okta.
  4. Test the configuration.

See below for instructions on each task.

Adding the Zscaler Service

Adding the Zscaler service as an application includes defining its settings, choosing SAML 2.0 as the single sign-on option and assigning the service to users.

To add the Zscaler service as an application:

  1. Log in to Okta.
  2. Go to the Applications tab and click Add Application.
  3. Enter Zscaler in the Search field, and then click + beside Zscaler on the list of results.
  4. In the General Settings tab, complete the following and click Next:
    • Application Label: Specify the display name for the service.
    • Your Zscaler Domain: Specify the domain in the URL you use to log in to the service. For example, if you log in to https://admin.zscaler.net/, enter zscaler.net.
    • If you are enabling SAML auto-provisioning, complete the User Display Name, Department Name, and Group Name fields.
    • Group Filter: Optionally, enter an expression that filters the groups sent to the service. For example, zscaler.* includes all groups whose names begin with the string zscaler, such as those prefixed with “zscaler_”.
  5. In the Sign-On Options tab, do the following, and then click Next:
    • Choose SAML 2.0.
    • From the Default user name format menu, choose Okta username.
  6. In the Assign to People tab, select the users who will log in to the Zscaler service.
  7. After selecting users, review and confirm your assignments, and then click Next.
  8. Okta displays a confirmation message.

Integrating Active Directory

To integrate Active Directory with Okta:

  1. In Okta, click My Applications.
  2. In the My Applications window, click Edit.
  3. Click Administration to go to the My Applications Dashboard.
  4. Go to People > Directories, and then click Add Directory > Add Active Directory.
  5. In the Set Up Active Directory window, click Set Up Active Directory.
  6. Download the Okta Active Directory agent.
  7. After you download the Okta AD agent, double-click the OktaADAgentSetup.exe file to start the Okta AD Agent Setup wizard.
  8. Select the installation folder and click Next.
  9. Select Create or use the Okta Service account, and click Next.
  10. Provide your Okta user credentials to register the Okta AD Agent.
  11. When Okta confirms the integration, click Done.

Importing Users

To define the import settings and import users:

  1. In Okta, go to People > Directories and click the directory you created.
  2. Click the Settings tab.
  3. Define the import settings and click Save Settings.
  4. Go to People > Directories and click the directory you created.
  5. Go to the Import tab and click Import Now.
  6. Because this is the first time you’re importing users, choose Full Import, and then click Import. On subsequent imports, you can choose Incremental Import.

Testing the Configuration

After you configure Okta and the Zscaler service, you can then test the configuration.

If you are already logged in to the Zscaler service, browse to https://login.zscaler.net/zscaler.portal (or replace zscaler.net with the cloud name you are using), and click Logout.

To learn how you can find your cloud name, see What is my cloud name?

Otherwise, ensure that your traffic is being forwarded to the Zscaler service and then browse to a web site. When prompted for authentication, provide your SAML login credentials to log in. (If any error occurs, see SAML Troubleshooting Guidelines.)
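As an added example, not part of the Zscaler or Okta documentation, the following Python snippet decodes a base64-encoded SAML response (as captured with a browser SAML tracer during the test above) and reports the fields this setup depends on: the issuer, the NameID that should carry the Okta username, whether the assertion carries a signature element, and which group values would pass the Group Filter expression. The sample response, the "memberOf" attribute name, the issuer value and the whole-name regex matching are assumptions for illustration, not Okta's documented behaviour.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not a real Okta response): a minimal SAML 2.0 Response with
# a signed Assertion, a NameID and a group attribute; names are placeholders.
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_ID</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/EXAMPLE_ISSUER_ID</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>zscaler_admins</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""")

def inspect_saml_response(b64_response, group_attr="memberOf", group_filter=r"zscaler.*"):
    """Decode a base64 SAML Response and report the fields this setup relies on.
    Triage only: it checks that a Signature element exists, it does not verify it."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in the Response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    groups = [v.text for v in assertion.findall(
        f"saml:AttributeStatement/saml:Attribute[@Name='{group_attr}']/saml:AttributeValue", NS)]
    # Group Filter semantics assumed here: the regex must match the whole group name.
    pattern = re.compile(group_filter)
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "groups": groups,
        "groups_passing_filter": [g for g in groups if pattern.fullmatch(g)],
    }
```

If the reported NameID is not the Okta username you expect, or the assertion has no signature element, that is the first thing to compare against the Sign-On Options chosen above before consulting the troubleshooting guidelines.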
