Secure Private Access (ZPA)

Configuration Guide for Okta

This guide provides information on how to set up Okta as an IdP for ZPA.

Zscaler and Okta are technology partners. To learn more about integrating Zscaler and Okta, see the Zscaler and Okta Deployment Guide.

Prerequisites

Ensure that you have the following:

  • An Okta account with admin privileges
  • A ZPA account with an administrator role that allows you to add an IdP Configuration

Configuring Okta for SSO

To configure Okta as the IdP for ZPA user and admin SSO:

  1. Log in to the Okta portal as an administrator.
  2. Within the top banner, make sure that Classic UI is selected from the drop-down menu.

You may only see the Classic UI if you are in the Okta developer dashboard.

  3. Go to Applications from the top menu.
  4. Click Add Application.
  5. In the search toolbar, search for Zscaler Private Access 2.0. When the application appears, click Add.
  6. On the General Settings page that appears:
    a. For Application label, make sure that Zscaler Private Access 2.0 is entered.
    b. Click Done.
  7. On the Assignments page that appears:
    a. Select Assign > Assign to People or Assign to Groups.
    b. In the window that appears, click Assign for the user or group you want to select, then click Save and Go Back.
    c. Repeat step b for all users and groups you want to assign to the ZPA application, then click Done.
  8. Go to the Sign On page, click Edit, and complete the following fields. You must use the SAML 2.0 sign-on option for this application:
    a. (Optional) If you want to pass Okta group information as part of the SAML response:
      i. From the GroupName drop-down menu, select your preferred group filter (e.g., Matches Regex).
      ii. Type in the applicable value for the group filter in the text field.

For example, selecting Matches Regex and entering .* sends information for all Okta groups to ZPA within the SAML response.

  1. Click the Identity Provider metadata hyperlink to download the IdP's metadata file. You will need this file later in order to complete the configuration within the ZPA Admin Portal.
  2. For Service Provider URL, enter the URL that is provided for you when you configure a new IdP configuration in ZPA Admin Portal. This URL is specific to your IdP.
  3. For Service Provider Entity ID, enter the ID that is provided for you when you configure a new IdP configuration in ZPA Admin Portal. This ID is specific to your IdP.
  4. Click Save.
  5. Go to the ZPA Admin Portal and complete the IdP configuration setup.
  6. (Optional) If you are configuring Okta for user SSO and want to use SCIM, proceed to the SCIM Configuration Guide for Okta.

After configuring your IdP, be sure to verify the configuration.
