Configure Okta for the Next Generation API Data Protection
To configure Okta for the Next Generation API Data Protection, follow the instructions below.
Prerequisite
Before configuring Okta for the Next Generation API Data Protection, review the prerequisite.
- The Read Only Admin role or above is required.
Netskope recommends creating a dedicated service account for this integration. You cannot delete this service account while the integration is in use.
Create an API token in Okta
The following procedure creates an API token for Netskope to integrate with Okta.
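- Log in to your Okta admin console at https://{your-domain}.okta.com with a Read Only Admin role or above.
- There are two ways to set up the API token: API calls made with this token must originate either from “Any IP” or from a custom “IP Zone”. A token restricted to an IP zone is rejected when it is presented from any other address, which limits the damage if the token value leaks.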
Steps for “Any IP”
- On the left navigation bar, navigate to Security > API and click the Tokens tab.
- Under the Tokens tab, click Create token.
- Enter a name for this token.
- Under the API calls made with this token must originate from drop-down, select Any IP and click Create Token.
- Copy the token value. This will be required when you set up the Okta instance in the Netskope tenant.
Please note this token, as this will be your only opportunity to view it. Afterward, it will be securely stored as a hash for your protection.
Steps for custom “IP Zone”
- On the left navigation bar, navigate to Security > Networks.
- Click the Add zone drop-down and select IP Zone.
- Under the Add IP Zone pop-up, enter the following details:
  - Enter the name of the IP zone.
  - Under Gateway IPs, enter the management plane IP address of your tenant. Refer to this support article for the management plane IP addresses. The article requires a login credential.
    If you are not sure of the management plane location/IP address of your tenant, get in touch with your Netskope sales representative or support.
  - Keep the rest of the fields unchanged and click Save.
- Navigate to Security > API and click the Tokens tab.
- Under the Tokens tab, click Create token.
- Enter a name for this token.
- Under the API calls made with this token must originate from drop-down, select In any of the following zones, select the custom IP zone you created earlier, and click Create Token.
- Copy the token value. This will be required when you set up the Okta instance in the Netskope tenant.
Please note this token, as this will be your only opportunity to view it. Afterward, it will be securely stored as a hash for your protection.
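A pre-flight check for the Gateway IPs step above, added here as an example (it is not Netskope or Okta code): it parses the planned entries, confirms that every management plane address is admitted, and flags entries so broad that the zone approaches “Any IP”. The addresses are constructed placeholders from documentation ranges; the function names, the 256-address threshold, and the accepted entry forms (single address, CIDR block, hyphenated range) are assumptions.

```python
import ipaddress

# Constructed sample input (documentation address ranges, not real Netskope IPs).
SAMPLE_GATEWAYS = ["203.0.113.10", "198.51.100.16-198.51.100.19",
                   "192.0.2.0/16", "not-an-ip"]
SAMPLE_REQUIRED = ["203.0.113.10", "198.51.100.18", "203.0.113.77"]


def parse_gateway(entry):
    """Return the networks covered by one planned Gateway IPs entry.

    Assumed entry forms: single address, CIDR block, or "first-last" range.
    Raises ValueError or TypeError for anything else.
    """
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False accepts host bits, e.g. 192.0.2.0/16 becomes 192.0.0.0/16.
    return [ipaddress.ip_network(entry, strict=False)]


def review_zone(gateway_entries, required_ips, max_addresses=256):
    """Check a planned zone against the addresses it has to admit.

    invalid   - entries that do not parse and would need correcting
    uncovered - required addresses that no entry admits (integration would fail)
    too_broad - networks larger than max_addresses (assumed threshold); a zone
                containing 0.0.0.0/0 restricts nothing more than "Any IP"
    """
    networks, invalid = [], []
    for entry in gateway_entries:
        try:
            networks.extend(parse_gateway(entry))
        except (ValueError, TypeError):
            invalid.append(entry)
    uncovered = [ip for ip in required_ips
                 if not any(ipaddress.ip_address(ip) in net for net in networks)]
    too_broad = [str(net) for net in networks if net.num_addresses > max_addresses]
    return {"invalid": invalid, "uncovered": uncovered, "too_broad": too_broad}


if __name__ == "__main__":
    for finding, values in review_zone(SAMPLE_GATEWAYS, SAMPLE_REQUIRED).items():
        print(f"{finding}: {values}")
```

Run it with the list you intend to paste into Gateway IPs and the management plane addresses for your tenant; all three findings should be empty before you save the zone.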
Configure Okta Instance in Netskope UI
To authorize Netskope to access your Okta instance, follow the steps below:
- Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.
- Under Apps, select Okta and click Setup CASB API Instance.
  The Setup Instance window opens.
- Enter the following details:
  - Domain: Enter the Okta domain name without the web protocol. Example: {your-domain}.okta.com
  - API Token: Enter the token value you copied from the earlier procedure.
- Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after access is granted.
- Click Grant Access.
  You should see a success notification on the page.
Refresh your browser, and you should see a green check icon next to the instance name.
In the current release, you can receive audit events and standard user behavior analytic alerts in Skope IT. To learn more, see Next Generation API Data Protection Skope IT Events.