Configure Okta for the Next Generation API Data Protection

To configure Okta for the Next Generation API Data Protection, follow the instructions below.

Prerequisite

Before configuring Okta for the Next Generation API Data Protection, review the prerequisites.

  • The API Access Management Admin role is required to create an application in Okta and grant access to Netskope.
  • The Super Admin role is required to grant Okta API scopes.

Create an Application in Okta

Okta authenticates users through an authorization URL that is specific to your Okta org, not through a centralized authorization endpoint. You therefore create an application in your own Okta org and provide its client ID, client secret, and Okta domain to Netskope. With these values, Netskope connects to your application and retrieves audit log entries through the Okta API.

To create an application in Okta, follow the instructions below:

  1. Log in to your Okta admin console at https://{your-domain}.okta.com with an API Access Management Admin role.
  2. On the left navigation, navigate to Applications > Applications and click Create App Integration.
    Figure 26. Okta Create App Integration

  3. For the Sign-in method, select OIDC – OpenID Connect and for Application type, select Web Application.
    Figure 27. Okta Create a New App Integration

  4. Click Next.
  5. In App integration name, enter the name of the web app.
    Figure 28. Okta New Web App Integration

  6. Under Grant type, select the Refresh Token checkbox.
  7. In Sign-in redirect URIs, enter https://nso.goskope.com/common/oauthorize.
  8. Under Assignments, select the Allow everyone in your organization to access option.
  9. Click Save.

    You will be redirected to a page displaying information related to the new application.

  10. Note down the Client ID, Client secret, and Okta domain values.
    Figure 29. Okta Client Credentials and Domain

    These values will be required when you configure the Okta instance in the Netskope UI.

  11. Log off from your Okta admin console.

Grant Okta API Scope

Once you have created the application in Okta, you should grant the required Okta API scopes to the application. To do so, follow the steps below:

Important

Only the Super Admin role has permissions to grant scopes to an app.

  1. Log in to your Okta admin console at https://{your-domain}.okta.com with a Super Admin role.
  2. On the left navigation, navigate to Applications > Applications.
  3. Under Browse App Catalog, identify the new application you created and click on it.
    Figure 30. Okta Browse App Catalog

  4. Under the General tab, scroll down to the General Settings section. Click Edit and then select the Use persistent token option for Refresh token behavior and click Save.
    Figure 31. Okta Refresh Token Behavior

  5. Under the Okta API Scopes tab, grant the okta.logs.read and okta.users.read scopes. These are the only scopes Netskope needs for log collection; do not grant additional scopes.
    Figure 32. Okta API Scopes

  6. (Optional) If your Okta configuration uses any third-party Identity Provider (IdP) other than Okta (for example, Google or Microsoft), navigate to Security > Identity Providers, click an existing IdP entry and note down the IdP ID, or create a dedicated IdP for granting access to Netskope.
    Figure 33. Okta Identity Providers

    For additional IdP information: Add an external Identity Provider

Configure Okta Instance in Netskope UI

To authorize Netskope to access your Okta instance, follow the steps below:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.

  2. Under Apps, select Okta and click Setup CASB API Instance.

    The Setup Instance window opens.

  3. Enter the following information, as noted in step 10 of Create an Application in Okta and step 6 of Grant Okta API Scope:

    1. Domain: Enter the Okta domain name without the web protocol. Example: {your-domain}.okta.com

    2. Client ID: Enter the client ID.

    3. Client Secret: Enter the client secret.

    4. (Optional) External Identity Provider ID: Enter the IdP ID from step 6 (from Grant Okta API Scope). If this field is left empty, Netskope uses the default Okta IdP.

  4. Under Instance Name, enter a name for the SaaS app instance. This field is optional; if left blank, Netskope determines the name of the app instance after the grant.

  5. Click Grant Access.

    You will be redirected either to the Okta login page or to the third-party SSO login page, depending on the value you entered in step 3.4 above.

  6. Enter the Okta or third-party SSO login credentials.

    For the Okta login page, log in using the API Access Management Admin role.

  7. After logging in, you will be redirected to the successful result page. Click Close.

Refresh your browser, and you should see a green check icon next to the instance name.
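The following is an added pre-flight check, not part of the Netskope or Okta documentation. It verifies the values from the procedures above against the page's requirements (exact redirect URI, only the two read scopes, Refresh Token grant enabled, Domain entered without a protocol) and builds the authorization URL Netskope's Grant Access step would use. The /oauth2/v1/authorize path, the idp query parameter and the offline_access scope are assumptions about Okta's org authorization server; all client values are constructed placeholders.

```python
import re
from urllib.parse import urlencode

# Requirements stated in the procedure above.
REQUIRED_SCOPES = {"okta.logs.read", "okta.users.read"}
REDIRECT_URI = "https://nso.goskope.com/common/oauthorize"


def normalize_domain(domain: str) -> str:
    """Strip a scheme or trailing slash: the Netskope Domain field wants a bare host."""
    host = re.sub(r"^https?://", "", domain.strip()).rstrip("/")
    if not host or "/" in host:
        raise ValueError(f"not a bare host name: {domain!r}")
    return host


def check_app_config(granted_scopes, redirect_uris, refresh_token_enabled):
    """Return a list of findings; an empty list means the Okta app matches the page."""
    granted = set(granted_scopes)
    findings = []
    missing = REQUIRED_SCOPES - granted
    if missing:
        findings.append(f"missing scopes: {sorted(missing)}")
    extra = granted - REQUIRED_SCOPES
    if extra:  # least privilege: log collection needs nothing beyond the two read scopes
        findings.append(f"unneeded scopes granted: {sorted(extra)}")
    if REDIRECT_URI not in redirect_uris:
        findings.append("sign-in redirect URI does not include the Netskope callback")
    if not refresh_token_enabled:
        findings.append("Refresh Token grant type not enabled")
    return findings


def build_authorize_url(domain, client_id, idp_id=None, state="constructed-state"):
    """Authorization URL on the org-specific server (assumed endpoint path and idp parameter)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        # offline_access is assumed to be what makes Okta issue the refresh token.
        "scope": "openid offline_access " + " ".join(sorted(REQUIRED_SCOPES)),
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if idp_id:  # routes the login to the external IdP noted in step 6 of Grant Okta API Scope
        params["idp"] = idp_id
    return f"https://{normalize_domain(domain)}/oauth2/v1/authorize?" + urlencode(params)
```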

In the current release, you can receive audit events and standard user behavior analytics alerts in Skope IT. For more information, see Next Generation API Data Protection Skope IT Events.
