Configure Okta Instance for SaaS Security Posture Management

Configure Okta Instance for SaaS Security Posture Management

Prerequisites

The following two Okta roles are required:

• The API Access Management Admin role to create an application in Okta and grant Netskope access to it.
• The Super Admin role to grant Okta API scopes.

To configure Okta Instance for SaaS Security Posture Management, you have to:

1. Create an Application in Okta
2. Grant Okta API Skope Access to Okta Application
3. Configure Okta Instance in Netskope UI

Create an Application in Okta

You need to create an application and provide the client ID, client secret, and Okta domain values in the Netskope UI to ensure that SSPM will connect to your Okta application and retrieve resources through the API.

To create an application in Okta, follow the instructions below:

1. Log in to your Okta admin console at https://{your–domain}.okta.com with an API Access Management Admin role.

2. On the left navigation, navigate to Applications > Applications and click Create App Integration.’

   

3. Choose OIDC – OpenID Connectas your Sign-in method and Web Application as Application type in the Create a New App Integration window.

   

4. Click Next.

5. The New Web App Integration window appears

   • Enter the name of the web application in the App integration name field.
   • Select the Grant type as Refresh Token.
   • Enter https://nso.goskope.com/common/oauthorize as the Sign-in redirect URIs.
   • Select the Assignments Control Access as Allow everyone in your organization to access.
   • Click Save.
     You will be redirected to the new application summary page.

6. Note the Client ID, Client secret, and Okta domain values to provide in the Netskope UI.

   

7. Log off from your Okta admin console.

Grant Okta API Skope Access to Okta Application

Once the application is created in Okta, you need to grant the required Okta API scopes to the application. Follow the steps below:

1. Log in to your Okta admin console at https://{your–domain}.okta.com with a Super Admin role.

2. On the left navigation, navigate to Applications > Applications.

3. In the Browse App Catalog tab, identify the new application you created and click on it.

   

4. In the General tab, select the General Settings section. Click Edit 

   

5. In the Okta API Scopes tab, grant the following scopes:

   Scope	Usage	Tradeoff if scope not provided
   okta.appGrants.read	Read grants in your Okta organization.	SSPM cannot list all scope consent grants for the application in Okta organization.
   okta.apps.read	Read information about apps in your Okta organization.	SSPM cannot list the apps added to your organization.
   okta.apiTokens.read	Read information about API tokens in your Okta organization.	SSPM cannot list all refresh tokens for the application in Okta organization.
   okta.factors.read	Read org factors information.	SSPM cannot list enrolled factors.
   okta.groups.read	Read information about groups and their members in your Okta organization.	SSPM cannot list the groups of the Okta organization.
   okta.idps.read	Read information about Identity Providers in your Okta organization.	SSPM cannot list the identity providers of the Okta organization.
   okta.logs.read	Read information about System Log entries in your Okta organization	SSPM cannot detect the continuous changes made to resources in the Okta organization.
   okta.roles.read	Read administrative role assignments for users in your Okta organization.	SSPM cannot list the administrative role assignments and customer roles.
   okta.users.read	Read the existing users’ profiles and credentials	SSPM cannot list the users of the Okta organization.
   okta.userTypes.read	Read user types in your Okta organization.	SSPM cannot populate the type attribute of the User resource type.

6. Optionally: If your Okta configuration has any third-party Identity Providers (IdP) other than Okta, for example, Google, Microsoft, etc., navigate to Security > Identity Providers, click an existing IdP entry and note down the IdP ID, or create a specific IdP for granting access to Netskope.

   

Configure Okta Instance in Netskope UI

To authorize Netskope to access your Okta instance, follow the steps below:

1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > Security Posture.

2. In the Applications list, select Okta and click the Setup Security Posture Instance button.

3. The Setup Instance window opens.

   • Domain: Enter the Okta domain name without the web protocol. Example: {your–domain}.okta.com
   • Client ID: Enter the client ID.
   • Client secret: Enter the client secret.
   • (Optional) External Identity Provider ID: Enter the IdP ID. If the field is left empty, Netskope uses the default Okta IdP.
   • Okta Administrator email: The security posture management emails will be sent on the mentioned email id.
   • Security Scan Interval: Frequency of security posture scans

4. Click Grant Access.
   You will be redirected either to the Okta or 3rd party SSO login page.

5. Enter the Okta or 3rd party SSO login credentials.

   For Okta login page, log in using the API Access Management Admin role.

6. After logging in, you will be redirected to the successful result page. Click Close.

7. Refresh your browser, and you should see a green check icon next to the instance name.

   Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.

   References

   • Identity providers
   • Why your company needs an identity provider ?
   • API access management
   • Administrators super admin
   • Okta resources supported by Netskope