Cisco Secure Connect - IdP Okta SCIM Configuration

Prerequisites

• A valid Okta subscription.

• No concurrent provisioning from on-premise Active Directory and Okta .

• If you are using the on-premise Umbrella AD Connector to import user and group identities to Umbrella, and now wish to import the same identities from Okta, ensure that the on-premise Umbrella AD connector is switched off or that the OpenDNS Connector service on the connector machine is stopped.

Note: Concurrent synchronization of the same user and group identities from the Umbrella AD Connector and the Cisco Umbrella Okta application is not supported and will lead to inconsistent policy enforcement. 

Limitations

• A maximum of 200 groups can be provisioned from Okta to Cisco Umbrella. Any groups beyond this number that are in scope can not be provisioned. There is no restriction on the number of users that can be provisioned from Okta to Umbrella.

• To ensure that all users are provisioned, ensure that the ‘Everyone’ group is assigned to the Cisco Umbrella app.  You can push other additional groups as required for group-based Umbrella policy enforcement. 

• Okta does not support nested groups.

• If you have previously imported groups from on-premise Active Directory and are pushing the same groups from Okta, the groups from Okta will not overwrite the groups imported from on-premise Active Directory. You will need to re-assign any group-based Umbrella policies to the groups imported from Okta.

• Depending on the number of users and groups being provisioned, it can take several hours for these identities to be available on the Umbrella dashboard.

• After the initial provisioning of users and groups, it can take up to one hour for subsequent changes to users and groups to reflect on the Umbrella dashboard.

Supported Features

The following Okta provisioning features are supported:

• Create Users—New users created in Okta will also be created in Umbrella.
• Update User Attributes—Updates to a user's profile through Okta will be pushed to Umbrella.
• Deactivate Users—Deactivating a user through Okta deactivates the user in Umbrella.
• Group Push—Groups in Okta can be pushed to Umbrella.

Configure the Cisco User Management APP

1. On the Umbrella dashboard, navigate to  Deployments > Core Identities > Users and Groups.

2. Expand the Okta card and click API Keys.

3. Select Static Keys and expand Okta Provisioning. Click  Generate Token. 

The generated token will be displayed only once. Copy and save the token. These values will need to be entered in the Provisioning tab of the Cisco User Management for Secure Access application in the Okta portal.

4. Login to Okta, go to Applications -> Applications -> Catalog, click Add Integration to add the Cisco User Management for Secure Access app.

5. On the Provisioning -> Integration of this app, select Enable API integration and enter the API token. Test the API credentials and save it.

6. In the Provisioning -> To App section, enable the Create Users, Update User Attributes, and Deactivate Users options. Without these options checked, identities will not be provisioned.

7. Verify that the following attributes are chosen for synchronization to Umbrella; other attributes are not required:

• Username 
• Given name 
• Family name 
• Display name
• Primary email

Note: Umbrella does not list the Given name and Family name attributes for users. Umbrella only lists the Display name and Username attributes.

b. Navigate to the Profile Editor and create a new User Profile Mapping (Okta User to Cisco Umbrella User Management user) for user.objectGUID > nativeObjectId and save the mapping. Select the option to Apply the mappings to all users with this profile.

9. Once provisioning is configured, you will need to assign users (people) to this app. You can do this using the Assignments tab on the app.   You can assign individual users or specific groups to the app. To assign all users, you can assign the Everyone group to the app. 

Note: Assigning groups to the app will not provision these groups to Umbrella. Only users that are members of the assigned groups will be provisioned.  Do not manually enter any value for the nativeObjectId field when assigning any groups and users. To avoid provisioning errors, leave this field as-is.

Once users and groups are assigned, these users will automatically start getting provisioned to Umbrella. Wait for all users to show up on the Umbrella dashboard before starting to push groups. This can take time depending on the number of users provisioned.  

10. Once you have confirmed that all users have been provisioned to Umbrella, you can provision groups and group membership to Umbrella using the Push Groups tab of the Cisco Umbrella app on the Okta portal. Pushing a group does not sync any users and only provisions the group to Umbrella.

Note: Okta does not recommend pushing groups that are assigned to the application. So if you have assigned the ‘Everyone’ group to the application, you should not push the same group.

Cisco Umbrella supports provisioning of maximum 200 groups. It is recommended to push only those groups that you wish to configure Umbrella policy on.

11. You can view the provisioning logs from the Cisco Umbrella app to analyze the progress of provisioning. 

12. You can view the users and groups provisioned from Okta on the Users and Groups page.

Note: Cisco Umbrella recommends refreshing the SCIM token at least once every 180 days for security reasons. You can refresh the token on the API Keys page of the Umbrella dashboard. Ensure that you immediately copy the new token to the Cisco Umbrella app on Okta so that provisioning is not impacted. Refreshing the SCIM token is the full responsibility of the user; Umbrella does not perform this action.

For more information about provision identities from Okta, please refer to this link.