
Integrate Okta as an Identity Provider

To integrate Okta with Juniper Mist, create an Okta app integration and then add it as an Identity Provider in your Juniper Mist organization.

Preparations in Okta

Before you can integrate Okta with Juniper Mist, you need to create an app integration in Okta for the Juniper Mist Access Assurance connector. Use the following tips to configure your app integration with the appropriate settings.

Note:

As an Okta developer, refer to Okta resources if you need step-by-step help. For example, consider using this Okta help topic: https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm. (This Okta link is provided as a suggestion only. Search and browse through your Okta documentation as needed.)

Tips for Your Okta App Integration

  • When naming your app integration, consider using a descriptive name that you can also use to identify this app in your Juniper Mist configuration.

  • You can set up your app integration to use either OIDC Native Application or API Services, as detailed below.

  • OIDC Native Application—With this approach, your integration uses OAuth 2.0 authentication for Single Sign-On. If you're using this approach, create an app integration with these settings:

    • Sign-In Method—OIDC - OpenID Connect

    • Application Type—Native Application

    • Grant Type—Resource Owner Password

    • Controlled Access—Allow everyone in your organization to access

    • General Settings:

      • Client Authentication—Client Secret

      • Proof Key for Code Exchange—Require PKCE as Additional Verification

    • Okta API Scopes:

      • okta.roles.read—Granted

      • okta.users.read—Granted

      • okta.users.read.self—Granted

  • API Services—With this approach, your integration uses scoped OAuth 2.0 access tokens for machine-to-machine authentication. If you're using this approach, create an app integration with these settings:

    • Sign-In Method—API Services

    • General Settings:

      • Client Authentication—Public key / Private key

      • Configuration—Save Keys in Okta

      • Proof of Possession—Require Demonstrating Proof of Possession (DPoP) header in token requests

      • Grant Type—Client Credentials

    • Public Key—Add a key. Copy the key in PEM format for later reference.

    • Okta API Scopes:

      • okta.roles.read—Granted

      • okta.users.read—Granted

      • okta.users.read.self—Granted

    • Admin Roles—Read-only administrator

  • After saving your app integration, you'll need information for the Juniper Mist setup.

    • If you created an OIDC Native Application, copy the Client ID and Client Secret.

    • If you created an API Services integration, copy the Client ID and Public Key (PEM format).

  • You'll also need your Okta tenant ID. When you're signed in to the Okta dashboard, you should be able to see your tenant ID as part of your account credentials, such as: {username@domain}-okta-dev-{tenantID#}.okta.com. If you need help finding this ID, consult your Okta documentation or your Okta support team.
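For the API Services option, Juniper Mist authenticates to Okta with the Client Credentials grant and a private_key_jwt client assertion (RFC 7523) signed with the key you just saved. The following helpers, added here as an example and not code from Juniper or Okta, build that assertion with openssl so you can confirm that the PEM you copied is the private key and that it signs correctly before you paste it into Mist. The client ID, Okta domain and key path are placeholders; the DPoP proof that the integration also requires is not built here.

```shell
#!/bin/sh
# Added example, not Juniper's or Okta's code. Placeholders: client ID, Okta domain, key path.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

b64url_decode() {
  s=$(tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done   # restore base64 padding
  printf '%s' "$s" | openssl base64 -d -A
}

# Succeeds only for a private key; the public key Okta shows beside it will not do for Mist.
check_private_key() { openssl pkey -in "$1" -noout >/dev/null 2>&1; }

# build_client_assertion <key.pem> <client_id> <okta_domain>
# iss and sub are the client ID; aud is the Okta org token endpoint, which is the
# authorization server that issues the okta.* API scopes granted above.
build_client_assertion() {
  key=$1; client_id=$2; domain=$3; now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"%s","sub":"%s","aud":"https://%s/oauth2/v1/token","iat":%s,"exp":%s,"jti":"%s"}' \
    "$client_id" "$client_id" "$domain" "$now" "$((now + 300))" "$(openssl rand -hex 16)" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_client_assertion <jwt> <key.pem>: re-check the RS256 signature with the public half.
verify_client_assertion() {
  jwt=$1; pub=$(mktemp); sigfile=$(mktemp)
  openssl pkey -in "$2" -pubout -out "$pub" 2>/dev/null
  printf '%s' "${jwt##*.}" | b64url_decode > "$sigfile"
  if printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$pub" -signature "$sigfile" >/dev/null 2>&1
  then rc=0; else rc=1; fi
  rm -f "$pub" "$sigfile"; return $rc
}

# The token request Mist then makes with the assertion (shown for reference, not run here):
#   curl -X POST https://<okta_domain>/oauth2/v1/token -d grant_type=client_credentials \
#     -d scope=okta.users.read \
#     -d client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
#     -d client_assertion=<JWT>
# Because the integration requires DPoP, Okta also expects a DPoP proof header and first
# answers with a use_dpop_nonce challenge; building that proof is outside this script.
```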

Add Your Okta App Integration as an Identity Provider in Juniper Mist

Before You Begin

You must have a Juniper Mist admin account with the Super User role.

You'll need the following information from Okta:

  • Okta tenant ID

  • Client ID and Client Secret for your OIDC Native Application app integration

    OR

    Client ID and Private Key (PEM format) for your API Services app integration

To add your Okta app integration as an Identity Provider in Juniper Mist:

  1. From the left menu of the Juniper Mist portal, select Organization > Access > Identity Providers.
    The Identity Providers page displays any configured identity providers.
  2. Click Add IDP, near the top-right corner of the page.
  3. On the New Identity Provider page, enter the following settings.
    Table 1: Settings for Okta IdP in Juniper Mist

    Name
      Enter a descriptive name to identify this IdP. You might find it helpful to incorporate the word Okta and the name that you used for the app integration in Okta. Example: Okta-MyMistAppIntegration

    IDP Type
      Select OAuth.

    OAuth Type
      Select Okta.

    OAuth Tenant ID
      Enter your Okta tenant ID.

    Domain Names
      Enter the domain name of your Okta users. Example: abc.com

    Default IDP
      Select this option to use this IdP when a user's domain name is not specified.

    API Services: OAuth Client Credential (CC) Client Id and OAuth Client Credential (CC) Client Private Key
      If your Okta app integration uses the API Services sign-in method, enter the Client ID and the Private Key (PEM format) that you copied from your Okta app integration.

    OIDC Native Application: OAuth Resource Owner Password Credential (ROPC) Client Id and OAuth Resource Owner Password Credential (ROPC) Client Secret
      If your Okta app integration uses the OIDC - OpenID Connect sign-in method, enter the Client ID and the Client Secret that you copied from your Okta app integration.
  4. Click Create at the top-right corner of the page.
After setting up a new integration, you should make some test connections and verify that everything is working as expected. See Verify a New Integration.