If your organization uses Okta as a unified identity authentication platform, SASE can integrate with it over the OpenID Connect (OIDC) protocol. Employees can then use their existing Okta credentials for single sign-on (SSO) to access internal applications protected by SASE—without a separate set of credentials managed in SASE.
Prerequisites
Before you begin, ensure that you have:
An Okta account with administrator access
The Okta application's Client ID and Client Secret
The Okta Issuer URL (OIDC discovery endpoint)
A SASE account with permission to manage identity sources
Limitations
Up to five identity sources can be enabled at the same time, but only one can be a custom identity source. If you have reached this limit, disable an existing identity source before enabling a new one.
Add an Okta identity source
Log on to the SASE console.
In the navigation pane on the left, choose Identity Authentication > Identity Access.
On the Identity synchronization tab, click Create IdP.
In the Create IdP panel, select Extended Identity Source, click Configure, and follow the configuration wizard.
On the Basic Configurations page, configure the settings described in the following sections.
IdP name and status
| Field | Description |
|---|---|
| IdP Name | Enter a name for the identity source. |
| IdP Status | Select Enabled to activate the identity source immediately after creation, or Closed to create it in a disabled state. Important: Disabling an identity source prevents employees from using the SASE app to access internal applications. |
Attach identity — Create identity source
In Attach Identity, select Okta and complete the Create Identity Source and Field Mapping configurations.
Under Create Identity Source, configure the following settings:
| Field | Required | Description |
|---|---|---|
| Organization Name | Yes | Enter a name for the organization. All users synced from Okta are stored under this organization. |
| Logon Icon | No | Upload an icon to display on the login page. The file must be in PNG or JPG format, no larger than 1 MB. A square icon of 256×256 pixels is recommended. |
| Login Name | Yes | Enter the name shown on the login page. The first entry or any modification triggers an automatic review. The default or current name remains visible during review and updates automatically once approved. |
| Authentication Mode | Yes | Select client_secret_post. This mode attaches the client secret in the POST request body when calling the authorization endpoint. |
| Client ID | Yes | Enter the client identifier from your Okta application. |
| Client Secret | Yes | Enter the client secret from your Okta application. After you save, the secret is hidden and can only be reset. |
| Scopes | Yes | Enter the scopes to request from the authorization endpoint. Scopes define the permissions requested. |
| Issuer | Yes | Enter the OIDC Issuer discovery endpoint URL from Okta. Click Resolution to automatically retrieve the Authorization Endpoint, Token Endpoint, Public Key Endpoint, and UserInfo Endpoint. |
| Authorization Redirect URI | Yes | Copy this URI and add it to your Okta application's allowed redirect URIs. |
The four endpoints retrieved by Resolution are used as follows:
| Endpoint | Purpose |
|---|---|
| Authorization Endpoint | Obtain an authorization code |
| Token Endpoint | Exchange an authorization code for a token |
| Public Key Endpoint | JWKS endpoint used to verify the ID token |
| UserInfo Endpoint | Retrieve basic user information |
Attach identity — Field mapping
Under Field Mapping, configure the account identifier:
Account Name: Because Okta uses email as the unique user identifier, set Source Value to Email and Mapping Rule to Select a field.
All other Field Name entries are optional. Configure them as needed.
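The relying-party side of the flow that the Create Identity Source table, the endpoint table and the Account Name mapping above describe, as an added example that is not SASE's or Okta's code: it resolves the four endpoints from a constructed discovery document, builds the authorization request, builds the client_secret_post token request, and runs the ID token claim checks that the email-based Account Name mapping depends on. The issuer host, Client ID, redirect URI and secret are placeholders; signature verification against the JWKS is assumed to happen before the claim checks and is not shown.

```python
import json
import time
from urllib.parse import urlencode

# Constructed sample of <Issuer>/.well-known/openid-configuration; placeholder host, not a real org.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com",
    "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
    "userinfo_endpoint": "https://example.okta.com/oauth2/v1/userinfo",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

def resolve_endpoints(discovery_json):
    """The console's Resolution step: pull the four endpoints out of the discovery document."""
    d = json.loads(discovery_json)
    if "client_secret_post" not in d.get("token_endpoint_auth_methods_supported", []):
        raise ValueError("issuer does not advertise client_secret_post")
    keys = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")
    return {k: d[k] for k in keys}

def build_authorization_url(ep, client_id, redirect_uri, scopes, state, nonce):
    """Step 1: redirect the browser to the Authorization Endpoint to obtain a code.
    state ties the callback to this session; nonce is echoed back inside the ID token."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state, "nonce": nonce}
    return ep["authorization_endpoint"] + "?" + urlencode(params)

def build_token_request(ep, client_id, client_secret, code, redirect_uri):
    """Step 2: exchange the code at the Token Endpoint. With client_secret_post the
    secret is a form-body field, never a query parameter and never part of a redirect."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}
    return ep["token_endpoint"], urlencode(body)

def validate_id_token_claims(claims, ep, client_id, expected_nonce, now=None):
    """Step 3: claim checks on the ID token payload, run only after its signature has been
    verified with the key set from the Public Key Endpoint (jwks_uri; not shown here)."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    checks = [
        (claims.get("iss") == ep["issuer"], "issuer mismatch"),
        (client_id in (aud if isinstance(aud, list) else [aud]), "audience mismatch"),
        (claims.get("nonce") == expected_nonce, "nonce mismatch"),
        (int(claims.get("exp", 0)) > now, "token expired"),
        (bool(claims.get("email")), "no email claim; request the email scope"),  # Account Name source
    ]
    failed = [reason for ok, reason in checks if not ok]
    return (False, failed[0]) if failed else (True, claims["email"])
```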
SAML metadata
After completing the Attach Identity configuration, the system automatically generates a SAML Metadata File for download.
| Field | Description |
|---|---|
| Download SAML Metadata File | Download the generated SAML metadata file and import it into the SAML Metadata File field below. |
| SAML Metadata File | Upload the SAML metadata file you downloaded. |
Synchronization settings
| Field | Description |
|---|---|
| Automatic Synchronization | When enabled, SASE automatically syncs organizational data from Okta. When disabled, you must trigger syncs manually. |
| Synchronize User Information | When enabled, SASE automatically syncs employee information based on the Automatic Synchronization Cycle. This setting only takes effect when Automatic Synchronization is enabled. |
| Automatic Synchronization Cycle | Set how often SASE syncs with Okta. The range is once every hour to once every 24 hours. |
View synchronization records
On the Identity synchronization tab, find the identity source and click Synchronize Records in the Actions column.
On the Synchronize Records page, view the synchronization history for the identity source.
In the Synchronization Task area on the left, click a task to view its details in the list on the right.

Click Details in the Actions column to view the synchronized field data from the Third-party Data Source and the SASE Data Source.
Sync manually
If Automatic Synchronization is disabled or the directory structure has changed, trigger a sync manually: click Create Synchronization Task, then click OK. After the task completes, the results appear in the synchronization records.
After a successful sync, view the synced organizational structure and employee information on the Identity Authentication > Identity Access > Employee Center tab. For details, see Employee Center.
More operations
| Operation | Steps |
|---|---|
| Disable automatic synchronization | On the Identity synchronization page, turn off the switch in the Automatic Synchronization column. Alternatively, open the Edit IdP panel and turn off the switch there. |
| Edit the Okta identity source | On the Identity synchronization page, find the Okta identity source and click Edit in the Actions column. |
| Add an Okta application | On the Identity synchronization page, find the Okta identity source, click Edit in the Actions column, and then click Attach Identity. |
| Edit or delete an Okta application | On the Identity synchronization page, find the Okta identity source, click Edit in the Actions column, locate the target application, and then edit or delete it. |
| Disable the Okta identity source | On the Identity synchronization page, find the Okta identity source and turn off the switch in the IdP Status column. |
| Delete the Okta identity source | On the Identity synchronization page, find the Okta identity source and click Delete in the Actions column. |
What's next
Use a custom identity source
If your organization does not use an external identity source, build an organization structure using the custom identity source built into SASE. For details, see Configure an SASE identity source.
Integrate other third-party identity sources
If your organization uses a different identity source—such as LDAP, DingTalk, WeCom, Lark, or IDaaS—to manage its organizational structure, integrate it with SASE:
Manage user groups
To create user groups outside your organization structure, see User group management.