pcx edits

ranbel · ranbel · commit df479a990b5a · 2025-10-10T16:29:17.000-04:00
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx
@@ -12,66 +12,44 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us
 
 ## Prerequisites
 
-1. You must have Zero Trust write or administrator access.
+- A Cloudflare [Zero Trust organization](/cloudflare-one/setup/) with any subscription tier (including Free)
+- A [Zero Trust administrator role](/cloudflare-one/roles-permissions/) with `Access Edit` permissions
 
-2. A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to Create a Cloudflare Zero Trust organization.
+## Supported features
 
-## Supported Features
+- **SP-initiated SSO**: When a user goes to an Access application, Access redirects them to sign in with Okta.
+- **SCIM provisioning**: Synchronize Okta groups and automatically deprovision users. SCIM currently requires a separate [custom OIDC application](#synchronize-users-and-groups).
 
-* SP-initiated SSO (Single Sign-On)
+## Set up Okta as an OIDC provider (Okta App Catalog)
 
-## Set up Okta as an OIDC provider (Okta Application Catalog)
+To set up the Okta integration using the Okta Integration Network (OIN) App Catalog:
 
 1. Log in to your Okta admin dashboard.
-
-2. Navigate to Applications > Applications.
-
-3. Click Browse App Catalog.
-
-4. Search for "Cloudflare One" and select the official Cloudflare application (OIDC).
-
-5. Click Add.
-
-6. Add an application label and Team domain:
+2. Go to **Applications** > **Applications**.
+3. Select **Browse App Catalog**.
+4. Search for `Cloudflare` and select the **Cloudflare One** app.
+5. Select **Add integration**.
+6. In **Application label**, enter a name for the application (for example, `Cloudflare Access`).
+7. In **Team domain**, enter your Zero Trust team domain:
 
    ```txt
    <your-team-name>.cloudflareaccess.com
    ```
-	You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
 
+   You can find your team domain in Zero Trust under **Settings** > **Custom Pages**.
 
-7. In the **Sign On** tab, copy the **Client ID** and **Client secret**.
-
-8. Scroll down to the **OpenID ConnectID Token** and select **Edit**.
+8. In the **Sign On** tab, copy the **Client ID** and **Client secret**.
+9. Scroll down to **OpenID ConnectID Token** and select **Edit**.
 
    ![Configuring the Groups claim filter in Okta](~/assets/images/cloudflare-one/identity/okta/okta-2.png)
 
-9. Set the **Groups claim filter** to _Matches regex_ and its value to `.*`.
-
-10. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
-
-11. Under **Login methods**, select **Add new**. Select **Okta** as your identity provider.
-
-12. Fill in the following information:
-    - **Name**: Name your identity provider.
-    - **App ID**: Enter your Okta client ID.
-    - **Client secret**: Enter your Okta client secret.
-    - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`.
+10. Set the **Groups claim filter** to _Matches regex_ and its value to `.*`.
 
-13. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups.
+<Render file="access/okta-zt-steps" product="cloudflare-one" />
 
-14. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims):
-    1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled.
-    2. In Zero Trust, enter the **Authorization Server ID** obtained from Okta.
-    3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity.
+## Set up Okta as an OIDC provider (Custom App Integration)
 
-15. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
-
-16. Select **Save**.
-
-## Set up Okta as an OIDC provider (Custom OIDC Application)
-
-1. On your Okta admin dashboard, go to **Applications** > **Applications**.
+1. Log in to your Okta admin dashboard and go to **Applications** > **Applications**.
 
 2. Select **Create App Integration**.
 
@@ -93,7 +71,7 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us
 
 7. From the application view, go to the **Sign On** tab.
 
-8. Scroll down to the **OpenID ConnectID Token** and select **Edit**.
+8. Scroll down to **OpenID ConnectID Token** and select **Edit**.
 
    ![Configuring the Groups claim filter in Okta](~/assets/images/cloudflare-one/identity/okta/okta-2.png)
 
@@ -107,37 +85,7 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us
 
     ![Finding your Client credentials in Okta](~/assets/images/cloudflare-one/identity/okta/okta-3.png)
 
-11. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
-
-12. Under **Login methods**, select **Add new**. Select **Okta** as your identity provider.
-
-13. Fill in the following information:
-    - **Name**: Name your identity provider.
-    - **App ID**: Enter your Okta client ID.
-    - **Client secret**: Enter your Okta client secret.
-    - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`.
-
-14. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups.
-
-15. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims):
-    1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled.
-    2. In Zero Trust, enter the **Authorization Server ID** obtained from Okta.
-    3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity.
-
-16. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
-
-17. Select **Save**.
-
-To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**.
-
-:::note
-
-If you see the error `Failed to fetch user/group information from the identity`, double-check your Okta configuration:
-
-- If you have more than 100 Okta groups, ensure you include the API token.
-- The request may be blocked by the [ThreatInsights feature](https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/ti-index.htm) within Okta.
-
-:::
+<Render file="access/okta-zt-steps" product="cloudflare-one" />
 
 ## Synchronize users and groups
 
@@ -218,3 +166,12 @@ To verify the integration, select **View Logs** in the Okta SCIM application.
 	"name": "my example idp"
 }
 ```
+
+## Troubleshooting
+
+### Failed to fetch user/group information from the identity
+
+If you see the error `Failed to fetch user/group information from the identity`, double-check your Okta configuration:
+
+- If you have more than 100 Okta groups, ensure you include the API token.
+- The request may be blocked by the [ThreatInsights feature](https://help.okta.com/en/prod/Content/Topics/Security/threat-insight/ti-index.htm) within Okta.
diff --git a/src/content/partials/cloudflare-one/access/okta-zt-steps.mdx b/src/content/partials/cloudflare-one/access/okta-zt-steps.mdx
@@ -0,0 +1,28 @@
+---
+{}
+---
+
+import {} from "~/components"
+
+11. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
+
+12. Under **Login methods**, select **Add new**. Select **Okta** as your identity provider.
+
+13. Fill in the following information:
+    - **Name**: Name your identity provider.
+    - **App ID**: Enter your Okta client ID.
+    - **Client secret**: Enter your Okta client secret.
+    - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`.
+
+14. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups.
+
+15. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims):
+    1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled.
+    2. In Zero Trust, enter the **Authorization Server ID** obtained from Okta.
+    3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity.
+
+16. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts.
+
+17. Select **Save**.
+
+To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) that your connection is working, select **Test**.
