diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 5bc8dd4d9021697..22bc0e9e5e33076 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx 
@@ -10,7 +10,66 @@ Okta provides cloud software that helps companies manage and secure user authent Additionally, you can configure Okta to use risk information from Zero Trust [user risk scores](/cloudflare-one/insights/risk-score/) to create SSO-level policies. For more information, refer to [Send risk score to Okta](/cloudflare-one/insights/risk-score/#send-risk-score-to-okta). -## Set up Okta as an OIDC provider +## Prerequisites + +1. You must have Zero Trust write or administrator access. + +2. A Cloudflare Zero Trust organization with any subscription tier (including Free) must be created. To set up a Cloudflare Zero Trust organization, refer to Create a Cloudflare Zero Trust organization. + +## Supported Features + +* SP-initiated SSO (Single Sign-On) + +## Set up Okta as an OIDC provider (Okta Application Catalog) + +1. Log in to your Okta admin dashboard. + +2. Navigate to Applications > Applications. + +3. Click Browse App Catalog. + +4. Search for "Cloudflare One" and select the official Cloudflare application (OIDC). + +5. Click Add. + +6. Add an application label and Team domain: + + ```txt + .cloudflareaccess.com + ``` + You can find your team name in Zero Trust under **Settings** > **Custom Pages**. + + +7. In the **Sign On** tab, copy the **Client ID** and **Client secret**. + +8. Scroll down to the **OpenID ConnectID Token** and select **Edit**. + + ![Configuring the Groups claim filter in Okta](~/assets/images/cloudflare-one/identity/okta/okta-2.png) + +9. Set the **Groups claim filter** to _Matches regex_ and its value to `.*`. + +10. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. + +11. Under **Login methods**, select **Add new**. Select **Okta** as your identity provider. + +12. Fill in the following information: + - **Name**: Name your identity provider. + - **App ID**: Enter your Okta client ID. + - **Client secret**: Enter your Okta client secret. 
+ - **Okta account URL**: Enter your [Okta domain](https://developer.okta.com/docs/guides/find-your-domain/main/), for example `https://my-company.okta.com`. + +13. (Optional) Create an Okta API token and enter it in Zero Trust (the token can be read-only). This will prevent your Okta groups from failing if you have more than 100 groups. + +14. (Optional) To configure [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#custom-oidc-claims): + 1. In Okta, create a [custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/) and ensure that the `groups` scope is enabled. + 2. In Zero Trust, enter the **Authorization Server ID** obtained from Okta. + 3. Under **Optional configurations**, enter the claims that you wish to add to your users' identity. + +15. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/). PKCE will be performed on all login attempts. + +16. Select **Save**. + +## Set up Okta as an OIDC provider (Custom OIDC Application) 1. On your Okta admin dashboard, go to **Applications** > **Applications**.
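Review bot: Step 6 of the new "Okta Application Catalog" procedure tells the reader to enter their Team domain but the fenced value is only `.cloudflareaccess.com`, with no placeholder for the team name, so the instruction as written cannot be followed; suggest `<your-team-name>.cloudflareaccess.com` (or the same placeholder form used elsewhere on the page) so the sentence that follows, "You can find your team name in Zero Trust under **Settings** > **Custom Pages**", has something to refer to. Two smaller correctness points in the same hunk: step 15 expands PKCE as "Proof of Key Exchange", but the acronym stands for "Proof Key for Code Exchange" (the linked oauth.com page uses that name), and step 8 reads "OpenID ConnectID Token", which looks like a dropped space in "OpenID Connect ID Token". Step 9 sets the Groups claim filter to _Matches regex_ `.*`; since that releases every group the user belongs to in the ID token, a one-line caveat that administrators can narrow the regex to only the groups they intend to use in Access policies would help, and step 13 could say concretely that without the API token group membership beyond the first 100 groups is not returned, rather than "prevent your Okta groups from failing". Finally, prerequisite 2 says "refer to Create a Cloudflare Zero Trust organization" with no link while every other cross-reference in the hunk is a markdown link, and steps 2 through 5 use "Click" with unbolded UI labels whereas the rest of the page uses "Select" with bold labels (for example step 11, "Under **Login methods**, select **Add new**"); please align these with the page's conventions.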