Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12226
Views
10
Helpful
8
Replies

ISE with OKTA as Identity Store

Go to solution
timhowar
Cisco Employee
Cisco Employee

‎05-11-2020 10:00 AM

Is their any guidance or documentation on using ISE with OKTA as the identity source? Can ISE use groups created in OKTA to do fine grained access control?

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎05-11-2020 06:05 PM - edited ‎05-11-2020 06:07 PM

http://cs.co/ise-guides#Okta ?

BTW, SAML Identity Stores are only valid for web portal based authentication and not 802.1X.

View solution in original post

8 Replies 8

Go to solution
thomas
Cisco Employee
Cisco Employee

‎05-11-2020 06:05 PM - edited ‎05-11-2020 06:07 PM

http://cs.co/ise-guides#Okta ?

BTW, SAML Identity Stores are only valid for web portal based authentication and not 802.1X.

Go to solution
paul
Level 10
Level 10

‎05-12-2020 02:40 PM

With all MFA vendors, I prefer to have them do a single role which is perform the MFA process and simply give me a accept or reject back indicating the MFA process passed or failed.  Then I have ISE do all the necessary AD look-ups in the authorization phase to provide granular control.  To that end, I always setup my MFA vendors as RADIUS Token servers and use that definition in then authentication section of my policy sets requiring MFA.  After the users passes MFA their username can be checked against AD to provide the granular control you want.

Go to solution
timhowar
Cisco Employee
Cisco Employee
In response to paul

‎05-13-2020 05:25 AM

What if the customer is replacing AD with Okta Universal Directory or never implemented AD in the first place? In that case, is ISE currently unable to do any kind of fine grained user control using groups? 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to timhowar

‎05-13-2020 06:47 AM

All of my installs the customers have used AD as their source of truth. I haven't worked with OKTA universal directory but I think you would have three options:

 

  1. Setup an LDAP connector in ISE to OKTA universal directory and do group lookups via LDAP in the authorization phase.
  2. If you use a RADIUS token definition for OKTA you can define a RADIUS attribute on the advanced tab that OKTA will pass back to ISE.  So your OKTA would do all the group checking and then set the RADIUS attribute accordingly.  You can then use that RADIUS attribute in your authorization rules.
  3. You can define the OKTA servers as an external RADIUS server then ISE basically just acts a proxy between the NAD and OKTA and all attributes sent from OKTA flow back to the NAD.  I don't use this setup at all but you could play around with it.

 

0 Helpful

Go to solution
karunanithi
Level 1
Level 1

‎01-03-2023 05:27 AM

Thanks Paul, i have a similar requirement to use Okta as an Identity source ( UD) I would prefer to use option 1. Do we have any successful usecase and document around this on how to do the integration? 

  1. Setup an LDAP connector in ISE to OKTA universal directory and do group lookups via LDAP in the authorization phase.

 

0 Helpful

Go to solution
karunanithi
Level 1
Level 1
In response to karunanithi

‎01-12-2023 11:10 PM

hi, Anyone can help ?

0 Helpful

Go to solution
gavinherbert
Level 1
Level 1
In response to karunanithi

‎04-13-2023 02:27 AM

Similarly we have a use case to connect ISE to Okta using SAML - is this on the roadmap for direct API relationship and ecosystem enablement?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to gavinherbert

‎04-13-2023 03:57 PM

Roadmap is not discussed on this public forum. You can suggest feature enhancements at https://cs.co/ise-wish

0 Helpful
Customers Also Viewed These Support Documents