12224 Views | 10 Helpful | 8 Replies

ISE with OKTA as Identity Store

timhowar
Cisco Employee

Is there any guidance or documentation on using ISE with OKTA as the identity source? Can ISE use groups created in OKTA to do fine-grained access control?

Accepted Solution

thomas
Cisco Employee

http://cs.co/ise-guides#Okta ?

BTW, SAML Identity Stores are only valid for web portal based authentication and not 802.1X.


8 Replies


paul
Level 10

With all MFA vendors, I prefer to have them do a single role, which is to perform the MFA process and simply give me an accept or reject back indicating the MFA process passed or failed. Then I have ISE do all the necessary AD look-ups in the authorization phase to provide granular control. To that end, I always set up my MFA vendors as RADIUS Token servers and use that definition in the authentication section of my policy sets requiring MFA. After the user passes MFA, their username can be checked against AD to provide the granular control you want.

timhowar
Cisco Employee

What if the customer is replacing AD with Okta Universal Directory or never implemented AD in the first place? In that case, is ISE currently unable to do any kind of fine-grained user control using groups?

In all of my installs, the customers have used AD as their source of truth. I haven't worked with OKTA Universal Directory, but I think you would have three options:

 

  1. Setup an LDAP connector in ISE to OKTA universal directory and do group lookups via LDAP in the authorization phase.
  2. If you use a RADIUS token definition for OKTA you can define a RADIUS attribute on the advanced tab that OKTA will pass back to ISE.  So your OKTA would do all the group checking and then set the RADIUS attribute accordingly.  You can then use that RADIUS attribute in your authorization rules.
  3. You can define the OKTA servers as an external RADIUS server; then ISE basically just acts as a proxy between the NAD and OKTA, and all attributes sent from OKTA flow back to the NAD. I don't use this setup at all, but you could play around with it.
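Added example (not from this thread, and not Cisco or Okta code) of the mechanics behind option 2: the MFA/token server answers the Access-Request with an Access-Accept carrying a RADIUS attribute (Filter-Id, type 11, is assumed here; the attribute number and the group-to-profile mapping are placeholders), and the ISE side must verify the Response Authenticator with the shared secret before it trusts that attribute for authorization. The shared secret, Request Authenticator and group names are constructed for the example. It also shows the two failure modes a practitioner cares about: a tampered attribute value, and a replayed Accept bound to a different Request Authenticator, both of which must be dropped rather than used for authorization.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and the attribute type used in this example
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11  # RFC 2865 section 5.11, free-form string; assumed here as the carrier

# Constructed sample values: the shared secret configured on both sides, and the
# 16-byte Request Authenticator ISE put into the Access-Request it sent.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

# Hypothetical mapping from the value the token server returns to an ISE
# authorization profile name. Both sides of this table are assumptions.
AUTHZ_RULES = {
    "okta-group-netadmins": "NetAdmin_Full_Access",
    "okta-group-helpdesk": "Helpdesk_Limited",
}
DEFAULT_PROFILE = "DenyAccess"


def encode_attributes(attrs):
    """Serialize (type, value-bytes) pairs as RADIUS TLVs (length covers type+len)."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def build_response(code, identifier, request_auth, attrs, secret):
    """What the token server does: ResponseAuth =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Walk the TLVs and refuse malformed lengths instead of reading past them."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def verify_response(packet, request_auth, secret):
    """ISE-side check: trust the attributes only if the Response Authenticator
    matches, which binds the reply to the shared secret and to the request we sent."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    return code, parse_attributes(body)


def authorize(packet, request_auth, secret):
    """Authentication result comes from the MFA server; authorization comes from
    the attribute it set. Returns None when the packet fails verification."""
    parsed = verify_response(packet, request_auth, secret)
    if parsed is None:
        return None
    code, attrs = parsed
    if code != ACCESS_ACCEPT:
        return DEFAULT_PROFILE
    for atype, value in attrs:
        if atype == ATTR_FILTER_ID:
            profile = AUTHZ_RULES.get(value.decode("utf-8", "replace"))
            if profile:
                return profile
    return DEFAULT_PROFILE


if __name__ == "__main__":
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTHENTICATOR,
                            [(ATTR_FILTER_ID, b"okta-group-netadmins")], SHARED_SECRET)
    print(authorize(accept, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    tampered = bytearray(accept)
    tampered[-1] ^= 0x01  # attacker on the path flips a byte of the group name
    print(authorize(bytes(tampered), REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

The point of the verification step is that a RADIUS attribute only carries authorization weight if the reply is authenticated; in a real deployment the same idea is enforced by the shared secret on the ISE RADIUS Token server definition, and the Filter-Id (or whichever attribute Okta is configured to return) is then referenced in the authorization policy conditions.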

 

karunanithi
Level 1

Thanks Paul, I have a similar requirement to use Okta as an Identity source (UD). I would prefer to use option 1. Do we have any successful use case and document around this on how to do the integration?

  1. Setup an LDAP connector in ISE to OKTA universal directory and do group lookups via LDAP in the authorization phase.

 

Hi, can anyone help?

Similarly we have a use case to connect ISE to Okta using SAML - is this on the roadmap for direct API relationship and ecosystem enablement?

Roadmap is not discussed on this public forum. You can suggest feature enhancements at https://cs.co/ise-wish