Configure OKTA SSO External Authentication for Advanced Phishing Protection

Available Languages

Download Options

  • PDF     (403.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (460.1 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (311.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 29, 2022
Document ID:218226

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure OKTA SSO External Authentication for login to Cisco Advanced Phishing Protection.

    Prerequisites

    Administrator access to Cisco Advanced Phishing Protection portal.

    Administrator access to Okta idP. 

    Self-Signed or CA Signed (optional) X.509 SSL certificates in PKCS #12 or PEM format.

    Background Infrormation

    • Cisco Advanced Phishing Protection allows to enable SSO login for administrators using SAML. 
    • OKTA is an identity manager that provides authentication and authorization services to your applications. 
    • Cisco Advanced Phishing Protection can be set as an application which is connected to OKTA for authentication and authorization.
    • SAML is an XML-based open standard data format that enables administrators to access a defined set of applications seamlessly after signing into one of those applications.
    • To learn more about SAML you can access the next link: SAML General Information

    Requirements

    • Cisco Advanced Phishing Protection portal.
    • OKTA administrator account. 

    Configure

    Under Cisco Advanced Phishing Protection Portal:

    1. Log in to your organization portal, then select Manage > Organizations, as shown in the image:

    josedav_0-1664389780846

    2. Select your Organization name, Edit Organization, as shown in the image:

    josedav_1-1664389831147

    3. On the Administrative tab, scroll down to User Account Settings and select Enable under SSO, as shown in the image:

    josedav_2-1664389891689

    4. The next window provides you with the information to be entered under the OKTA SSO configuration. Paste to a notepad the following information, use it to configure OKTA settings:

         - Entity ID: apcc.cisco.com

         - Assertion Consumer Service: this data is tailored to your organization. 

        Select the named format e-mail to use an e-mail address for login, shown in the image:

    josedav_3-1664390079525

    5. Minimize Cisco Advanced Phishing Protection configuration at this moment, as you need to set first the Application in OKTA before moving to the next steps. 

    Under Okta. 

    1. Navigate to Applications portal and select Create App Integration, as shown in the image:

    josedav_0-1664315790823

    2. Select SAML 2.0 as the application type, as shown in the image:

    josedav_1-1664315833813

    3. Enter the App name Advanced Phishing Protection and select Next, as shown in the image:

    josedav_0-1664391515572

    4. Under the SAML settings, fill in the gaps, as shown in the image:

        - Single sign on URL: This is the Assertion Consumer Service obtained from Cisco Advanced Phishing Protection. 

        - Recipient URL: This is the Entity ID obtained from Cisco Advanced Phishing Protection. 

        - Name ID format: keep it as Unspecified.

        - Application username: Email, that prompts user to enter their e-mail address in the authentication process.

        - Update application username on: Create and update. 

    josedav_1-1664391566377

        Scroll down to Group Attibute Statements (optional), as shown in the image:

        Enter the next attribute statement:

           - Name: group

           - Name format: Unspecified.

           - Filter: "Equals" and "OKTA"

    josedav_0-1664322550779

        Select Next.

    5. When asked to Help Okta to understand how you configured this application, please enter the applciable reason to the current environment, as shown in the image:

    josedav_1-1664322614742

    Select Finish to proceed to the next step.

    6. Select Assignments tab and then select Assign > Assign to Groups, as shown in the image:

    josedav_2-1664322771611

    7. Select the OKTA group, which is the group with the authorized users to access the environment

    8. Select Sign On, as shown in the image:

    josedav_3-1664322839620

    9. Scroll down and to the right corner, enter the View SAML setup instructions option, as shown in the image:

    josedav_4-1664322884319

    9. Save to a notepad the next information, that is necessary to put into the Cisco Advanced Phishing Protection portal, as shown in the image:

        - Identity Provider Single Sing-On URL.

        - Identify Provider Issuer (not required for Cisco Advanced Phishing Protection , but mandatory for other applications).

        - X.509 Certificate. 

    josedav_0-1664474359342

    10. Once you complete the OKTA configuration, you can go back to Cisco Advanced Phishing Protection

    Under Cisco Advanced Phishing Protection Portal:

    1. With the Name identifier Format, enter the next information:

        - SAML 2.0 Endpoint (HTTP Redirect): The Identify Provider Single Sign-On URL provided by Okta.

        - Public Certificate: Enter the X.509 Certificate provided by Okta. 

    2. Select Test Settings to verify the configuration is correct

        If there are no errors in the configuration, you see a Test Successful entry and can now save your settings, as shown in the image:

    josedav_2-1664392098430

    3. Save settings

    Verify

    1. For any existing administrators not using SSO, they are notified via e-mail that the authentication policy is changed for the organization and the administrators are asked to activate their account using an external link, as shown in the image:

    josedav_3-1664392950765

    2. Once the account is activated, enter your e-mail address and then it redirects you to the OKTA login website for login, as shown in the image:

    josedav_5-1664393183984josedav_6-1664393291858

    3. Once the OKTA Login process completes, log into the Cisco Advanced Phishing Protection portal, as shown in the image:

    josedav_8-1664393942037

    Related Information

    Cisco Advanced Phishing Protection - Product Information

    Cisco Advanced Phishing Protection - End User Guide

    OKTA Support

    Revision History

    Revision Publish Date Comments
    2.0
    29-Sep-2022
    Initial Release
    1.0
    28-Sep-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jose Davila
      Cisco TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products