Configure an Identity Provider in Access Gateway

Before you can secure applications, you must configure an Identity Provider (IdP) for Access Gateway.

You can use Workforce Identity Cloud, powered by Okta, or Customer Identity Cloud, powered by Auth0, as the IdP. Access Gateway and your IdP integrate using SAML and REST APIs.

You must have app admin and org admin privileges to perform these tasks.

Use Workforce Identity Cloud as the IdP

  1. Create an Okta service account for Access Gateway.
  2. Create an Okta API token.
  3. Use Workforce Identity Cloud as the IdP for Access Gateway.

Use Customer Identity Cloud as the IdP

  1. Create an Auth0 Client ID and Client Secret.
  2. Use Customer Identity Cloud as the IdP for Access Gateway.

Create an Okta service account for Access Gateway

Okta recommends that you create and use a dedicated service account to create the Access Gateway API key. Okta logs every action performed by an API key under the user account that created the key.

  1. In the Admin Console, go to Directory > People.
  2. Click Add person.
  3. Enter a name for the service account.
  4. Enter a placeholder email for the Username and Primary email. For example, service.admin@domain.com.

    Use placeholder values for the Username and Primary email to avoid interference between the service account and your account. Enter your email address as the Secondary email. Then, if you need to request a password reset, you're able to activate and maintain the service account.

  5. For the Secondary email, enter your administrator email address.
  6. Select Send user activation email now, and then click Save. The account is created and has a status of Pending user action.
  7. In the Admin Console, go to Security > Administrators.
  8. Click Add administrator.
  9. Select your service account from the Select admin dropdown.
  10. Select Application Administrator from the Role dropdown.
  11. Click Edit to configure the applications that the account can manage. Choose Constrain this role to the entire organization. This allows the account to manage all applications or to create a resource set of the applications that the account can manage. See Edit resources for a standard role assignment.
  12. Click Save resource set.
  13. Click Add assignment.
  14. Select Organization Administrator from the Role dropdown.
  15. Click Save.
  16. Sign out of your Okta admin account.
  17. Open the activation email that you received from Okta and click the activation link.
  18. Enter a password and a security question for the account.
  19. Sign in with the new service account credentials.

Create an Okta API token

  1. In the Admin Console, go to Security > API.
  2. Click Create token.
  3. Enter a token name that identifies the token's purpose.
  4. Click Create token.
  5. Copy the Token Value and store it in a secure location, such as a password manager. After you close this window, you can no longer view the token value.
  6. Click Ok, got it.
  7. Continue with the Use Workforce Identity Cloud as the IdP for Access Gateway procedure.

Create an Auth0 Client ID and Client Secret

  1. Perform the procedure in the Customer Identity Cloud documentation.
  2. Continue with the Use Customer Identity Cloud as the IdP for Access Gateway procedure.

Configure the IdP in Access Gateway

You can use either Workforce Identity Cloud or the Customer Identity Cloud as the IdP for Access Gateway.

Use Workforce Identity Cloud as the IdP for Access Gateway

  1. In your browser, go to the Access Gateway Admin UI console and sign in as an administrator.
  2. Select the Settings tab.
  3. Click the Identity Providers pane.
  4. Click + and then select Workforce Identity Cloud.
  5. Enter the following information:
    • Name: Enter a meaningful name for the IdP.
    • Okta Org: Enter your org name (for example, orgname.oktapreview.com, orgname.okta.com, or similar) or custom domain. Don't use the admin interface URL of your org (for example, orgname-admin.okta.com).
    • Okta API Token: Paste the token value that you copied from your Okta org when you created the Okta API token.
  6. Click Not Validated. This label changes to Validated when the Okta API token is successfully validated.
  7. Click Okay. The Settings tab displays your IdP status, which should be Valid.
  8. Click the Topology tab. An icon appears for your IdP, labeled with the name that you entered.
  9. Click the icon for your IdP.
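
Because Okta logs API key activity under the user that created the key, it is worth confirming before step 5 that the token really belongs to the service account and that the Okta Org value is not the admin URL. The following pre-flight check is an added example, not part of the Okta documentation or product; the function names are assumptions, and it relies on the Okta REST API call GET /api/v1/users/me with an SSWS authorization header. The admin URL check only covers the okta.com and oktapreview.com domains named above, not custom domains.

```python
import json
import urllib.request
from urllib.parse import urlsplit

OKTA_SUFFIXES = (".okta.com", ".oktapreview.com")  # the domains named on this page


def normalize_okta_org(value):
    """Return the bare host for the Okta Org field; reject the admin interface URL."""
    value = value.strip()
    host = urlsplit(value if "://" in value else "https://" + value).hostname
    if not host:
        raise ValueError("no host name in %r" % value)
    first, _, rest = host.partition(".")
    if host.endswith(OKTA_SUFFIXES) and first.endswith("-admin"):
        raise ValueError("%s is the admin interface URL; use %s.%s"
                         % (host, first[:-len("-admin")], rest))
    return host


def token_owner(org_host, token, opener=urllib.request.urlopen):
    """Ask Okta which user the API token acts as (GET /api/v1/users/me)."""
    req = urllib.request.Request(
        "https://%s/api/v1/users/me" % org_host,
        headers={"Authorization": "SSWS " + token, "Accept": "application/json"},
    )
    with opener(req, timeout=10) as resp:
        return json.load(resp)["profile"]["login"]


def preflight(org_value, token, service_login, opener=urllib.request.urlopen):
    """True only if the token is owned by the dedicated service account."""
    host = normalize_okta_org(org_value)
    owner = token_owner(host, token, opener)
    # Logins are compared case-insensitively; the token itself is never printed.
    return owner.lower() == service_login.lower()


if __name__ == "__main__":
    import getpass
    org = input("Okta Org: ")
    login = input("Service account username: ")
    ok = preflight(org, getpass.getpass("Okta API token: "), login)
    print("token belongs to the service account" if ok
          else "token was created by a different user; recreate it as the service account")
```

The token is read with getpass so that it does not land in shell history or on screen.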

Use Customer Identity Cloud as the IdP for Access Gateway

  1. In your browser, go to the Access Gateway Admin UI console and sign in as an administrator.
  2. Select the Settings tab.
  3. Click the Identity Providers pane.
  4. Click + and then select Customer Identity Cloud.
  5. Enter the following information:
    • Name: Enter a meaningful name for the IdP.
    • Host: Enter your Auth0 host name (for example, https://orgname.sus.auth0.com).
    • Tenant: Enter your Auth0 tenant name (for example, orgname.sus.auth0.com).
  6. In the OAuth Configuration section, enter the following information:
    • In the Client ID field, paste the Auth0 Client ID.
    • In the Client Secret field, paste the Client Secret.
  7. Delete the Client ID and Client Secret information from the text editor app where you temporarily stored it.
  8. Click Not Validated. This label changes to Validated when the Client ID and Client Secret values are validated.
  9. Click Okay. The Settings tab displays your IdP status, which should be Valid.
  10. Click the Topology tab. An icon appears for your IdP, labeled with the name that you entered.
  11. Click the icon for your IdP.