CASB Configuration Guide

About CASB

A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies beyond their own infrastructure.

CASB and the Okta OIN

To simplify integrating with in-path/reverse proxy CASBs, Okta has developed functionality that allows admins to override various default settings associated with our published OIN apps that use SAML for federation. The settings can also be applied to the Microsoft Office 365 app.

The values that can be overridden are:

  • Assertion Consumer Service URL (ACS)
  • Audience
  • Recipient
  • Destination

To override these settings, admins must use our API to populate the $app.settings.signOn object with the appropriate override values, which are:

SAML Property                    signOn Value
Assertion Consumer Service URL   ssoAcsUrlOverride
Audience                         audienceOverride
Destination                      destinationOverride
Recipient                        recipientOverride
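The mapping above, worked as an added example (not Okta's own code): starting from a saved GET response, build the minimal PUT body with the four overrides merged into settings.signOn, and refuse URL overrides that would deliver the assertion anywhere other than the CASB proxy over TLS. The proxy host and the abbreviated app object are constructed for illustration.

```python
"""Build the PUT body that applies CASB SAML overrides to an Okta app.

Added example, not Okta's own code. CASB_PROXY_HOST and SAMPLE_APP are
constructed; replace them with your proxy host and your saved GET response.
"""
import copy
import json
from urllib.parse import urlparse

# Constructed: the CASB reverse proxy that should receive the SAML assertion.
CASB_PROXY_HOST = "aws.casb-proxy.example.com"

# Constructed: abbreviated GET /api/v1/apps/{appId} response for an OIN SAML app.
SAMPLE_APP = {
    "label": "Amazon Web Services",
    "name": "amazon_aws",
    "signOnMode": "SAML_2_0",
    "settings": {
        "app": {"sessionDuration": 3600, "overrideAcsURL": None},
        "signOn": {"defaultRelayState": ""},
    },
}

OVERRIDE_KEYS = ("ssoAcsUrlOverride", "audienceOverride",
                 "recipientOverride", "destinationOverride")


def check_override_url(value):
    """Reject overrides that would send the assertion anywhere but the CASB over https."""
    parsed = urlparse(value)
    if parsed.scheme != "https" or parsed.hostname != CASB_PROXY_HOST:
        raise ValueError(f"override {value!r} does not point at https://{CASB_PROXY_HOST}")
    return value


def build_casb_override(app, acs, audience, recipient, destination):
    """Return the minimal PUT body: label, name, signOnMode and settings with overrides."""
    if app.get("signOnMode") != "SAML_2_0":
        raise ValueError("overrides only apply to SAML_2_0 apps")
    body = {k: app[k] for k in ("label", "name", "signOnMode")}
    body["settings"] = copy.deepcopy(app["settings"])  # keep settings.app intact
    sign_on = body["settings"].setdefault("signOn", {})
    for key, value in zip(OVERRIDE_KEYS, (acs, audience, recipient, destination)):
        # Audience is usually a URN (e.g. urn:amazon:webservices), so only URLs are checked.
        sign_on[key] = value if key == "audienceOverride" else check_override_url(value)
    return body


if __name__ == "__main__":
    proxy = f"https://{CASB_PROXY_HOST}/saml"
    body = build_casb_override(SAMPLE_APP, proxy, "urn:amazon:webservices", proxy, proxy)
    print(json.dumps(body, indent=2))  # use as the -d payload of the PUT call
```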

Configure CASB for a Specific App

Here is an example of how to configure CASB for a specific app:


  1. This is an Early Access feature. Contact support to enable it (SAML2_CASB_SUPPORT).

  2. In Okta, navigate to Security > API, then create a new API Token.

  3. Get the app details by making an API call as follows:

    curl -X GET \
      https://{{Okta host}}/api/v1/apps/{{App ID}} \
      -H 'Authorization: SSWS {{ API Key }}' \
      -H 'Accept: application/json'

    Where the App ID can be obtained from your app's URL.

  4. Copy the API response into a text editor.

  5. Update the app data by means of an API call as shown in the example below.

    Note: The attributes displayed are the minimum required ones. Replace the values shown with your saved data (see the signOn section in your API response).


    curl -X PUT \
      https://{{Okta host}}/api/v1/apps/{{App ID}} \
      -H 'Authorization: SSWS {{ API Key }}' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
        "label": "Amazon Web Services",
        "name": "amazon_aws",
        "signOnMode": "SAML_2_0",
        "settings": {
          "app": {
            "appFilter": null,
            "awsEnvironmentType": "",
            "groupFilter": "aws_(?{{accountid}}\\d+)_(?{{role}}[a-zA-Z0-9+=,.@\\-_]+)",
            "secretKey": null,
            "accessKey": null,
            "loginURL": "",
            "identityProviderArn": "arn:aws:iam::456272127071:saml-provider/OktaRainVladDobrikov2,arn:aws:iam::456272127071:role/RoleOktaRainVladDobrikov",
            "overrideAcsURL": null,
            "sessionDuration": 3600,
            "secretKeyEnc": null,
            "roleValuePattern": "arn:aws:iam::${accountid}:saml-provider/OKTA,arn:aws:iam::${accountid}:role/${role}"
          },
          "signOn": {
            "defaultRelayState": "defaultRelayStateOverride",
            "ssoAcsUrlOverride": "",
            "audienceOverride": "",
            "recipientOverride": "",
            "destinationOverride": ""
          }
        }
      }'

  6. Perform a SAML login from Okta for the application you just updated.
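To confirm that the overrides took effect after the test login in step 6, the SAMLResponse the browser posts can be decoded and its Destination, Recipient and Audience compared against the signOn values. This is an added example, not Okta's own code; the SAMLResponse below is constructed and unsigned, and the ACS URL itself is the form's POST target rather than a field inside the response, so it is not checked here.

```python
"""Check that a captured SAMLResponse carries the CASB override values.

Added example, not Okta's own code. SAMPLE_RESPONSE_XML is a constructed,
unsigned response; verify the signature before trusting these fields in practice.
"""
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed: minimal response as it would be POSTed to the CASB proxy (before base64).
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://aws.casb-proxy.example.com/saml">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://aws.casb-proxy.example.com/saml"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:webservices</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML).decode()


def extract_saml_targets(saml_response_b64):
    """Return Destination, Recipient and Audience from a base64 SAMLResponse form field."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    return {
        "destinationOverride": root.get("Destination"),
        "recipientOverride": scd.get("Recipient") if scd is not None else None,
        "audienceOverride": aud.text if aud is not None else None,
    }


def find_override_mismatches(saml_response_b64, expected):
    """Compare assertion fields to the signOn overrides; return {key: (expected, actual)}."""
    actual = extract_saml_targets(saml_response_b64)
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}
```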