Configure the Secure Access Monitor plugin
Early Access release
Configuring the Secure Access Monitor (SAM) plugin as a managed Chrome extension allows it to monitor for unmanaged OAuth grants and securely transfer the collected data to Okta Identity Security Posture Management (ISPM).
Before you begin
- You have the super admin role.
- You have access to the Google Admin Console.
- You have an active Okta ISPM tenant (ISPM or Okta AI license).
- Your security policies don't block OAuth grants.
- Your browser policies don't pin the browser to a specific client certificate. Pinning prevents users from authenticating through Device Trust.
- You're aware that the SAM plugin client certificate interferes with manual certificate selection flows (Smart Card, PIV, and Legacy Device Trust).
- If you use a SASE solution, you've configured it to exempt the Okta URL (https://<org>.mtls.okta.com) from TLS inspection.
Configure the Chrome browser
Configure the certificate to be sent automatically to the Okta data endpoint.
- Sign in to the Google Admin Console with an admin account.
- Follow the steps in Configure Chrome browser to provision its own client certificate.
- Provision the Google Certificate Authority and download it.
- Configure the client certificates setting:
  AutoSelectCertificateForUrls: {"pattern": "https://<org>.mtls.okta.com", "filter": {"ISSUER": {"CN":"Chrome Enterprise CA"}}}
  Replace <org> with your Okta org subdomain.
Upload the Certificate Authority to the Okta Admin Console
Upload the CA that you got from the Google Admin Console into the Okta Admin Console. This certificate is required for the client certificate authentication process.
- In the Okta Admin Console, go to Security > Device Integrations.
- Click the Certificate authority tab.
- Click Add certificate authority.
- For Issue certificate to, select Secure Access Monitor plugin.
- Upload the CA certificate chain. The file type must be .pem.
Install the plugin
- Sign in to the Google Admin Console.
- Follow the steps in Automatically install apps and extensions to install the plugin using the following extension ID: galipinbbdandeicdicjbalcbpdbljjj.
- Open the SAM plugin settings and in the Policy for extensions field, enter the following JSON:
  { "orgUrl": { "Value": "https://<org>.okta.com" } }
  Replace <org> with your Okta org subdomain.
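A pre-deployment lint for the two JSON values from the Chrome browser and plugin steps, as an added example that is not part of the original page or of Okta's tooling. It assumes both values use the same org subdomain on the okta.com hosts shown on this page; `check_sam_policies` and the sample subdomain `acme` are hypothetical names.

```python
import json
import re

# Host suffixes and issuer CN are the ones shown on this page.
MTLS_SUFFIX, ORG_SUFFIX, ISSUER_CN = ".mtls.okta.com", ".okta.com", "Chrome Enterprise CA"
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")  # one DNS label: no dots, no wildcards


def _dig(obj, *keys):
    """Walk nested dicts; return None when a level is missing or is not a dict."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def _org_from(url, suffix):
    """Return the org subdomain if url is exactly https://<label><suffix>, else None."""
    if not isinstance(url, str) or not url.startswith("https://") or not url.endswith(suffix):
        return None
    label = url[len("https://"):-len(suffix)].lower()
    return label if LABEL.fullmatch(label) else None


def check_sam_policies(auto_select_entry, extension_policy):
    """Lint the two JSON strings before pasting them into the Google Admin Console."""
    try:
        cert_rule, ext = json.loads(auto_select_entry), json.loads(extension_policy)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    findings = []
    mtls_org = _org_from(_dig(cert_rule, "pattern"), MTLS_SUFFIX)
    if mtls_org is None:
        findings.append("pattern: expected https://<org>.mtls.okta.com with <org> replaced")
    if _dig(cert_rule, "filter", "ISSUER", "CN") != ISSUER_CN:
        findings.append(f"filter: expected ISSUER CN {ISSUER_CN!r}")
    org = _org_from(_dig(ext, "orgUrl", "Value"), ORG_SUFFIX)
    if org is None:
        findings.append("orgUrl: expected https://<org>.okta.com with <org> replaced")
    elif mtls_org is not None and org != mtls_org:
        findings.append(f"org mismatch: pattern uses {mtls_org!r}, orgUrl uses {org!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; "acme" is a made-up org subdomain.
    rule = '{"pattern": "https://acme.mtls.okta.com", "filter": {"ISSUER": {"CN": "Chrome Enterprise CA"}}}'
    policy = '{ "orgUrl": { "Value": "https://acme.okta.com" } }'
    print(check_sam_policies(rule, policy) or "OK")
    print(check_sam_policies(rule + ".", policy))  # trailing period copied from prose
```

An empty list means both values match the shapes given on this page. A finding on `pattern` also catches a leftover `<org>` placeholder or a wildcard host that would present the client certificate to more than the Okta data endpoint.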
Sign in users to managed Chrome profiles
For the configuration to take effect, your users need to sign in to their managed Chrome profiles and their Okta End-User Dashboard using your Okta org URL.
Verify the configuration
Once you've configured and deployed the SAM plugin, data flows from the users' browsers to Okta.
To verify the configuration, check the ISPM dashboard to confirm that data is flowing to Okta. It may take up to seven days for the data to appear in the ISPM console. For more information, see Identify shadow AI agents using OAuth grants.
