How To Configure WPA2-Enterprise With Okta

The iron-clad security of certificate-based authentication doesn’t have to be a trade-off for an efficient user experience. By combining Okta identity management and SecureW2’s EAP-TLS certificate solutions, network users can be easily equipped with certificates for authentication. Credential-based security has been historically weak in protecting against data theft, so many have turned to certificate-based authentication as a superior solution.

As users enroll for a certificate through SecureW2’s onboarding software, they enter Okta credentials and are confirmed for network use. The certificate is then imprinted with the user’s identity and the device identity and can be automatically authenticated by the network for all future authentication requests.

Additionally, as they enroll for a certificate, the organization can distribute custom attributes and network policies. Based on these settings, administrators can regulate access to files, applications, websites, and much more based on the user’s role in the organization.

The identity context and rapid authentication of certificates create a network environment that is well organized and better protected against over-the-air attacks.

Integration Process Overview

  1. Add an Identity Provider in SecureW2’s Management Portal
    • The Identity Provider provides the context that tells the Cloud Connector system how to connect to the Okta user database, verify users, and issue certificates.
  2. Create a SAML Application in Okta to connect SecureW2 certificate issuance services with the IDP
    • When users enter their Okta credentials during the certificate enrollment process, the IDP verifies the user and sends user attributes to SecureW2 via the SAML application. Once the attributes have been sent to SecureW2, the user can be issued a customized certificate that is tied to their identity and the identity of their device.
  3. Configure Attribute Mapping and Upload Okta Metadata
    • Administrators can customize the attribute mapping in order to segment network users into groups of similar users. For example, a university would want separate user groups for students and professors, so it configures the attributes to sort users automatically into one of these groups. After mapping attributes, the Okta metadata is uploaded to segment the network.
  4. Update Role and Enrollment Policies
    • With users organized into user groups, you can begin to customize the policies that dictate the network user experience. Admins can determine which applications, files, websites, and more each user group should have access to.

Ready to set it up? Here’s what you need to get started:

  • An active SecureW2 account
  • An active Cloud Connector subscription

Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device.

Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user credentials, and issue certificates.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the Saml Vendor dropdown and select OKTA.
  7. Click Save.

[Screenshot: Okta IDP info]

Now, SecureW2 Cloud Connector knows how to exchange information with your Okta user database.

Create a SAML Application in Okta

Your SAML application is a crucial connection between your IDP and SecureW2.

Your SAML application allows a user to enter their Okta credentials, which are then passed to your IDP for verification. Your IDP verifies the user’s identity and then sends attributes to your SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application to use with SecureW2:

  1. From your Okta dashboard, go to the Dashboard page.
  2. Under Shortcuts, click Add Applications.
  3. Click Create New App.
  4. In the Create a New Application Integration prompt:
    1. Click the Platform dropdown and select Web.
    2. For Sign on method, select the radio button for SAML 2.0.

[Screenshot: Create New Application Integration]

  5. Click Create.
  6. On the 1 General Settings step, for App name, enter a name.
  7. Click Next.
  8. In a new browser tab/window, log into your SecureW2 Management Portal and go to Identity Management > Identity Providers.
  9. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  10. Select the Configuration tab.
  11. Copy and paste as follows:
    1. From SecureW2, copy the values of ACS URL and EntityId, and
    2. Paste them into Okta (2 Configure SAML step) as Single sign on URL and Audience URI (SP Entity ID), respectively.
  12. Click Next.
  13. On the 3 Feedback step, for Are you a customer or partner?, select the appropriate radio button.
  14. Click Finish.

Update the Profile Policy in SecureW2

To update the profile policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Profile.
  2. Click Edit for the profile policy.
  3. Select the Settings tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Update the User Role Policy in SecureW2

To update the user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. For DEFAULT ROLE POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Configure Attribute Mapping in Okta

To configure attribute mapping in Okta:

  1. From your Okta dashboard, go to the Applications page.
  2. Click the SAML application you created in the section “Create a SAML Application in Okta”.
  3. Select the General tab.
  4. In the SAML Settings section, click Edit.
  5. On the 1 General Settings step, click Next.
  6. On the 2 Configure SAML step, in the ATTRIBUTE STATEMENTS (OPTIONAL) section, configure attributes:
    1. For Name, enter "email", and for Value, select "user.email".
    2. Click Add Another.
    3. For Name, enter "firstName", and for Value, select "user.firstName".
    4. Click Add Another.
    5. For Name, enter "lastName", and for Value, select "user.lastName".
  7. Click Preview the SAML Assertion.
  8. Copy the .xml data that appears.
  9. Open a text file and paste the .xml data into the file.
  10. Save the file using the .xml extension.

[Screenshot: attribute statements]

Upload the Okta Metadata to SecureW2

To upload the Okta metadata to SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Configuration tab.
  4. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  5. In the window that appears, select the Okta metadata file (.xml) you saved to your computer in the previous section.
  6. Click Upload.
  7. Click Update.

Configure Attribute Mapping in SecureW2

To configure attribute mapping in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter "upn".
  6. Click the Remote Attribute dropdown and select USER_DEFINED.
  7. In the field that appears, enter "email".
  8. Click Next.
  9. Click Add.
  10. For Local Attribute, enter "email".
  11. Click the Remote Attribute dropdown and select USER_DEFINED.
  12. In the field that appears, enter "email".
  13. Click Next.
  14. Click Add.
  15. For Local Attribute, enter "displayName".
  16. Click the Remote Attribute dropdown and select USER_DEFINED.
  17. In the field that appears, enter "firstName".
  18. Click Next.

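The two attribute steps above (the email/firstName/lastName attribute statements added in Okta, and the upn/email/displayName mapping entered in SecureW2) together decide which identity values end up on the issued certificate, and the EntityId pasted into Okta's Audience URI field is what lets the service provider reject assertions minted for some other application. The following script is an added example, not code from SecureW2 or Okta, showing those two pieces in working form: it parses a SAML 2.0 assertion laid out the way Okta's "Preview the SAML Assertion" button shows it, refuses it unless its Audience matches the configured EntityId, and applies the guide's local/remote mapping. The assertion, the entity ID, the user values and all function names are constructed for this example.

```python
"""Added example (not SecureW2's or Okta's code): parse an Okta-style SAML
assertion, check its audience against our SP EntityId, and apply the
SecureW2 attribute mapping from this guide (upn <- email, email <- email,
displayName <- firstName). Everything below is constructed sample data."""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholder standing in for the EntityId shown on the SecureW2
# IDP Configuration tab (pasted into Okta as Audience URI / SP Entity ID).
SP_ENTITY_ID = "https://sp.example.invalid/securew2/entity-id"

# Local (certificate) attribute -> remote Okta attribute statement name,
# exactly as entered in "Configure Attribute Mapping in SecureW2".
ATTRIBUTE_MAPPING = {
    "upn": "email",
    "email": "email",
    "displayName": "firstName",
}

# Constructed sample assertion carrying the three attribute statements
# (email, firstName, lastName) added in "Configure Attribute Mapping in Okta".
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="id-constructed-1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml2:Issuer>http://www.okta.com/exkCONSTRUCTED</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.invalid</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.invalid/securew2/entity-id</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>jdoe@example.invalid</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def parse_attribute_statements(assertion_xml):
    """Return {attribute Name: value} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("./saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        # Okta sends a single value per statement here; keep a list if there are several.
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def audiences(assertion_xml):
    """Return the Audience values listed under the assertion's Conditions."""
    root = ET.fromstring(assertion_xml)
    path = "./saml2:Conditions/saml2:AudienceRestriction/saml2:Audience"
    return [(a.text or "").strip() for a in root.findall(path, NS)]


def issued_for_this_sp(assertion_xml, sp_entity_id=SP_ENTITY_ID):
    """True only if the assertion names our SP EntityId as an audience."""
    return sp_entity_id in audiences(assertion_xml)


def map_attributes(remote_attrs, mapping=ATTRIBUTE_MAPPING):
    """Apply the local <- remote mapping. A missing remote attribute is an
    error: a certificate without its UPN/email cannot be tied to the user."""
    missing = sorted({r for r in mapping.values() if r not in remote_attrs})
    if missing:
        raise KeyError("assertion lacks attribute statement(s): %s" % missing)
    return {local: remote_attrs[remote] for local, remote in mapping.items()}


def certificate_attributes(assertion_xml, sp_entity_id=SP_ENTITY_ID, mapping=ATTRIBUTE_MAPPING):
    """End to end: reject assertions meant for another SP, then map attributes."""
    if not issued_for_this_sp(assertion_xml, sp_entity_id):
        raise ValueError("audience %r does not include %s" % (audiences(assertion_xml), sp_entity_id))
    return map_attributes(parse_attribute_statements(assertion_xml), mapping)


if __name__ == "__main__":
    # Prints the three local attributes the mapping puts on the certificate.
    print(certificate_attributes(SAMPLE_ASSERTION))
```

Two design points worth noting. The audience check is the reason the EntityId and Audience URI must match exactly: an assertion whose Audience names a different application is refused before any attribute is read. And the mapping is applied strictly, so an Okta application that forgets one of the three attribute statements fails loudly at enrollment rather than silently issuing a certificate with an empty UPN. Verifying the XML signature on the assertion is a separate step that a real service provider performs before trusting any of these values; it is not part of this example.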
Update the Enrollment and Role Policies in SecureW2

To update the enrollment policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. For DEFAULT ENROLLMENT POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. In the User Role list, select DEFAULT ROLE POLICY 1.
  5. In the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.
  6. Click Update.

Conclusion

SAML authentication with Okta and SecureW2 is easy. Simply set up your IDP and SAML application, configure the attributes to be encoded on user certificates, and configure policies in SecureW2. In no time, you can take advantage of the security that comes with SecureW2’s Cloud Connector solution. Click here for a pricing estimate that tailors our cost effective solution to your organization’s needs.

Okta is a registered trademark of Okta, Inc. in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.