Configuring Okta Workforce Identity Cloud

This section describes the steps to be performed in the Okta Workforce Identity Cloud administration console to register the Cloud Auth application and provide access to the Okta Workforce Identity Cloud instance.

To configure Okta Workforce Identity Cloud as an identity provider, you must install the following two applications: Cloud Auth OIDC and Cloud Auth API Service.

Cloud Auth OIDC

To install the Cloud Auth OIDC application, complete the following steps:

  1. Log in to the Okta Workforce Identity Cloud administration console.
  2. Navigate to the Applications tab and click Applications.
  3. Click Browse App Catalog.
  4. Select OIDC in the Functionality section.
  5. Search for Cloud Auth OIDC and select the Cloud Auth OIDC application.
  6. Select Add Integration and click Done.
  7. Select Sign On.

  8. In the Settings section select Edit.

  9. Scroll down to the Advanced Sign-on Settings.

  10. Copy the Redirect URI obtained from the user access policy and paste it in the Redirect URI field, which is located above the help text. For more information, see Copy Redirect URI.

  11. In the Credentials Details section, for Application username format, select Email.

  12. Click Save.

For the Cloud Auth OIDC application to authenticate a user, the user must be assigned the application. For more information about how users are assigned to applications, see https://help.okta.com/en-us/content/topics/users-groups-profiles/usgp-assign-apps.htm.

Cloud Auth API Service

To install the Cloud Auth API Service application, complete the following steps:

  1. Log in to the Okta Workforce Identity Cloud administration console.
  2. Navigate to the Applications tab and click Applications.
  3. Click Browse App Catalog.
  4. Select API in the Functionality section.

  5. Search for Cloud Auth API Service and select the Cloud Auth API Service application.

  6. Select Add Integration.
  7. Select Install & Authorize.

    The Client Secret is displayed. Copy this as the Service Client Secret.

  8. Click Done.

    The Client ID is displayed.

APIs for Okta Workforce Identity Cloud

The following Okta core APIs are used by Cloud Auth to authorize users in Okta Workforce Identity Cloud:

Rate Limiting

The Okta Core APIs are subject to rate limiting set by Okta, which is of consequence for two of the above APIs used in the Cloud Auth authorization flow:

As a result of rate limiting, Cloud Auth restricts the authorization rate to match the Okta rate limits so that user authentications do not fail because a rate limit has been exceeded.

To communicate when user authentications may be affected by rate limits, Cloud Auth provides the following audit trail entries:

  • Rate Limit Information: Indicates the rate limit for a particular API. For example, 1000 requests per minute for the GET /api/v1/users/${userId}. This audit entry does not mean that a rate limit has been exceeded.

  • Rate Limit Almost Exceeded: Indicates that 95% of the rate limit for a particular API has been used.

  • Rate Limit Exceeded: Indicates that the rate limit for a particular API has been exceeded.

The following are examples of each of the above audit entries that can be seen in the Central Audit Trail:

Occurred On        | IP Address | Username | Target               | Category                | Description
-------------------|------------|----------|----------------------|-------------------------|-----------------------------
Mar 1, 2024, 16:55 |            | System   | Okta Identity Client | Authentication & Policy | Rate Limit Exceeded
Mar 1, 2024, 16:53 |            | System   | Okta Identity Client | Authentication & Policy | Rate Limit Almost Exceeded
Mar 1, 2024, 16:38 |            | System   | Okta Identity Client | Authentication & Policy | Rate Limit Information

If the “Rate Limit Almost Exceeded” or “Rate Limit Exceeded” audits are seen frequently, HPE Aruba Networking recommends that your Okta Organization Administrator contact Okta support or sales about requesting a rate limit exception for the APIs listed in the above audit entries. For more information about rate limit exceptions, see https://developer.okta.com/docs/reference/rl-best-practices/#request-rate-limit-exceptions.

Figure 1  Audit Trail
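The three audit categories above (information, 95% used, exceeded) and the recommendation to watch for frequent warnings can be reproduced outside Central from Okta's own rate-limit response headers. The following is an added example, not part of the HPE Aruba Networking documentation or of Cloud Auth itself: it maps one response's X-Rate-Limit-Limit / X-Rate-Limit-Remaining / X-Rate-Limit-Reset headers (Okta's documented header names; assumed unchanged here) to the audit category, computes how long a caller must hold off once the limit is exhausted, and counts warning audits per hour over constructed sample rows modelled on the table above.

```python
"""Classify Okta rate-limit usage into the Cloud Auth audit categories and
scan audit-trail rows for frequent warnings.

Assumptions (not from the page): the X-Rate-Limit-* header names are Okta's
documented response headers; SAMPLE_HEADERS and SAMPLE_AUDIT_ROWS are
constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

LIMIT_HEADER = "X-Rate-Limit-Limit"          # requests allowed per window
REMAINING_HEADER = "X-Rate-Limit-Remaining"  # requests left in this window
RESET_HEADER = "X-Rate-Limit-Reset"          # epoch seconds when window resets

ALMOST_EXCEEDED_FRACTION = 0.95  # "95% of the rate limit ... has been used"

INFORMATION = "Rate Limit Information"
ALMOST = "Rate Limit Almost Exceeded"
EXCEEDED = "Rate Limit Exceeded"


@dataclass
class RateLimitStatus:
    api: str
    limit: int
    remaining: int
    reset_epoch: int
    category: str


def classify(api: str, headers: dict) -> RateLimitStatus:
    """Map one Okta response's rate-limit headers to an audit category."""
    limit = int(headers[LIMIT_HEADER])
    remaining = int(headers[REMAINING_HEADER])
    reset_epoch = int(headers[RESET_HEADER])
    used = limit - remaining
    if remaining <= 0:
        category = EXCEEDED
    elif used >= ALMOST_EXCEEDED_FRACTION * limit:
        category = ALMOST
    else:
        category = INFORMATION
    return RateLimitStatus(api, limit, remaining, reset_epoch, category)


def delay_before_next_request(status: RateLimitStatus, now_epoch: float) -> float:
    """Seconds a caller should wait before its next request: zero while quota
    remains, otherwise until the window resets (no requests are allowed
    until then, which is why Cloud Auth throttles instead of failing)."""
    if status.remaining > 0:
        return 0.0
    return max(0.0, status.reset_epoch - now_epoch)


def audit_warnings_per_hour(rows, warning_categories=(ALMOST, EXCEEDED)):
    """Count warning audits per clock hour so frequent ones stand out.
    rows: iterable of (occurred_on: datetime, description: str)."""
    counts = Counter()
    for occurred_on, description in rows:
        if description in warning_categories:
            hour = occurred_on.replace(minute=0, second=0, microsecond=0)
            counts[hour] += 1
    return counts


# Constructed sample data: 960 of 1000 requests used in the current minute.
SAMPLE_HEADERS = {
    LIMIT_HEADER: "1000",
    REMAINING_HEADER: "40",
    RESET_HEADER: "1709308560",
}

# Constructed rows modelled on the audit table in the documentation.
SAMPLE_AUDIT_ROWS = [
    (datetime(2024, 3, 1, 16, 38), INFORMATION),
    (datetime(2024, 3, 1, 16, 53), ALMOST),
    (datetime(2024, 3, 1, 16, 55), EXCEEDED),
]

if __name__ == "__main__":
    status = classify("GET /api/v1/users/${userId}", SAMPLE_HEADERS)
    print(status.category)  # Rate Limit Almost Exceeded
    print(delay_before_next_request(status, now_epoch=1709308500))  # 0.0
    print(audit_warnings_per_hour(SAMPLE_AUDIT_ROWS))
```

The 95% threshold is compared against requests used rather than remaining so that it matches the wording of the Rate Limit Almost Exceeded audit; the per-hour counter gives an operator a concrete number to bring to the Okta Organization Administrator when deciding whether to request a rate limit exception.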

Okta Rate Limits

In general, the rate limit for a particular API is measured in the number of API requests per minute. If, for example, within a minute the number of requests exceeds the rate limit, no more requests are allowed until the rate limit is reset at the end of the minute. For more information about Okta rate limits, see https://developer.okta.com/docs/reference/rate-limits/.

Monitoring Okta Rate Limit Usage

The audit trail entries mentioned above help monitor the rate limit usage by the Cloud Auth API Service application, which is the endpoint for the Okta Core APIs used by Cloud Auth. However, rate limit usage by all applications across an Okta organization can be monitored from the Okta Administration Console, including usage by both the Cloud Auth API Service and Cloud Auth OIDC applications. For more information about monitoring rate limits, see https://developer.okta.com/docs/reference/rl-dashboard/.