Okta (OIDC) - CWP

This guide provides configuration instructions for integrating Okta with Genian ZTNA, a network access control system, for authentication functionality.

Overview

Through OIDC APP integration between Genian ZTNA and Okta solutions, user authentication can be performed via Okta without the need to manage a separate Genian ZTNA user database.

For user authentication, the Genian ZTNA CWP page calls Okta authentication using the OIDC (OpenID Connect) protocol, Okta verifies user authentication status, and proper SSO is achieved.

Recommended Versions

Product Name (Component)	Version	Notes
Genian ZTNA (Policy Server)	V6.0 or higher	Release version after 2025.10
Okta APP	OIDC 2.0	Integratable as of 2025.10

Purpose of Integration

Genian ZTNA and Okta integration provides the following benefits:

• No need to manage separate user databases for ZTNA and Okta authentication.
• Users can authenticate to ZTNA using SSO with their Okta accounts.
• Provides secure user authentication through the OIDC standard protocol.

Supported Features

Okta OIDC App integration supports the following features:

• Authorization Code Flow (standard OIDC authentication flow)
• PKCE (Proof Key for Code Exchange) security enhancement
• JIT (Just-In-Time) Provisioning
• Access Token and ID Token validation
• User information retrieval through UserInfo Endpoint

Integration Setup Method

The Genian ZTNA and Okta configuration method covered in this guide provides only the essential items for integration. It is automatically applied after the initial one-time setup.

Step 1: Okta Account Registration for Integration

1. Access https://www.okta.com/free-trial/ to apply for a trial account.

   • Select user information and country.

2. Check the authentication confirmation email received at the applied email address.

   • An account information confirmation email with the subject 'Activate your Okta account' will be sent to the applied email address.

3. Click the 'Activate Okta Account' button in the email to activate the account.

   • Perform initial password change for authentication and configure two-factor authentication.
   • Okta console access requires OTP 2-factor authentication and requires iPhone/Android OTP app installation and OTP registration.
   • Once OTP registration and login are complete, OIDC APP configuration for integration begins.

Step 2: Adding and Configuring OIDC APP for Authentication Integration

1. Go to Applications > Applications in the menu.

2. Click the Create App Integration button.

3. Select OIDC - OpenID Connect in Sign-in method.

4. Select Web Application in Application type.

5. Click the Next button.

6. Enter "Genian ZTNA CWP" in App integration name.

7. Verify that Authorization Code is selected in Grant type.

8. Enter the ZTNA Policy Server's CWP OIDC callback URL in Sign-in redirect URIs as shown in the example below:

   • e.g., https://test.genians.net/cwp2/faces/oidc/oidcCallback.xhtml

9. Enter the ZTNA Policy Server's CWP main page URL in Sign-out redirect URIs:

   • e.g., https://test.genians.net/cwp2

10. Select an appropriate assignment method in Controlled access section:

    • Select Allow everyone in your organization to access or specify specific groups.

11. Click the Save button to create the app.

12. Check and note the Client ID and Client secret from the General tab of the created app.

    • Client ID example: 0oa1a2b3c4d5e6f7g8h9
    • Client secret can be viewed by clicking the eye icon next to Client secret.

13. In Genian ZTNA Web Console > Preferences > User Authentication > Authentication Integration > OIDC Authentication Integration, copy and enter the following values from Okta:

    • Provider Name - Enter "Okta"

    • Issuer - Okta's Org URL (e.g., https://your-domain.okta.com).

    • Client ID - Okta's Client ID.

    • Client Secret - Okta's Client secret.

    • Use Discovery - Select "Off" (automatic endpoint discovery does not work)

      {
          "provider_name": "Okta",
          "issuer": "https://your-domain.okta.com",
          "redirect_uri_mc": "https://test.genians.net/mc2/faces/oidc/oidcCallback.xhtml",
          "redirect_uri_cwp": "https://test.genians.net/cwp2/faces/oidc/oidcCallback.xhtml",
          "scopes": "openid,profile,email",
          "authorization_endpoint": "https://your-domain.okta.com/oauth2/v1/authorize",
          "token_endpoint": "https://your-domain.okta.com/oauth2/v1/token",
          "userinfo_endpoint": "https://your-domain.okta.com/oauth2/v1/userinfo",
          "jwks_uri": "https://your-domain.okta.com/oauth2/v1/keys",
          "end_session_endpoint": "https://your-domain.okta.com/oauth2/v1/logout"
      }
      

    • Additional Parameters (Optional) - You can enter Okta-specific parameters in JSON format.

      {
          "idp": "0oa1a2b3c4d5e6f7g8h9",
          "sessionToken": "...",
          "prompt": "login"
      }
      

      Note

      Additional Parameters configures custom parameters to be included in the OIDC Authorization Request.

      Okta Recommended Parameters:

      • idp: "0oa1a2b3c4d5e6f7g8h9" - Redirect to specific Identity Provider (when using Okta Federation)
      • sessionToken: "..." - Authentication using session token (when using Okta Authentication API)
      • prompt: "login" - Force re-authentication
      • prompt: "none" - Attempt authentication without user interaction (SSO)
      • login_hint: "user@example.com" - User email hint

      OIDC Standard Parameters:

      • ui_locales: "ko-KR" - UI language setting
      • max_age: "3600" - Maximum authentication validity time (seconds)
      • acr_values: "urn:okta:loa:2fa:any" - Authentication Context Class Reference (require MFA)

      For more details, refer to https://developer.okta.com/docs/reference/api/oidc/#authorize.

14. To use JIT provisioning functionality, change JIT provisioning to 'On' in ZTNA.

    • In ZTNA UI's JIT provisioning > Additional Information, click the add button to set the user account's name and email.

      • Enter {given_name} {family_name} for the name.

      • Enter email for the email.

        • OIDC Claims (given_name, family_name, email) items are already defined as standard in Okta.
        • Attributes other than standard claims can also be added using the Custom Claims menu.

    • Set the basic permissions for users created through JIT provisioning.

      • In ZTNA UI's JIT provisioning > Permission Settings, select the basic permissions to assign to new users.
      • Different permissions per user can also be set through Okta Groups.

15. Enter the text to display on the Okta authentication button in Login Button Text that will be shown on the Genian ZTNA CWP authentication screen.

16. Click the Update button at the bottom of the Genian ZTNA Web Console configuration screen.

Note

Please ensure that the Client ID and Client Secret are entered correctly. Using incorrect values will prevent authentication to ZTNA CWP through OIDC.

Step 3: OIDC Discovery and Advanced Configuration (Optional)

1. PKCE (Proof Key for Code Exchange) security configuration is enabled by default.

   • This is a security feature that prevents Authorization Code hijacking.
   • Okta supports PKCE by default, so no additional configuration is required.

Step 4: Adding and Assigning Accounts for Okta Authentication Integration

1. Go to Directory > People in the Okta console menu.
2. Click the Add Person button in the middle of the screen to add a user.

Note

The Password field allows you to choose whether the administrator specifies the password during creation or whether the user changes it during their first login.

1. Go to Application > Application in the Okta console menu.
2. Click the gear icon to the right of the "Genian ZTNA CWP" APP registered above and click Assign to Users.
3. In the popup screen, click the Assign button to the right of the account to be used for authentication integration through the APP to assign it to the APP.

Authentication Integration Testing Method

Testing from Genian ZTNA Web Console (SP-initiated SSO)

1. Access the Web Console and click the Test button in Preferences > User Authentication > Authentication Integration > Authentication Test.
2. In the popup window, select OIDC as the authentication information store.
3. Select "Okta" Provider.
4. An Okta authentication page will be displayed in a new popup window where you enter username and password to authenticate.
5. If the 'Authentication successful' message is displayed, the authentication integration was successful.

Testing from Genian ZTNA CWP Page (SP-initiated SSO)

1. Set the authentication method of the node policy's authentication policy to OIDC.
2. Access the Genian ZTNA CWP page.
3. Click the Authentication button on the CWP page.
4. On the authentication screen, click the authentication button ("Sign in with Okta") configured in Step 2 above.
5. An Okta authentication page will be displayed in a new popup window where you enter username and password to authenticate.
6. Upon successful authentication, JWT ID Token and Access Token are received, user information is extracted, and you are logged into ZTNA CWP.

Note

After setting up authentication integration, you must add the Okta IdP domain to the Enforcement Policy permissions so that the authentication integration window is displayed even in a blocked state.

1. How to add permissions
2. Policy > Objects > Network
3. Select Tasks > Create
4. Enter General
5. Network Address > Select FQDN > Enter IdP domain (e.g. your-domain.okta.com)
6. Click Create
7. Go to Permissions menu
8. Create permission using the created network object
9. Assign the created permission to the Enforcement Policy that controls endpoint networks