Login

Cisco Security Cloud Control Administration Guide

About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
Platform Services for all Products
- Manage Security Devices
- Manage Objects
- Global Search
  - Initiate Full Indexing
  - Perform a Global Search
- Preview and Deploy Configuration Changes for All Devices
- Additional Configuration Assistance
- Integrate Identity Services Engine with Security Cloud Control
- Organization Notification Settings
- Security Cloud Control Platform Navigator
- Give us your Feedback
Managing Organizations
- Setting a Region for an Organization
- Create an Organization
- Rename an organization
- Switch organizations
- Cisco Support Access to your Organization
  - Enable Cisco Support Access
  - Disable support access
Managing Products and Subscriptions
- Overview of Subscription Process
- Single Product Instance in an Organization
- Claim a Subscription
- Activate a Product Instance
  - Activate an Inactive Product Instance
  - Activate an Externally Managed Product Instance
  - Activation Code to Activate Externally Managed Product Instance
  - Activate a Product Instance with Further Inputs
- View Product Subscription Details
- Deactivate a Product Instance
Onboard Devices to Security Cloud Control
- Secure ASA Onboarding Methods
- Secure Firewall Threat Defense Onboarding Methods
- On-Premises Firewall Management Center Onboarding Methods
- Meraki Security Appliance Onboarding Methods
- Cisco IOS Device Onboarding Methods
- Secure Firewall Chassis Manager Onboarding Methods
- AWS Virtual Private Cloud Onboarding Methods
- Cisco Umbrella Organization Onboarding Methods
Managing Role-Based Access Control
- Role-Based Access Control in an Organization
  - Managing Users
  - Managing Groups
  - Managing Roles
- Invite a User
- Import Users
- View or Find Users
- Edit a User Name
- Assign Roles to a User
- Add a User to Groups
- Assign Roles to Existing Users
- Remove Role Assignments
- Create a Custom Role
- Edit a Custom Role
- Delete a Custom Role
- Custom Role for Cisco Secure Workload
- Reset Multifactor Authentication Settings
- Reset User Password
- Disable a User Account
- Restore a User Account
- Remove a User Account
- Create a New Group
- Edit a Group Name
- Add Users to a Group
- Assign Roles to Groups
- Remove users from a group
- Delete a Group
- Manage Role Delegation
- Logging the Events
  - View the Activity Log
Managing Domains
- Overview
- Claim and verify a domain
Managing Identity Provider Group Mapping
- Identity Provider Group Map
- Map Identity Provider Group
- Edit an identity provider group mapping
- Link an External Identity Provider
- Delink an External Identity Provider
Integrating Identity Providers
- Prerequisites
- SAML Response Requirements
- Step 1: Initial setup
- Step 2: Provide Security Cloud SAML metadata to your identity provider
- Step 3: Provide SAML metadata from your IdP to Security Cloud
- Step 4: Test your SAML integration
- Step 5: Activate the integration
- Troubleshooting SAML errors
Identity Service Provider Instructions
- Integrating Auth0 with Security Cloud Sign On
- Integrating Microsoft Entra ID with Security Cloud Sign On
- Integrating Duo with Security Cloud Sign On
- Integrating Google Identity with Security Cloud Sign On
- Integrating Okta with Security Cloud Sign On
- Integrating Ping Identity with Security Cloud Sign On

Platform Secure Firewall Threat Defense Virtual

Activity Manage

Identity Service Provider Instructions Integrating Okta with Security Cloud Sign On

Last updated: Jul 17, 2025

Integrating Okta with Security Cloud Sign On

This guide explains how to integrate an Okta SAML application in Security Cloud Control.

Before you begin

Before you begin, read the Integrating Identity Providers to understand the overall process. These instructions supplement that guide with details specific to Okta SAML integrations, specifically Step 2: Provide Security Cloud SAML metadata to your identity provider and Step 3: Provide SAML metadata from your IdP to Security Cloud.

Procedure

1

Sign in to Security Cloud Control with the organization that you want to integrate with Okta.

Create a new identity provider and decide whether to opt out of Duo MFA, as explained in Step 1: Initial setup.
On Step 2: Provide Security Cloud SAML metadata to your identity provider, download the Public certificate, and copy the values for Entity ID and Single Sign-On Service URL for use in the next steps.

2

In a new browser tab, sign in to your Okta organization as an administrator. Keep the Security Cloud Control tab open as you'll return to it shortly.

From the Applications menu, choose Applications.
Click Create App Integration.
Select SAML 2.0 and click Next.
In the General Settings tab, enter a name for your integration (Security Cloud Sign On, for example) and optionally upload a logo.
Click Next to go to the Configure SAML page.
In the Single sign-on URL field, enter the Single Sign-On Service URL provided by Security Cloud Control.
In the Audience URI field, enter the Entity ID provided by Security Cloud Control.
For Name ID format, select either Unspecified or EmailAddress.
For Application username, select Okta username.
In the Attribute Statements (optional) section, add the following mappings of names in SAML attributes to Okta user profile values:

Name (in SAML assertion)

Value (in Okta profile)

email

user.email

firstName

user.firstName

lastName

user.lastName
Click Show Advanced Settings.
Click Next.
For Signature Certificate, click Browse files... and upload the public signing certificate that you previously downloaded from Security Cloud Control.

The response and assertion must be signed with the RSA-SHA256 algorithm.
Under Sign On > Settings > Sign on method, click Show details.
Click Next and provide feedback to Okta, then click Finish.
Copy the values of Sign on URL and Issuer and download the Signing Certificate to provide to Security Cloud Control next.

3

Return to Security Cloud Control and click Next. You should be on Step 3: Provide SAML metadata from your IdP to Security Cloud.

Select the Manual Configuration option.
In the Single Sign-on Service URL (Assertion Consumer Service URL) field, enter the Sign on URL value provided by Okta.
In the Entity ID (Audience URI) field, enter the Issuer value provided by Okta
Upload the Signing Certificate provided by Okta.

What to do next

Next, follow the instructions in Step 4: Test your SAML integration and Step 5: Activate the integration to test and activate your integration.

Previous topic Integrating Google Identity with Security Cloud Sign On Next topic Integrating Ping Identity with Security Cloud Sign On