PAN-OS LDAP Integration with Okta for Group Mapping

Okta can be queried for group mapping information using LDAP. At the time of writing, the Okta documentation is here: Connecting to Okta using the LDAP Interface​. Configuration settings in this post were all tested and working with PAN-OS 9.0.2 and Okta's production admin GUI on 8th July 2019.

The Okta "LDAP Interface" is enabled in the Okta admin GUI from Directory -> Directory Integrations -> Add LDAP Interface. Once enabled, connection settings are presented to the administrator.

Server/Host: <org-subdomain>.ldap.okta.com

Port: tcp/636 using LDAPS

Base DN: dc=<org-subdomain>, dc=okta, dc=com

User Base DN: ou=users, dc=<org-subdomain>, dc=okta, dc=com

Group Base DN: ou=groups, dc=<org-subdomain>, dc=okta, dc=com

Bind DN: uid=<read-only-admin-account>, dc=<org-subdomain>, dc=okta, dc=com

Bind Password: Password for <read-only-admin-account>

The <org-subdomain> comes from your tenant (if you connect to example.okta.com then your LDAP host is example.ldap.okta.com). Note that your tenant may not be on okta.com, but instead be on another domain such as oktapreview.com or okta-emea.com, so amend accordingly.

The <read-only-admin-account> is an account which must be designated at least "Read Only Administrator" privileges in order to perform an LDAP bind. Go to Security -> Administrators in the Okta admin GUI to manage account administrative privileges.

When configuring an LDAP Server Profile in PAN-OS, the following configuration gives direction to your Okta tenant, using the settings listed above:

When configuring User-ID Group Mapping in PAN-OS, using the LDAP Server Profile configured in the previous step, the following configuration will retrieve group membership from Okta:

Group Objects -> Object Class: groupofUniqueNames

User Objects -> Object Class: inetOrgPerson

User Attributes -> Primary Username: uid

User Attributes -> Email: mail

Group Attributes -> Group Member: uniqueMember

The following PAN-OS CLI commands are useful during testing.

Refresh the group mapping, after making changes to PAN-OS config or after amending users and group membership in the directory:

debug user-id refresh group-mapping all

debug user-id refresh group-mapping group-mapping-name "cn=<group-name>,ou=groups,dc=<org-subdomain>,dc=okta,dc=com"

List all the groups ingested by PAN-OS:

show user group list

List the members of a group

show user group name "cn=<group-name>,ou=groups,dc=<org-subdomain>,dc=okta,dc=com"