Error "Cannot fetch login url: Invalid Client Secret for given Client ID" when adding Okta Directory on CIE.

Created On 02/13/24 01:54 AM - Last Modified 07/12/24 02:39 AM


Symptom


  • An administrator is trying to integrate Palo Alto Networks CIE (Cloud Identity Engine) with Okta Directory.
  • The admin is trying to use the Client Credential flow to integrate Okta.
  • Test connection throws this error on the top right side of the page and the integration fails: "Cannot fetch login url: Invalid Client Secret for given Client ID"
  • The same client ID and secret work when integrating Okta Directory with the Auth code flow, but the requirement is to use the Client Credential flow so that Sign In with Okta is not required.


Environment


  • Cloud Identity Engine (CIE) App on Hub (Apps.paloaltonetworks.com)
  • Okta Directory


Cause


This is caused by a configuration issue. Okta integration using the Client Credential flow must follow this document exactly as written.

Resolution


  1. The app should not be a custom one but the pre-defined Palo Alto Networks CIE app, which has sufficient privileges.
  2. If using a custom application, work with Okta support to make sure the required access noted in Step 3 of the document is granted.
  3. If that does not help, use the pre-defined application under API service integration on the Okta portal, as shown in the document; that should work.
  4. If another Prisma Access tenant needs to be integrated with the same Okta directory, create a new app integration on Okta to obtain a new client ID/secret, as the existing one will work for only one integration.
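To confirm, independently of CIE, whether Okta accepts the client ID/secret pair for the Client Credential flow at all (a wrong secret, or an app without that grant, both surface as `invalid_client`), the following diagnostic is an added example and not part of this article or any Palo Alto Networks tool. It assumes an Okta API service app authenticating with a client secret, the `okta.users.read` scope, and placeholder values for the Okta domain, client ID and secret.

```python
"""Added diagnostic (not from the article): request a token from Okta's org
authorization server with the client_credentials grant and report whether the
client ID/secret pair is accepted for that flow. Domain, ID and secret below
are placeholders; the okta.users.read scope and client_secret_basic auth are
assumptions about how the Okta API service app is configured."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

OKTA_DOMAIN = "example.okta.com"      # placeholder
CLIENT_ID = "0oaEXAMPLEclientid"      # placeholder
CLIENT_SECRET = "EXAMPLE-secret"      # placeholder; load from a secret store in practice


def build_token_request(domain, client_id, client_secret, scope="okta.users.read"):
    """Build the client_credentials token request (client_secret_basic auth)."""
    creds = f"{client_id}:{client_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    return f"https://{domain}/oauth2/v1/token", headers, body


def classify_response(status, body_json):
    """Map Okta's token response to the likely cause of the CIE test-connection failure."""
    if status == 200 and "access_token" in body_json:
        return "ok: client ID/secret accepted for client_credentials"
    err = body_json.get("error", "")
    if err == "invalid_client":
        return "invalid_client: wrong secret/ID, or the app lacks the client_credentials grant"
    if err == "invalid_scope":
        return "invalid_scope: the app was not granted the requested Okta API scope"
    return f"unexpected: HTTP {status} {err}"


def check_credentials(domain, client_id, client_secret):
    """Send the request; Okta returns errors as HTTP 4xx with a JSON body."""
    url, headers, body = build_token_request(domain, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:
        try:
            payload = json.load(e)
        except ValueError:
            payload = {}
        return classify_response(e.code, payload)


if __name__ == "__main__":
    print(check_credentials(OKTA_DOMAIN, CLIENT_ID, CLIENT_SECRET))
```

A pair that succeeds here but still fails in CIE points at the app's permissions or the pre-defined-app requirement in the resolution above rather than at the secret itself.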

