Configure the Secure Access Monitor plugin

Early Access release. See Enable self-service features. Use of Okta for AI Agents is subject to the applicable Okta for AI Agents Terms (Early Access).

The Secure Access Monitor (SAM) plugin is a managed Chrome extension. Configure the SAM plugin to monitor for unmanaged OAuth grants and securely transfer the collected data to Okta Identity Security Posture Management (ISPM).

Before you begin

  • Your Okta org is connected to Google Chrome Enterprise. The SAM plugin only works on managed Chrome browsers. See Integrate Okta with Chrome Enterprise.

  • Your Chrome browsers are enrolled into Google Chrome Enterprise Core. If they aren't, follow the steps in Enroll cloud-managed Chrome browsers. This is required to provision the Google CA certificate. Third-party MDM solutions alone are insufficient. Windows devices require additional registry settings or MDM policy to complete the enrollment.

  • You have the super admin role.

  • You have access to the Google Admin Console.

  • You have an active Okta ISPM tenant (ISPM or Okta AI License).

  • Your security policies don't block OAuth grants.

  • You're aware that the SAM plugin client certificate interferes with manual certificate selection flows (Smart Card, PIV, Legacy Device Trust).

  • If you use a SASE solution, you've configured it to exempt the Okta URL (https://<org>.mtls.okta.com) from TLS inspection.

Configure the Chrome browser

Configure the certificate to be sent automatically to the Okta data endpoint. First, provision and download the Google Certificate Authority. Then, configure the client certificate settings.

Provision and download the Google Certificate Authority

Provision and download the Google Certificate Authority. For more information, see Configure Chrome browser to provision its own client certificate (Step 1: Provision a Google CA).

  1. Sign in to the Google Admin Console with an admin account.

  2. In the Google Admin Console, go to Chrome browser > Connectors.

  3. Select the organizational unit that you want to apply the Google Certificate Authority configuration to.

  4. On the Connectors page, click + New provider configuration.

    If you already have a provider configuration set up, like for Okta Device Trust, create the Google CA as an additional provider configuration. Both can be applied to the same organizational unit.

  5. In the Set up a provider panel, find Google Certificate Authority and click Set up.

  6. Click Provision.

  7. On the Connectors page, click Details for Google Certificate Authority.

  8. Download GoogleCertificateAuthority.pem.

Configure the client certificate setting

Configure the client certificates setting. For more information, see Configure Chrome browser to provision its own client certificate (Step 2: Configure the Client certificates setting).

  1. Sign in to the Google Admin Console with an admin account.

  2. In the Google Admin Console, go to Chrome browser > Settings.

  3. Select the appropriate organizational unit.

  4. On the User & browser settings tab, search for and click Client certificates.

  5. In the Automatically select for these sites field, enter the following and replace <org> with your Okta org subdomain: {"pattern": "https://<org>.mtls.okta.com", "filter": {"ISSUER": {"CN":"Chrome Enterprise CA"}}}.

    If your org is a preview org, replace <org>.mtls.okta.com with <org>.mtls.oktapreview.com.

  6. To verify that the policy was applied, use a managed Chrome browser and go to chrome://policy/. Locate AutoSelectCertificateForUrls in the policy list and confirm your entry appears there.

Upload the Certificate Authority to the Okta Admin Console

Upload the CA that you got from the Google Admin Console into the Okta Admin Console. This certificate is required for the client certificate authentication process.

  1. In the Okta Admin Console, go to Security > Device Integrations.

  2. Click the Certificate authority tab.

  3. Click Add certificate authority.

  4. For Issue certificate to, select Secure Access Monitor plugin.

  5. Upload the CA certificate chain. The file type must be .pem.

Install the plugin

  1. Sign in to the Google Admin Console.

  2. Go to Chrome browser > Apps & extensions.

  3. Click the Users & browsers tab.

  4. Select your Okta organizational unit.

    If you want to test the installation on a subset of users, create a group or organizational unit of select users and choose that instead. For more information, see Groups and Add an organizational unit.

  5. Click the + icon on the bottom right and select Add Chrome app or extension by ID.

  6. In the Extension ID field, enter the SAM plugin ID: galipinbbdandeicdicjbalcbpdbljjj.

  7. Click Save.

  8. Open the SAM plugin settings.

  9. Change Allow install to Force install.

  10. In the Policy for extensions field, enter the following JSON and replace <org> with your Okta org subdomain: { "orgUrl": { "Value": "https://<org>.okta.com" } }.

  11. Click SAVE.

For more information, see Automatically install apps and extensions.

Sign in users to managed Chrome profiles

For the configuration to take effect, your end users need to sign in to their managed Chrome profiles and their Okta End-User Dashboard using your Okta org URL.

Verify the configuration

Once you've configured and deployed the SAM plugin, data flows from the users' browsers to Okta.

To verify the configuration, verify that the data is flowing to Okta by checking the ISPM dashboard. It may take up to seven days for the data to appear in the ISPM console. For more information, see Identify shadow AI agents using OAuth grants.