Okta as IDP Azure AD - azure-active-directory
Has anyone successfully configured OKTA as an Identity Provider (IDP) in Azure Active Directory so that the token received from OKTA can be leveraged by apps in Azure?
I have gone through several Stack Overflow queries, but none has any step-by-step guidance on how to add it in Azure AD as an external IDP.
any help?
thank you
• Yes, you can configure Okta as an IDP in Azure as a federated identity provider, but please ensure that it supports the SAML 2.0 or WS-Fed protocol for direct federation to work. Therefore, to proceed further, ensure that the organization using Okta as an IDP has its DNS records correctly configured and updated, so that the domain matches the target domain, or a host within the target domain in the case of the passive authentication URL.
Once the DNS records are set up correctly for the IDP's domain name, configure the partner IDP with the required claims and relying party trusts so that its SAML metadata file or URL can be retrieved and uploaded when adding Okta as an external identity provider, as shown below in the snapshot: -
• Once you have configured the SAML/WS-Fed-supporting Okta IDP as a partner/external identity provider in the Azure AD tenant, ensure that the specific attributes and claims are configured at the third-party IDP so that these attributes are received in the SAML 2.0 response from the IDP itself when any user tries to log in to Azure AD using an Okta identity.
Ensure that the below attributes and claims are received in the SAML token from the configured Okta IDP: -
AssertionConsumerService, Audience, Issuer, NameID and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
From the above snapshot, ensure that you fill in the following details when configuring the Okta IDP as an external identity provider: -
a) Issuer URI - The issuer URI of the partner's IdP.
b) Passive authentication endpoint - The partner IdP's passive requestor endpoint.
c) Certificate - The signing certificate ID.
d) Metadata URL - The location of the IdP's metadata for automatic renewal of the signing certificate.
Thus, in this way, you can add an Okta-based IDP in Azure through federated external identity. For more details regarding this, please refer to the link below: -
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation#step-1-determine-if-the-partner-needs-to-update-their-dns-text-records
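As an added example that is not part of the answer above, the following Python check pulls the four values the Azure AD portal asks for (items a) to d)) out of an IdP metadata document and then checks a SAML response for the five items the answer lists (AssertionConsumerService, Audience, Issuer, NameID and the emailaddress claim). The metadata, the response, the Okta identifiers and the Azure AD ACS/audience values used for comparison are constructed placeholders and assumptions for this example; the answer itself gives no concrete values.

```python
"""Check an IdP's SAML metadata and a SAML response for the fields Azure AD
direct federation expects. Added example; all documents below are constructed."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Assumed Azure AD relying-party values for SAML direct federation (not from the post).
AZURE_ACS = "https://login.microsoftonline.com/login.srf"
AZURE_AUDIENCE = "urn:federation:MicrosoftOnline"

# Constructed Okta-style IdP metadata; entityID, URL and certificate are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk_example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICEXAMPLEBASE64CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk_example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML response as Okta would post it to the Azure AD ACS (signature omitted).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://login.microsoftonline.com/login.srf">
  <saml:Issuer>http://www.okta.com/exk_example</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk_example</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def idp_settings(metadata_xml):
    """Return the values the portal form asks for: issuer URI, passive endpoint, signing cert."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(".//md:SingleSignOnService"
                    "[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    return {
        "issuer_uri": root.get("entityID"),
        "passive_endpoint": sso.get("Location") if sso is not None else None,
        "signing_cert": cert.text.strip() if cert is not None and cert.text else None,
    }


def check_response(response_xml, expected_issuer):
    """Return a list of problems; an empty list means all five listed items are present.
    This only checks presence and values: a real relying party must first verify the
    XML signature against the signing certificate before trusting any of these fields."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != AZURE_ACS:  # AssertionConsumerService the IdP posted to
        problems.append("AssertionConsumerService (Destination) is not %s" % AZURE_ACS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append("Issuer %r does not match IdP entityID %r" % (issuer, expected_issuer))
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != AZURE_AUDIENCE:
        problems.append("Audience %r is not %s" % (audience, AZURE_AUDIENCE))
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("NameID missing")
    email = assertion.find(".//saml:Attribute[@Name='%s']/saml:AttributeValue" % EMAIL_CLAIM, NS)
    if email is None or not email.text:
        problems.append("emailaddress claim missing")
    return problems


if __name__ == "__main__":
    settings = idp_settings(IDP_METADATA)
    print(settings)
    print(check_response(SAML_RESPONSE, settings["issuer_uri"]) or "response OK")
```

Point idp_settings at the metadata URL's content (item d) to get the same issuer, passive endpoint and certificate the portal wants typed into items a) to c); run check_response against a response captured from a browser SAML trace when a sign-in fails with a claims error.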
Related
How to implement AAD B2C and OKTA Integration?
We have a requirement to integrate ADB2C with OKTA as an external Identity Provider. OKTA will hold the external users, and these users need to access the applications hosted on Azure. How do I implement the integration between AAD B2C and OKTA?
Thanks for posting your query. In order to integrate OKTA as IDP, kindly follow: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy. It has to be added as a SAML IDP.
You can configure Azure AD B2C to allow users to sign in to your application with credentials from external social or enterprise SAML identity providers (IdP). When Azure AD B2C federates with a SAML identity provider, it acts as a service provider initiating a SAML request to the SAML identity provider, and waiting for a SAML response. In the following diagram:
a) The application initiates an authorization request to Azure AD B2C. The application can be an OAuth 2.0 or OpenID Connect application, or a SAML service provider.
b) In the Azure AD B2C sign-in page, the user chooses to sign in with a SAML identity provider account (for example, Contoso).
c) Azure AD B2C initiates a SAML authorization request and takes the user to the SAML identity provider to complete the sign-in.
d) The SAML identity provider returns a SAML response.
e) Azure AD B2C validates the SAML token, extracts claims, issues its own token, and takes the user back to the application.
Yes, Azure Active Directory B2C has a free tier for your first 50,000 monthly active users (MAU), which you can use for testing purposes. https://azure.microsoft.com/en-in/trial/get-started-active-directory-b2c/
a) Log in to the Azure portal by using your existing Azure subscription or by starting a free trial.
b) On the left side, click on the New button and search for B2C. Click Create.
c) Click Create a new Azure AD B2C tenant and fill in all the fields. Once you are ready, click Create and wait for creation of your directory to finish.
d) Once your directory is created, a prompt will appear notifying you that your new directory is ready. Click on the link in the prompt to access your new directory.
e) The B2C settings blade appears, where you configure and manage your Azure Active Directory B2C directory.
Thanks
Troubleshooting header based single sign on in Azure AD Proxy
I have configured header based single sign on through Azure AD Proxy. Post authentication, headers are received by integrated applications. I am checking if I can also trace SSO headers passed from Azure AD proxy?
Required information to configure an application with Azure AD SSO
We need to configure our application's SSO with Azure AD. The developer is asking for the information below to configure SSO; could you please tell me where I can find this information in Azure AD? What we will need from the SSO provider are the following details:
a) Issuer URL
b) Sign-in URL
c) X.509 Certificate
Thanks in advance, Rocky
AWS Cognito fails to achieve uniqueness in pool for OIDC Microsoft Azure federated users
AWS Cognito cannot translate correctly the incoming OIDC Microsoft Azure generated user_id (microsoft_). Some characters in the part are treated as capitals and others as lower case with no rule, so it fails to achieve uniqueness (based on email) when I call the AdminLinkProviderForUser function. With a SAML connection it works correctly, BUT SAML doesn't work with accounts outside the current Azure Active Directory.
Is it possible to add onprem_sid claim to AAD Identity Token obtained via AAD v2 endpoint?
I've got a SPA application that uses MSAL to obtain an identity token for a user authenticating against our AAD. We have a one-way sync from our on-prem AD to our AAD and the on-prem SID is stored in the AAD. When I was using ADAL to obtain a token, I actually received the on-prem SID as part of the identity token; however, that changed when switching to MSAL. I'm curious if there is some way to add the on-prem SID claim to the token returned from the v2 endpoint?
AFAIK, Azure AD v2.0 doesn't support issuing custom claims at present. You can send a feature request to the Azure AD Feedback Forum.