Okta as IDP Azure AD
has anyone successfully configured OKTA as Identity provider (IDP) in Azure Active Directory so that token recieved from OKTA can be leveraged by apps in Azure. I have gone thru several stackoverflow queries but none has any step by step guidance on how to add it in Azure AD as an external IDP.
any help?
thank you
• Yes, you can configure Okta as an IDP in Azure as a federated identity provider but please ensure that it supports SAML 2.0 or WS-Fed protocol for direct federation to work. Therefore, to proceed further, ensure that organization using Okta as an IDP has its DNS records correctly configured and updated for the domain to be matched with the target domain or a host within the target domain in case of a passive authentication URL.
Once, the DNS records are setup correctly for an IDP’s domain name, then configure the partner IDP with the required claims and relying party trusts such that their SAML metadata file or URL is retrieved and uploaded for adding the Okta using IDP as an external identity as shown below in the snapshot: -
• Once, you have configured the SAML/WS-Fed supporting Okta IDP as a partner/external identity provider in the Azure AD tenant, ensure to configure specific attributes and claims to be configured at the third-party IDP such that these attributes are received in the SAML 2.0 response from the IDP itself when any user tries to login to the Azure AD using Okta identity.
Ensure that the below attributes and claims are received as information in the SAML token from the configured Okta IDP: -
AssertionConsumerService, Audience, Issuer, NameID and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
From the above snapshot, ensure to fill the following details for configuring the Okta IDP as an external identity provider: -
a) Issuer URI - The issuer URI of the partner's IdP.
b) Passive authentication endpoint - The partner IdP's passive requestor endpoint.
c) Certificate - The signing certificate ID.
d) Metadata URL - The location of the IdP's metadata for automatic renewal of the signing certificate.
Thus, in this way, you can add an Okta based IDP in Azure through federated external identity. For more details regarding this, I would suggest you to please refer to the below links for more details: -
- Get all user properties from Microsoft graph
- How to do azure single sign on with next.js 14 and App Router
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered
- Azure AD permissions for MS Forms
- ASP.NET Core app running on IIS gives Http Error 401.2-Unauthorize
- Azure Active Directory skip account selection on logout
- Azure active directory - Get access token using Azure CLI
- Azure B2C / WPF - Handling a failed MFA verification flow
- How do I display Job Title in my Next Auth app
- Login failed for user identified principal
- What does "grant admin consent" button do in azure Azure Active Directory application?
- Azure AD Graph API or Powershell Graph: Gathering all the assigned roles that are associated to a group
- Azure AD user unable to connect to Azure SQL Error: 18456,State:1,Class:14
- Is there a way to add the sam_account_name of a user in the id_token claims?
- No users to select from the list in Azure Role assignments using Resource Group Owner
- Azure pipelines cannot connect to Azure SQL via AD/Entra using a custom console application
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?