Integrating Azure Active Directory With Okta
Updated: Dec 17, 2020
I've been working with Okta lately and I wanted to share a more detail guide on how to integrate Okta with Azure Active Directory by adding it as an identity provider within the Okta platform. Okta provides a fairly detailed guide that I'll be referencing throughout this post (linked at the bottom of this post).
However, there are a few specific steps their documentation misses that I'd like to share.
Step 1: Create Azure AD Enterprise Application
Start by navigating to Azure Active Directory within the Azure Portal
Click "Enterprise applications" on the left menu
Choose "+ New application" in the top menu
Click "+ Create your own application" on the top menu of the "Browse Azure AD Gallery" page
Name your new enterprise application "Okta"
Choose "Integrate any other application you don't find in the gallery"
Step 2: Configure Your Enterprise Application
This step is the core of the issue I found within the Okta documentation. Follow them very closely, or you'll see exceptions when you first attempt to log in after the configuration.
On your enterprise application's page, click "Single sign-on" on the left menu
Within the SAML configuration, on step 2 (User Attributes & Claims), choose Edit
Update it with claims that match the screenshot below (Claims Settings)
Go back to the "Single sign-on" page within your Azure Active Directory enterprise application
On step 3 (SAML Signing Certificate) click Add a certificate
Choose "+ New Certificate"
Step 3: Create Okta Identity Provider
Okta provides excellent documentation on this part of the configuration. To get the Okta side of things configured, follow these two guides they've published:
Step 4: Let's Test It
Head back to your Azure Active directory SAML-based Sign-on page
Scroll to the bottom of the page and click "Test" in step 5
Choose Sign in as current user
If you land on the home page of your Okta tenant, you're all done! If not, see my troubleshooting guide below
So, you very well may run into issues setting this up. If that's the case, you'll want to:
Head to the system logs within your Okta tenant under Reports > System Log
Look for Authenticate user via IDP logs
If you see "Unknown Profile Attribute" or "Unable to transform email to username" check to make sure you've configured the claims outlined in Step 2 of this guide. That means that Okta can't find the claims it needs within your SAML token.
Okta: Integrate Active Directory With Okta: https://help.okta.com/en/prod/Content/Topics/Provisioning/azure/azure-integrate-main.htm