Install and configure Microsoft ADFS in Okta
Before installing the Okta Multifactor Authentication (MFA) provider for Active Directory Federation Services (ADFS), you must:
- Select authentication factors
- Define the groups that will be authenticated by the Microsoft ADFS (MFA) application
- Add the Microsoft ADFS (MFA) application
- Enable Cross-Origin Resource Sharing
Okta orgs that are not configured to support OpenID Connect and Single Sign-On can still install and configure Microsoft ADFS, but they must use MFA as a service.
Select authentication factors:
- In the Admin Console, go to Security > Multifactor.
- Select the Factor Types tab.
- Activate factors by selecting a factor and clicking Inactive > Activate.
See also MFA.
Define the groups that will be authenticated by the Microsoft ADFS (MFA) application:
- Sign in to your Okta tenant as an administrator.
- In the Admin Console, go to Directory > Groups.
- Click Add Group.
- Complete the fields in the Add group dialog and click Save.
- Add people to the group. See Users, groups, and profiles.
Add the Microsoft ADFS (MFA) application:
- Sign in to your Okta org as an administrator.
- In the Admin Console, go to Applications > Applications > Add Application, and search for Microsoft ADFS (MFA).
- Click Add Application.
- Enter a unique name.
For Okta orgs enabled for OpenID Connect and Single Sign-On:
- On the Sign-On options page, ensure that OpenID Connect is selected, enter an appropriate Redirect URI, and click Done. Ensure that the Redirect URI ends with a forward slash, for example https://yourdomain.com/.
- Select the Sign on tab of the newly created Microsoft ADFS application and confirm that the sign-on mode is OpenID Connect.
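Okta matches the Redirect URI of an OpenID Connect application exactly, so a URI that is missing its trailing slash, uses plain http, or carries a query string will not match the callback the plugin sends. The following PowerShell function is an added example for checking a candidate Redirect URI before you enter it; it is not part of the Okta documentation or the plugin, and the rules it enforces (https only, trailing slash, no query, fragment, or embedded credentials) are this example's own assumptions about what a safe value looks like.

```powershell
# Added example (not from the Okta documentation): pre-flight check for the
# Redirect URI entered on the Sign-On options page. The rules applied here are
# this example's assumptions, not an Okta-published specification.
function Test-AdfsRedirectUri {
    param([Parameter(Mandatory)][string]$Uri)

    $problems = @()
    $parsed = $null
    if (-not [System.Uri]::TryCreate($Uri, [System.UriKind]::Absolute, [ref]$parsed)) {
        return [pscustomobject]@{ Uri = $Uri; Valid = $false; Problems = @('not an absolute URI') }
    }
    if ($parsed.Scheme -ne 'https') { $problems += 'scheme must be https' }
    if (-not $Uri.EndsWith('/'))    { $problems += 'must end with a forward slash' }
    if ($parsed.Query)              { $problems += 'must not contain a query string' }
    if ($parsed.Fragment)           { $problems += 'must not contain a fragment' }
    if ($parsed.UserInfo)           { $problems += 'must not embed credentials' }

    [pscustomobject]@{ Uri = $Uri; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample values: only the first one should pass.
'https://yourdomain.com/',
'https://yourdomain.com',
'http://yourdomain.com/',
'https://yourdomain.com/?next=1' |
    ForEach-Object { Test-AdfsRedirectUri $_ } |
    Format-Table -AutoSize
```

Run it with the exact string you intend to paste into the Redirect URI field; a Valid value of True with an empty Problems list means the value satisfies the checks above.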
For Okta orgs not enabled for OpenID Connect and Single Sign-On:
- Select the General tab and note the values of the Client ID and Client secret. These values are required during the Install the Okta ADFS Plugin on your ADFS Server task.
- Follow the steps to modify the plugin configuration, and confirm that useOIDC is set to false (set it to false if it is not).
After changing the configuration, you must restart the agent.
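The two steps above (set useOIDC to false, then restart) are easy to do by hand but also easy to get half-done, with the setting changed and the service still running the old configuration. The following PowerShell script is an added example, not Okta's own tooling. It assumes that the plugin configuration is a JSON file at the placeholder path shown, that useOIDC is a top-level key in it, and that "restart the agent" means restarting the AD FS Windows service (adfssrv) on the server where the plugin is installed; verify all three against your installation before using it.

```powershell
# Added example, not Okta's own tooling. Sets useOIDC to false in the Okta ADFS
# plugin configuration and restarts the AD FS service so the change takes effect.
# Assumptions: the configuration is JSON, its path is the placeholder below, and
# the plugin is hosted by the AD FS service (adfssrv).
$ConfigPath  = 'C:\PATH\TO\okta-adfs-plugin-config.json'   # placeholder, adjust to your install
$ServiceName = 'adfssrv'                                    # AD FS Windows service

if (-not (Test-Path $ConfigPath)) { throw "Config not found: $ConfigPath" }

# Keep a timestamped backup before touching the configuration.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $ConfigPath -Destination $backup

$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if ($null -eq $config.PSObject.Properties['useOIDC']) {
    # Key absent: add it explicitly rather than relying on a default.
    $config | Add-Member -NotePropertyName 'useOIDC' -NotePropertyValue $false
} else {
    $config.useOIDC = $false
}
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $ConfigPath -Encoding UTF8

# Restart the service that hosts the plugin, then report its state so a failed
# restart is noticed immediately rather than at the next sign-in.
Restart-Service -Name $ServiceName
$status = (Get-Service -Name $ServiceName).Status
"useOIDC set to false in $ConfigPath (backup: $backup); $ServiceName is $status"
```

Run it in an elevated PowerShell session on the ADFS server. Restarting adfssrv interrupts federated sign-ins for the duration of the restart, so schedule it like any other ADFS maintenance and restart each node in a farm in turn.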
Enable Cross-Origin Resource Sharing (CORS):
For more information about CORS, see CORS Overview.
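In Okta, CORS is enabled per origin by registering the origin as a Trusted Origin with the CORS scope. The following PowerShell script is an added example that registers the ADFS server's origin through the Okta Trusted Origins API (/api/v1/trustedOrigins); it is not part of the Okta documentation, and the org URL, the ADFS origin, and the trusted-origin name are placeholders you must replace. It reads the API token from an environment variable rather than embedding it.

```powershell
# Added example, not from the Okta documentation. Registers the ADFS server's
# origin as an Okta Trusted Origin with the CORS scope, which is what allows the
# plugin's browser-side requests to reach your Okta org. Placeholder values:
# org URL, ADFS origin and the trusted-origin name.
$OktaOrgUrl = 'https://PLACEHOLDER.okta.com'
$AdfsOrigin = 'https://adfs.yourdomain.com'   # scheme + host only, no path
$ApiToken   = $env:OKTA_API_TOKEN             # keep the token out of the script

if (-not $ApiToken) { throw 'Set OKTA_API_TOKEN before running.' }

$headers = @{
    Authorization  = "SSWS $ApiToken"
    Accept         = 'application/json'
    'Content-Type' = 'application/json'
}

# Idempotent: do not create a duplicate if the origin is already registered.
$existing = Invoke-RestMethod -Method Get -Uri "$OktaOrgUrl/api/v1/trustedOrigins" -Headers $headers
$match = $existing | Where-Object { $_.origin -eq $AdfsOrigin }

if ($match) {
    "Trusted origin already present: $($match.name) [$($match.status)]"
} else {
    # Only the CORS scope is granted; add nothing the plugin does not need.
    $body = @{
        name   = 'ADFS MFA plugin'
        origin = $AdfsOrigin
        scopes = @(@{ type = 'CORS' })
    } | ConvertTo-Json -Depth 5

    $created = Invoke-RestMethod -Method Post -Uri "$OktaOrgUrl/api/v1/trustedOrigins" -Headers $headers -Body $body
    "Created trusted origin $($created.id) for $($created.origin)"
}
```

The origin must be exactly the scheme and host (and port, if non-standard) that the browser sends in its Origin header; a path or trailing slash will not match. Use an API token scoped to an admin role that can manage trusted origins and nothing broader, and remove the origin again if the ADFS server is decommissioned.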