Add SharePoint (On-Premise) in Okta

Important Note


Okta Group Push is not currently supported with the SharePoint On-Premise application.

We recommend you use only AD groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. or only Okta groups in order to configure authorization to your SharePoint server. Configuring Push Groups to your Active DirectoryActive Directory (AD) is a directory service that Microsoft developed for the Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. and attempting to use these groups for SharePoint authorization will result in problems accessing the application.


  1. Add the SharePoint (On-Premise) appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in..

    Go to Applications > Applications > Add Application and search for the app.

  2. On the General tab > App Settings, fill in the appropriate fields. These fields are used to connect and send information as part of the SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. assertion to SharePoint:

    • SharePoint Web Application URL: This points to the web application that is running on SharePoint. For example, https://app1. There can be multiple apps running on SharePoint, each of which needs a SharePoint app within Okta.
    • Application attributes: Admins can send information about Okta user profile attributes to SharePoint for auditing or logging purposes. Sending any custom Okta attributes is also supported. This information is not used for authentication or authorizing apps in SharePoint. Okta typically sends UPN and email data as part of the assertion.

      Acceptable formats for application attributes are:

      • Okta User Profile Attribute: For example, firstName|${user.firstName}|
      • Imported Attribute: For example, lastName|<appId>:${user.lastName}|

        You can obtain your app ID from your app's URL, as shown below:

    • Group filter: This field is sent as part of a SAML assertion. This is used for checking permissions in SharePoint.
  3. Go to SharePoint (On-Premise) app > Sign On > View Setup Instructions to install and configure SharePoint People Picker