Configure Okta SharePoint People Picker agent

Installing the Okta SharePoint People Picker plugin lets SharePoint fetch users and groups from Okta. The People Picker plugin is a Microsoft Windows executable that you can download from the Downloads page of your Okta Administrator Dashboard.

Prerequisites

  • User account that has permissions to modify the SharePoint farm
  • SharePoint Management Shell or the SharePoint PowerShell snap-in to run PowerShell commands. Add the required snap-in to an existing PowerShell prompt by entering the following command:

    Add-PSSnapin Microsoft.SharePoint.PowerShell

Procedure

1. Set configuration values in SharePoint farm

You need to set several configuration values in the SharePoint farm to install the Okta People Picker. These values configure People Picker functionality and identify the Okta org that you are integrating with this SharePoint environment.

Property                        Value
--------                        -----
Okta API Key                    Read-only administrator API key generated during the prerequisite steps
BaseUrl                         Your Okta org domain, for example https://oktaorg.okta.com
OktaClaimProviderDisplayName    Set to Okta by default. Can be set to a different value if you prefer a different display name for the Okta People Picker
MapUpnToWindowsUser             Configuration flag to enable or disable C2WTS protocol translation
UniqueUserIdentifierClaimType   Defines the unique user identifier claim. The identifier claim type on the Okta trusted token issuer must be unique and immutable, and must match UniqueUserIdentifierClaimType. Set to Email or UserName, depending on which attribute you want to use as the identifier claim.

2. Run the appropriate commands

Replace the placeholder values in the commands below with the values defined above, then enter the commands.

Tip

Type in the commands rather than copy and paste.

  1. Enter the following commands to update the farm properties.

    $farm = Get-SPFarm
    $farm.Properties["OktaApiKey"] = "OktaAPIKey"
    $farm.Properties["OktaBaseUrl"] = "https://oktaorg.okta.com"
    $farm.Properties["OktaLoginProviderName"] = "Okta"
    $farm.Properties["OktaClaimProviderDisplayName"] = "Okta"

  2. Optional: If you are enabling C2WTS, enter the following command. If not, go to the next step.

    $farm.Properties["MapUpnToWindowsUser"] = $true

  3. To specify UniqueUserIdentifierClaimType, enter one of the following commands.

    $farm.Properties["UniqueUserIdentifierClaimType"] = "Email"

    OR

    $farm.Properties["UniqueUserIdentifierClaimType"] = "UserName"

  4. Enter the following command to save the farm values.

    $farm.Update()
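The steps above, as an added example that is not part of the Okta page or the People Picker product: it sets the same farm properties, but from variables, checks that BaseUrl is an https origin and that the claim type is one of the two accepted values before touching the farm, prompts for the API key so the key does not end up in the shell history, and reads the values back from a fresh Get-SPFarm object after Update() so you can confirm they persisted. The org URL, claim type and C2WTS flag are placeholder values you must replace.

```powershell
# Added example (not from the Okta documentation): configure the People Picker
# farm properties with validation and a read-back check.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Prompt for the read-only admin API key instead of placing it on the command
# line, so it does not appear in the PowerShell history or a transcript.
$secureKey = Read-Host -Prompt "Okta read-only admin API key" -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey)
try {
    $oktaApiKey = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$oktaBaseUrl = "https://oktaorg.okta.com"   # placeholder: your Okta org, https only
$claimType   = "Email"                       # "Email" or "UserName"
$enableC2wts = $false                        # $true only if you use C2WTS

# Sanity checks before writing anything to the farm.
if ($oktaBaseUrl -notmatch '^https://[^/]+$') {
    throw "OktaBaseUrl must be an https origin without a path: $oktaBaseUrl"
}
if (@("Email", "UserName") -notcontains $claimType) {
    throw "UniqueUserIdentifierClaimType must be Email or UserName, got: $claimType"
}
if ([string]::IsNullOrEmpty($oktaApiKey)) {
    throw "The Okta API key is empty"
}

$farm = Get-SPFarm
$farm.Properties["OktaApiKey"]                    = $oktaApiKey
$farm.Properties["OktaBaseUrl"]                   = $oktaBaseUrl
$farm.Properties["OktaLoginProviderName"]         = "Okta"
$farm.Properties["OktaClaimProviderDisplayName"]  = "Okta"
$farm.Properties["UniqueUserIdentifierClaimType"] = $claimType
if ($enableC2wts) {
    $farm.Properties["MapUpnToWindowsUser"] = $true
}
$farm.Update()

# Read back from a fresh farm object to confirm the values were persisted.
$check = Get-SPFarm
$names = "OktaBaseUrl", "OktaLoginProviderName", "OktaClaimProviderDisplayName",
         "UniqueUserIdentifierClaimType", "MapUpnToWindowsUser"
foreach ($name in $names) {
    "{0,-32} {1}" -f $name, $check.Properties[$name]
}
# Report only whether the key is present; never print the key itself.
$keyState = if ($check.Properties["OktaApiKey"]) { "(set)" } else { "(missing)" }
"{0,-32} {1}" -f "OktaApiKey", $keyState
```

The read-back uses a second Get-SPFarm call rather than the object you just wrote to, so it reflects what is actually stored in the configuration database, not the in-memory hashtable.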

 

3. Configure search scope values

You must also set several configuration values in the SharePoint web application so that the Okta People Picker can use a search scope.

 

$webApplication = Get-SPWebApplication

$webApplication.Properties["UserSearchScope"] = "OKTA"

OR

$webApplication.Properties["UserSearchScope"] = "APP"

$webApplication.Properties["UserSearchScopeAppId"] = "{AppID}"   # app instance id in the Okta org

$webApplication.Update()

 

Important

  • When the App ID is not provided or is invalid, UserSearchScope falls back to OKTA (org-level search) as the search scope.
  • People Picker does not verify that the specified App ID belongs to an app instance that is WS-Federated with this SharePoint web application. You must verify this manually.

 

When you have multiple web applications in the same farm, check the value of $webApplication before setting the properties, so that you set the values on the web application you intend.

 

Example: Set UserSearchScope and UserSearchScopeAppId for $webApplication[1]

 

PS C:\Users\administrator.SP10> $w[1].properties

Name                  Value
----                  -----
UserSearchScope       OKTA
UserSearchScopeAppID  0oalx5qLAHqqLVtNv0w4

PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScope"] = "APP"

PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScopeAppID"] = "0oalx5qLAHqqLVtNv0w4"

PS C:\Users\administrator.SP10> $w[1].properties

Name                  Value
----                  -----
UserSearchScope       APP
UserSearchScopeAppID  0oalx5qLAHqqLVtNv0w4

 

PS C:\Users\administrator.SP10> $w[1].update()
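A variant of the search-scope configuration, added here as an example rather than taken from the Okta page: it selects the web application by URL (Get-SPWebApplication -Identity) instead of by array index, so the farm-with-several-web-applications case described above cannot pick the wrong one silently, validates the scope value, rejects an APP scope whose app id does not have the shape of the example id on this page (a sanity check, not an Okta-documented format), clears a stale app id when switching back to OKTA, and reads the values back after Update(). The web application URL and app id are placeholders.

```powershell
# Added example (not from the Okta documentation): set UserSearchScope on a
# specific web application, chosen by URL, with validation and read-back.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://sharepoint.example.com"   # placeholder: the WS-Federated web app
$scope     = "APP"                               # "OKTA" (org-level) or "APP"
$appId     = "0oaPLACEHOLDER000000"              # placeholder Okta app instance id

if ($scope -ne "OKTA" -and $scope -ne "APP") {
    throw "UserSearchScope must be OKTA or APP, got: $scope"
}

# Assumption: Okta app instance ids look like the example on this page,
# "0oa" followed by 17 alphanumeric characters. This only catches typos; the
# People Picker itself does not check that the id belongs to an app federated
# with this web application, so that still has to be confirmed in Okta.
if ($scope -eq "APP" -and $appId -notmatch '^0oa[0-9A-Za-z]{17}$') {
    throw "UserSearchScopeAppId does not look like an Okta app instance id: $appId"
}

$webApplication = Get-SPWebApplication -Identity $webAppUrl -ErrorAction SilentlyContinue
if (-not $webApplication) {
    throw "No web application found at $webAppUrl"
}
"Configuring web application: " + $webApplication.Url

$webApplication.Properties["UserSearchScope"] = $scope
if ($scope -eq "APP") {
    $webApplication.Properties["UserSearchScopeAppId"] = $appId
} else {
    # Drop any leftover app id so nobody later mistakes it for an active setting.
    $webApplication.Properties.Remove("UserSearchScopeAppId")
}
$webApplication.Update()

# Read back from a fresh object to confirm the persisted values.
$check = Get-SPWebApplication -Identity $webAppUrl
"UserSearchScope      = " + $check.Properties["UserSearchScope"]
"UserSearchScopeAppId = " + $check.Properties["UserSearchScopeAppId"]
```

Because an invalid or missing App ID silently falls back to org-level search, the read-back step matters: a typo in the id does not produce an error, only a quietly wider search scope.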

 

4. Optional: Filter Active Directory imports

Okta People Picker shows users imported from Active Directory (AD) twice: once as an Okta user and once as an AD-domain user. With filtering enabled, you see and manage only the original AD users. You can also specify that certain domains retain the original behavior. Enabling this feature requires setting certain $farm object properties in SharePoint.

If you import from Active Directory, you can take advantage of the People Picker Active Directory filtering option, which allows for filtering AD imports.

To enable this feature, use the following properties:

$farm = Get-SPFarm

$farm.Properties["FilterActiveDirectoryClaims"] = $true

$farm.Properties["AllowedActiveDirectoryDomains"] = "foo.com", "bar.com"

$farm.Update()

 

Note

Active Directory domain filtering is only available with OKTA search scope.
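The Active Directory filtering steps, as an added example that is not part of the Okta page: it normalizes the allowed-domain list (trims, lower-cases, removes duplicates and rejects anything that is not a DNS name), warns about any web application in the farm whose UserSearchScope is not OKTA, since the note above says the filter only applies to that scope, and then sets and reads back the two farm properties. The domain names are placeholders; treating an unset UserSearchScope as OKTA is an assumption of this example.

```powershell
# Added example (not from the Okta documentation): enable AD import filtering
# with a normalized domain list and a search-scope check.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$allowedDomains = @("corp.example.com", " Child.Example.com ", "corp.example.com")  # placeholders

# Normalize: trim, lower-case, drop empties and duplicates.
$domains = @($allowedDomains |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ -ne "" } |
    Select-Object -Unique)
if ($domains.Count -eq 0) {
    throw "AllowedActiveDirectoryDomains must contain at least one domain"
}
foreach ($d in $domains) {
    if ($d -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
        throw "Not a DNS domain name: $d"
    }
}

# The filter only takes effect with the OKTA (org-level) search scope. Warn
# for every web application that uses a different scope. An unset value is
# treated as OKTA here (assumption of this example).
$nonOkta = @(Get-SPWebApplication | Where-Object {
    $s = $_.Properties["UserSearchScope"]
    $s -and $s -ne "OKTA"
})
foreach ($wa in $nonOkta) {
    Write-Warning ("{0} uses UserSearchScope={1}; AD domain filtering will not apply there" -f
        $wa.Url, $wa.Properties["UserSearchScope"])
}

$farm = Get-SPFarm
$farm.Properties["FilterActiveDirectoryClaims"]   = $true
$farm.Properties["AllowedActiveDirectoryDomains"]  = $domains
$farm.Update()

# Read back from a fresh farm object.
$check = Get-SPFarm
"FilterActiveDirectoryClaims   = " + $check.Properties["FilterActiveDirectoryClaims"]
"AllowedActiveDirectoryDomains = " + ($check.Properties["AllowedActiveDirectoryDomains"] -join ", ")
```

The warning is deliberately not an error: the farm property is global, so it is legitimate to enable filtering while some web applications use APP scope, as long as you know the filter will not affect those.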
