Make Azure Active Directory an identity provider

To delegate authentication to Azure Active Directory, you need to configure it as an identity provider (IdP) in Okta.

  1. In the Admin Console, go to Security > Identity Providers.
  2. Click Add Identity Provider and select Add SAML 2.0 IdP.
  3. Enter AAD or your preferred name for the identity provider in the Name field.
  4. Complete these fields in the AUTHENTICATION SETTINGS area:
    • IdP Username: Enter
    • Filter: Optional. Select the Only allow usernames that match defined RegEx pattern check box and enter a regular expression pattern to filter IdP user names and prevent the IdP from authenticating unintended or privileged users.
    • Match against: Select Okta Username.
    • If no match is found: Optional. Select Create new user (JIT).
  5. Complete these fields in the JIT SETTINGS area:
    • Profile Master: Select the Update attributes for existing users check box.
    • Reactivation Settings: Optional. Select the Reactivate users who are deactivated in Okta and Unsuspend users who are suspended in Okta check boxes.
    • Group Assignments: Optional. Select an option to define the behavior of group assignments during provisioning.
  6. Complete these fields in the SAML PROTOCOL SETTINGS area:
    • IdP Issuer URI: Enter the value from the Azure Active Directory Azure AD Identifier field you recorded previously.
    • IdP Single Sign-On URL: Enter the value from the Azure Active Directory Login URL field you recorded previously.
    • IdP Signature Certificate: Click Browse files, browse to the location of the identity provider PEM or DER key certificate you downloaded previously, and click Open.

  7. Click Add Identity Provider.
  8. On the Identity Providers page, click the expand icon for the AAD identity provider and record the values in these fields:
    • Assertion Consumer Service URL
    • Audience URI
  9. Sign in to the Microsoft Azure portal, click the portal menu icon in the top left, and select Azure Active Directory.
  10. Click Enterprise applications in the left menu and select Okta in the applications list.
  11. Click Single sign-on in the left menu and click SAML.
  12. Click Edit in the Basic SAML Configuration area and complete these fields:
    • Identifier (Entity ID): Enter the Audience URI value you recorded in step 8.
    • Reply URL (Assertion Consumer Service URL): Enter the Assertion Consumer Service URL value you recorded in step 8.
  13. Click Save and Close.
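To make the interplay of the AUTHENTICATION SETTINGS in step 4 concrete, here is an added Python simulation (not Okta's code) of how the RegEx filter, the match against Okta usernames and the JIT option decide the outcome of an inbound assertion; the user names, domain and pattern are constructed, and case-insensitive username comparison is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Simulation of the step 4 settings (not Okta's implementation):
#   1. optional RegEx filter on the IdP username
#   2. match the username against existing Okta usernames
#   3. if no match: JIT-create when enabled, otherwise reject


@dataclass
class InboundSamlPolicy:
    username_filter: Optional[str]        # "Only allow usernames that match defined RegEx pattern"
    jit_create: bool                      # "If no match is found: Create new user (JIT)"
    okta_users: Set[str] = field(default_factory=set)

    def filter_allows(self, idp_username: str) -> bool:
        if self.username_filter is None:
            return True
        # fullmatch so the pattern must cover the whole username; an unanchored
        # search would let "bob@contoso.example.attacker.example" through
        return re.fullmatch(self.username_filter, idp_username, re.IGNORECASE) is not None

    def handle_assertion(self, idp_username: str) -> str:
        """Return 'rejected', 'matched' or 'created' for one inbound assertion."""
        if not self.filter_allows(idp_username):
            return "rejected"
        key = idp_username.lower()  # assumption: Okta usernames compare case-insensitively
        if key in self.okta_users:
            return "matched"
        if self.jit_create:
            self.okta_users.add(key)
            return "created"
        return "rejected"


def demo() -> dict:
    # Constructed example: allow only contoso.example accounts and keep the
    # privileged "admin" account from being federated or JIT-created.
    policy = InboundSamlPolicy(
        username_filter=r"(?!admin@)[a-z0-9._-]+@contoso\.example",
        jit_create=True,
        okta_users={"alice@contoso.example"},
    )
    names = ["alice@contoso.example", "bob@contoso.example", "Bob@contoso.example",
             "admin@contoso.example", "bob@contoso.example.attacker.example"]
    return {n: policy.handle_assertion(n) for n in names}
```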

Next steps

Map Azure Active Directory attributes to Okta attributes