Make Azure Active Directory an identity provider
To delegate authentication to Azure Active Directory, you need to configure it as an identity provider (IdP) in Okta.
1. In the Admin Console, go to Security > Identity Providers.
2. Click Add Identity Provider and select Add SAML 2.0 IdP.
3. Enter AAD or your preferred name for the identity provider in the Name field.
4. Complete these fields in the AUTHENTICATION SETTINGS area:
   - IdP Username: Enter idpuser.email.
   - Filter: Optional. Select the Only allow usernames that match defined RegEx pattern check box and enter a regular expression pattern to filter IdP usernames and prevent the IdP from authenticating unintended or privileged users.
   - Match against: Select Okta Username.
   - If no match is found: Optional. Select Create new user (JIT).
5. Complete these fields in the JIT SETTINGS area:
   - Profile Master: Select the Update attributes for existing users check box.
   - Reactivation Settings: Optional. Select the Reactivate users who are deactivated in Okta and Unsuspend users who are suspended in Okta check boxes.
   - Group Assignments: Optional. Select an option to define how group assignments behave during provisioning.
6. Complete these fields in the SAML PROTOCOL SETTINGS area:
   - IdP Issuer URI: Enter the value you recorded previously from the Azure AD Identifier field in Azure Active Directory.
   - IdP Single Sign-On URL: Enter the value you recorded previously from the Login URL field in Azure Active Directory.
   - IdP Signature Certificate: Click Browse files, browse to the location of the identity provider PEM or DER signing certificate you downloaded previously, and click Open.
7. Click Add Identity Provider.
8. On the Identity Providers page, click the expand icon for the AAD identity provider and record the values in these fields:
   - Assertion Consumer Service URL
   - Audience URI
9. Sign in to the Microsoft Azure portal, click the portal menu icon in the top left, and select Azure Active Directory.
10. Click Enterprise applications in the left menu and select Okta in the applications list.
11. Click Single sign-on in the left menu and click SAML.
12. Click Edit in the Basic SAML Configuration area and complete these fields:
    - Identifier (Entity ID): Enter the Audience URI value you recorded in step 8.
    - Reply URL (Assertion Consumer Service URL): Enter the Assertion Consumer Service URL value you recorded in step 8.
13. Click Save and Close.
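As an added example (not from the Okta documentation), the following Python model walks a single SAML assertion through the AUTHENTICATION and JIT settings above: the username filter, the Match against Okta Username lookup, and the JIT, reactivation and unsuspend options. The user directory, the example.com domain and the filter pattern are constructed for illustration, and Okta usernames are assumed to be matched case-insensitively.

```python
import re

# Constructed sample Okta directory (not real data), keyed by lowercase Okta Username.
OKTA_USERS = {
    "alice@example.com": {"status": "ACTIVE"},
    "bob@example.com": {"status": "DEPROVISIONED"},
    "carol@example.com": {"status": "SUSPENDED"},
}

# Filter setting: an anchored pattern (^...$) yields the same result whether the
# evaluator uses search or full-match semantics. Names containing "admin" or
# "breakglass" and any foreign domain are kept outside the pattern, so the IdP
# can never assert those accounts into Okta (constructed policy, for illustration).
IDP_USERNAME_FILTER = r"^(?!.*(admin|breakglass))[a-z0-9._-]+@example\.com$"


def evaluate_login(idp_email, users, jit=True, reactivate=True, unsuspend=True):
    """Return the outcome Okta reaches for one assertion under the page's settings.

    idp_email is the value of idpuser.email taken from the SAML assertion.
    """
    username = idp_email.lower()  # IdP Username template: idpuser.email
    if not re.search(IDP_USERNAME_FILTER, username):
        return "REJECTED_BY_FILTER"  # filter blocks unintended/privileged users
    user = users.get(username)  # Match against: Okta Username
    if user is None:
        return "JIT_CREATE" if jit else "NO_MATCH"  # If no match is found
    status = user["status"]
    if status == "DEPROVISIONED":  # Reactivation Settings
        return "REACTIVATE" if reactivate else "DENIED_DEACTIVATED"
    if status == "SUSPENDED":
        return "UNSUSPEND" if unsuspend else "DENIED_SUSPENDED"
    return "SIGN_IN_UPDATE_ATTRIBUTES"  # Profile Master updates existing users


if __name__ == "__main__":
    for email in ("Alice@Example.com", "dave@example.com", "admin@example.com",
                  "mallory@evil.example", "bob@example.com", "carol@example.com"):
        print(f"{email:24} -> {evaluate_login(email, OKTA_USERS)}")
```

Run it with a disabled option (for example `jit=False`) to see which assertions the IdP configuration would turn away instead of provisioning.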