Make Azure Active Directory an identity provider
To delegate authentication to Azure Active Directory, you need to configure it as an identity provider (IdP) in Okta.
Before you begin
Complete Create the Okta enterprise app in Azure Active Directory and make note of the following values:
- Azure AD Identifier
- Login URL
- Downloaded certificate (Base64)
Start this procedure
This procedure involves the following tasks:
1. In the Admin Console, go to Security > Identity Providers.
2. Click Add Identity Provider and select Add SAML 2.0 IdP.
3. Enter AAD, or your preferred name for the identity provider, in the Name field.
4. Complete the following fields in the AUTHENTICATION SETTINGS area:
   - IdP Username: Enter idpuser.email.
   - Filter: Select the Only allow usernames that match defined RegEx pattern check box and enter a regular expression pattern. Only IdP usernames that match the pattern are accepted, which prevents the IdP from authenticating unintended or privileged users.
   - Match against: Select an Okta user attribute from the drop-down list, for example Okta Username. This attribute is compared with the IdP username to find existing users.
   - Account Link Policy: Select Automatic to link incoming IdP users to existing Okta users automatically. Select Disabled if you want to link users manually or don't want to link users at all. To restrict automatic linking to certain groups, select Specific Groups from the drop-down list and enter the group names; an IdP user is then linked automatically only if the matching Okta user belongs to any of the specified groups.
   - If no match is found: Optional. Select Create new user (JIT) to create a new account for an unmatched user.
5. Complete the following fields in the JIT SETTINGS area:
   - Profile Source: Select the Update attributes for existing users check box.
   - Select the Reactivate users who are deactivated in Okta and Unsuspend users who are suspended in Okta check boxes.
   - Select an option to define the behavior of group assignments during provisioning. You can assign the user to specific groups, add them to missing groups based on a SAML attribute name and group filter, or do a full sync of groups.
6. Complete the following fields in the SAML PROTOCOL SETTINGS area:
   - IdP Issuer URI: Enter the Azure AD Identifier value you recorded previously.
   - IdP Single Sign-On URL: Enter the Azure AD Login URL value you recorded previously.
   - IdP Signature Certificate: Click Browse files, browse to the identity provider PEM or DER certificate you downloaded previously, and click Open.
7. Click Add Identity Provider.
8. On the Identity Providers page, click the expand icon for the AAD identity provider and record the values in these fields:
   - Assertion Consumer Service URL
   - Audience URI
9. Sign in to the Microsoft Azure portal, click the portal menu icon in the top left, and select Azure Active Directory.
10. Click Enterprise applications in the left menu and select Okta in the applications list.
11. Click Single sign-on in the left menu and click SAML.
12. Click Edit in the Basic SAML Configuration area and complete the following fields:
    - Identifier (Entity ID): Enter the Audience URI value you recorded in step 8.
    - Reply URL (Assertion Consumer Service URL): Enter the Assertion Consumer Service URL value you recorded in step 8.
13. Click Save and Close.
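As an added illustration, not part of the Okta documentation or of Okta's implementation, the following Python models the Filter, the match against Okta Username, the Account Link Policy and the JIT fallback from the AUTHENTICATION SETTINGS step, using a constructed user store and a constructed filter pattern. Its point is that the regular expression you enter should carry its own anchors (^ and $), so that a look-alike domain or a privileged account cannot satisfy the filter as a substring.

```python
import re

# Constructed sample of an Okta user store (Okta Username -> group names); not real data.
OKTA_USERS = {
    "alice@contoso.example": {"Everyone", "AAD-Federated"},
    "bob@contoso.example":   {"Everyone"},
    "admin@contoso.example": {"Everyone", "Okta Administrators"},
}

# Constructed pattern for the Filter field: only lower-case users at contoso.example,
# never the break-glass admin account. Anchored so the whole username must match.
FILTER_PATTERN = r"^(?!admin@)[a-z0-9._%+-]+@contoso\.example$"
# Same pattern without anchors, kept only to demonstrate the weakness.
UNANCHORED_PATTERN = r"(?!admin@)[a-z0-9._%+-]+@contoso\.example"


def username_allowed(idp_username: str, pattern: str) -> bool:
    """Model of 'Only allow usernames that match defined RegEx pattern' (not Okta's
    code): the entire IdP username (idpuser.email) must match the pattern."""
    return re.fullmatch(pattern, idp_username) is not None


def substring_filter_allows(idp_username: str, pattern: str) -> bool:
    """Counter-example: a substring search. With an unanchored pattern this accepts
    'alice@contoso.example.attacker.test' and even 'admin@contoso.example'."""
    return re.search(pattern, idp_username) is not None


def link_decision(idp_username, pattern, link_policy="Automatic",
                  specific_groups=None, jit=False):
    """Model of the flow described on the page: Filter, then match the IdP username
    against Okta Username, then apply the Account Link Policy, then the JIT option."""
    if not username_allowed(idp_username, pattern):
        return "rejected by filter"
    groups = OKTA_USERS.get(idp_username)        # match against Okta Username
    if groups is None:                           # "If no match is found"
        return "created (JIT)" if jit else "no match, no JIT"
    if link_policy == "Disabled":
        return "match found, manual link required"
    if specific_groups and not groups & set(specific_groups):
        return "match found, not in specified groups"
    return "linked"
```

Whether the platform adds anchors on your behalf is not stated on this page; writing ^ and $ yourself is correct in either case.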