Make Azure Active Directory an Identity Provider

To delegate authentication to Azure Active Directory (AAD), you need to configure it as an identity provider (IdP) in Okta.

Before you begin

Complete Create the Okta enterprise app in Azure Active Directory and make note of the following:

  • Login URL

  • AAD Identifier

  • Downloaded certificate (Base64)

Start this procedure

This procedure involves the following tasks:

  1. Add Azure AD as Identity Provider

  2. Update Okta app in Microsoft Azure portal

This procedure provides steps for using SAML to set up AAD as an Identity Provider. To use OpenID Connect, see Create an Identity Provider in Okta. After you create an IdP using OpenID Connect, you can set up a routing rule for Azure. See Configure identity provider routing rules.

Add Azure AD as Identity Provider

  1. In the Admin Console, go to SecurityIdentity Providers.

  2. Click Add Identity Provider and select Add SAML 2.0 IdP.
  3. Enter AAD or your preferred name for the identity provider in the Name field.
  4. Complete the following fields in the Authentication Settings section:

    Field Value
    IdP Username

    Enter idpuser.email.

    Filter Optional.

    Select the Only allow usernames that match defined RegEx pattern checkbox and enter a regular expression pattern. This pattern filters IdP usernames and prevents the IdP from authenticating unintended or privileged users.

    Match against Select an Okta user attribute from the dropdown list. For example, Okta Username.

    This Okta user attribute matches against the IdP username to find existing users.

    Account Link Policy

    Select Automatic to automatically link incoming IdP users to existing users in Okta.

    Select Disabled if you want to manually link users or don't want to link users.

    Auto-link Restrictions

    Optional.

    You can restrict automatic account-linking to certain specified groups.

    Select Specific Groups from the dropdown list and enter group names. The IdP user is automatically linked only if the matching user belongs to any of the specified groups.

    If no match is found Optional. Select Create new user (JIT) to create a new account for an unmatched user.

  5. Complete the following fields in the JIT Settings area:

    Field Value
    Profile Source Select the Update attributes for existing users checkbox.
    Reactivation Settings Optional.

    Select the Reactivate users who are deactivated in Okta and Unsuspend users who are suspended in Okta checkboxes.

    Group Assignments Optional.

    Select an option to define the behavior of group assignments during provisioning.

    You can assign the user to specific groups, add them to missing groups based on a SAML attribute name and group filter, or do a full sync of groups.

  6. Complete the following fields in the SAML Protocol Settings area:

    Field Value
    IdP Issuer URI Enter the value from the Azure AD Identifier field that you recorded previously.
    IdP Single Sign-On URL Enter the value from the Azure AD Login URL field that you recorded previously.
    IdP Signature Certificate Click Browse files, browse to the location of the identity provider PEM or DER key certificate you downloaded previously, and click Open.

  7. Click Add Identity Provider.
  8. On the Identity Providers page, click the expand () icon for the AAD identity provider and record the values in these fields:
    • Assertion Consumer Service URL
    • Audience URI

After you add Azure as an IdP, configure a routing rule for it. Routing rules let you to direct users to an IdP based on things like their device, email domain, or the app they're trying to access. See Configure identity provider routing rules.

Update Okta app in Microsoft Azure portal

  1. Sign in to the Microsoft Azure portal, click the portal menu icon in the top left, and select Azure Active Directory.
  2. Click Enterprise applications in the left menu and select Okta in the applications list.
  3. Click Single sign-on in the left menu and click SAML.
  4. Click Edit in the Basic SAML Configuration area and complete the following fields:

    Field Value
    Identifier (Entity ID) Enter the Audience URI value that you recorded in step 8.
    Reply URL (Assertion Consumer Service URL) Enter the Assertion Consumer Service URL value that you recorded in step 8.

  5. Click Save and Close.

Next steps

Map Azure Active Directory attributes to Okta attributes