Install and configure Microsoft ADFS in Okta

This topic describes how to install and configure the Okta Multifactor Authentication (MFA) provider for Active Directory Federation Services (ADFS).

Okta orgs that aren't configured to support OpenID Connect and single sign-on can install and configure Microsoft ADFS, but they must use MFA as a service.

Add MFA factors

  1. In the Admin Console, go to SecurityMultifactor.

  2. Select the Factor Types tab.
  3. Select a factor and then select Activate from the dropdown menu. See Multifactor Authentication.

Define groups that authenticate with the Microsoft ADFS (MFA) app

  1. In the Admin Console, go to DirectoryGroups.

  2. Click Add Group.
  3. Complete the fields and then click Save.
  4. Add people to the group. See User management.

Add the Microsoft ADFS (MFA) app

  1. Sign in to your Okta org as an admin.

  2. In the Admin Console, go to ApplicationsApplications.

  3. Click Browse App Catalog.
  4. Search for and select Microsoft ADFS (MFA), and then click Add Integration.
  5. Enter a unique name.

  6. For Okta orgs that are enabled for OIDC and SSO, do these steps:

    1. On the Sign-On Options page, select OpenID Connect. Enter an appropriate Redirect URI, and then click Done. Ensure that the redirect URI ends with a forward slash.
    2. Go to the Sign on tab of the new Microsoft ADFS app instance and confirm that the sign-on mode is OpenID Connect.

    For Okta orgs that aren't enabled for OIDC and SSO, do these steps:

    1. Go to the Sign On tab and select MFA as a service.
  7. Go to the General tab and note the values of the Client ID and Client secret. These values are required during the Install the Okta ADFS Plugin on your ADFS Server task.
  8. Follow the steps in Configure MFA for Active Directory Federation Services (ADFS). Configure the useOIDC property as false and then restart the agent.

Enable Cross-Origin Resource Sharing (CORS)

See CORS Overview.

  1. In the Admin Console, go to SecurityAPI.

  2. Select the Trusted Origins tab, and then click CORS.
  3. Click Add Origin.
  4. Enter the following information:
    • Origin name: Enter a name for this origin.
    • Origin URL: Enter the origin URL. This can be your ADFS service name.
    • Cross-Origin Resource Sharing (CORS): Enable the origin URL to access Okta APIs from JavaScript.
    • Redirect: Allow the browser to redirect to the origin URL after signing in or out.
    • iFrame embed: Allow Okta sign-in pages and SSO URLs to be embedded in iFrames.
    • Allows iFrame embedding of Okta End User Dashboard: Select this option to allow the End-User Dashboard to be embedded in iFrames.
  5. Click Save.