Install and configure Microsoft ADFS in Okta

Before installing the Okta Multifactor Authentication (MFA) provider for Active Directory Federation Services (ADFS), you must:

  • Select authentication factors
  • Define the groups that will be authenticated by the Microsoft ADFS (MFA) application
  • Add the Microsoft ADFS (MFA) application
  • Enable Cross-Origin Resource Sharing

Okta orgs that are not configured to support OpenID Connect and Single Sign-On can still install and configure Microsoft ADFS, but they must use MFA as a service.

  1. Select authentication factors:
    1. In the Admin Console, go to Security > Multifactor.
    2. Select the Factor Types tab.
    3. Select a factor and then select Activate from the dropdown.
    4. See also MFA.

  2. Define the groups that will be authenticated by the Microsoft ADFS (MFA) application:

    1. Sign in to your Okta tenant as an administrator.
    2. In the Admin Console, go to Directory > Groups.
    3. Click Add Group.
    4. Complete the fields and then click Save.
    5. Add people to the group. See Users, groups, and profiles.
  3. Add the Microsoft ADFS (MFA) application:

    1. Sign in to your Okta org as an administrator.
    2. In the Admin Console, go to Applications > Applications > Add Application, and search for Microsoft ADFS (MFA).
    3. Click Add Application.
    4. Enter a unique name.
    5. For Okta orgs enabled for OpenID Connect and Single Sign-On:

      1. On the Sign-On options page, ensure that OpenID Connect is selected and enter an appropriate Redirect URI, then click Done.

        Ensure that the Redirect URI ends with a forward slash. For example, https://yourdomain.com/

      2. Select the Sign on tab of the newly created Microsoft ADFS application and confirm that the sign-on mode is OpenID Connect.

      For Okta orgs not enabled for OpenID Connect and Single Sign-On:

      1. Select the Sign On tab, and ensure that MFA as a service is selected.
    6. Select the General tab and note the values of the Client ID and Client secret. These values are required during the Install the Okta ADFS Plugin on your ADFS Server task, and for configuring MFA as a service.
    7. Follow the steps to modify the configuration and confirm that useOIDC is set to false (or set it to false).
      After changing the configuration, you must restart the agent.
  4. Enable Cross-Origin Resource Sharing (CORS):

    For more information about CORS, see CORS Overview.

    1. Sign on to your Okta org as an administrator.
    2. Navigate to Security > API.
    3. Select the Trusted Origins tab, then click CORS.

    4. Click Add Origin.
    5. Enter the following information:
      • Name
      • Origin URL: This can be your ADFS service name.
      • Select the CORS checkbox, then click Save.
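
The two settings above that are easiest to get wrong are the Redirect URI (which must end with a forward slash) and the CORS trusted origin (which must be a bare scheme://host[:port] origin that matches the origin of the Redirect URI, since the browser compares origins that way). The following pre-flight check is an added example, not Okta's own code; it assumes the Redirect URI and origin values are copied from the Admin Console, and the sample values are constructed.

```python
from urllib.parse import urlsplit

def origin_of(url: str) -> str:
    """Return the browser-style origin (scheme://host[:port]) of a URL, lower-cased,
    with the default port dropped, so comparisons match how CORS compares origins."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()  # hostname is already lower-cased by urlsplit
    default_port = {"https": 443, "http": 80}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"

def check_adfs_settings(redirect_uri: str, cors_origins: list[str]) -> list[str]:
    """Return the list of problems found; an empty list means the settings are consistent."""
    problems = []
    if urlsplit(redirect_uri).scheme.lower() != "https":
        problems.append("redirect URI must use https")
    if not redirect_uri.endswith("/"):
        problems.append("redirect URI must end with a forward slash")
    try:
        wanted = origin_of(redirect_uri)
    except ValueError as exc:
        return problems + [str(exc)]
    trusted = set()
    for origin in cors_origins:
        parts = urlsplit(origin)
        # A CORS origin is scheme://host[:port] only; anything after the host is a mistake.
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            problems.append(f"CORS origin {origin!r} must not contain a path, query or fragment")
        trusted.add(origin_of(origin))
    if wanted not in trusted:
        problems.append(f"no CORS trusted origin matches {wanted}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    print(check_adfs_settings("https://adfs.example.com/", ["https://adfs.example.com"]))
    print(check_adfs_settings("https://ADFS.example.com", ["https://adfs.example.com/adfs/ls"]))
```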