Configure Okta SharePoint People Picker agent

Installing the Okta SharePoint People Picker plugin allows you to fetch users and groups from Okta. The People Picker plugin is a Microsoft Windows executable that you can download from the Downloads page of your Okta Administrator Dashboard.

Before you begin

  • Ensure that you're signed in with a user account that has permissions to modify the SharePoint farm.
  • Ensure that you have SharePoint Management Shell or SharePoint PowerShell snap-in so you can run PowerShell commands on your SharePoint Server. Add the required snap-in to an existing PowerShell prompt by entering the following command:

    Add-PSSnapIn Microsoft.Sharepoint.Powershell

Start this procedure

This procedure includes the following tasks:

1. Set configuration values in SharePoint farm

2. Run the appropriate commands

3. Configure search scope values

4. Optional: Filter Active Directory imports

1. Set configuration values in SharePoint farm

You must set several configuration values in the SharePoint farm to install the Okta People Picker. These values are used to configure People Picker functionality and define the Okta org that you're integrating with this SharePoint environment.

Property                        Value
Okta API Key                    Read-only administrator API key generated during the prerequisite steps
BaseUrl                         Your Okta org domain, for example: https://oktaorg.okta.com
OktaClaimProviderDisplayName    Set to Okta by default. Can be set to a different value if you prefer a different display name for the Okta People Picker.
MapUpnToWindowsUser             Configuration flag to enable or disable C2WTS protocol translation.
UniqueUserIdentifierClaimType   Defines the unique user identifier claim. The identifier claim type on the Okta trusted token issuer must be unique and immutable, and must match UniqueUserIdentifierClaimType. Set to Email or UserName, depending on what you want to use as the identifier claim.

2. Run the appropriate commands

Enter the following commands, replacing the placeholder values with the values defined in the preceding section.

Type the commands rather than copying and pasting them.

  1. Enter the following commands to update the farm properties.

    $farm = Get-SPFarm
    $farm.Properties["OktaApiKey"] = "OktaAPIKey"
    $farm.Properties["OktaBaseUrl"] = "https://oktaorg.okta.com"
    $farm.Properties["OktaLoginProviderName"] = "Okta"
    $farm.Properties["OktaClaimProviderDisplayName"] = "Okta"
  2. Optional: If you're enabling C2WTS, run the following command. If not, go to the next step.

    $farm.Properties["MapUpnToWindowsUser"] = $true
  3. To specify UniqueUserIdentifierClaimType, run one of the following commands.

    $farm.Properties["UniqueUserIdentifierClaimType"] = "Email"

    OR

    $farm.Properties["UniqueUserIdentifierClaimType"] = "UserName"
  4. Enter the following command to save the farm values.

    $farm.Update()
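The four steps above, carried out as one script. This is an added example and not the Okta page's own commands: it reads the API key from a masked prompt so the token is not recorded as a literal in the PowerShell history, rejects a malformed base URL or claim type before $farm.Update() runs, and reads the farm properties back afterwards. $OktaBaseUrl, $ClaimType and $EnableC2wts are assumed variable names.

```powershell
# Added example (not from the Okta page). Assumes the SharePoint snap-in is
# available and that the shell runs as a farm administrator.
Add-PSSnapIn Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$OktaBaseUrl = "https://oktaorg.okta.com"   # replace with your org URL
$ClaimType   = "Email"                       # or "UserName"
$EnableC2wts = $false                        # $true only if you use C2WTS

# Reject values that would only show up as a broken picker later on.
if ($OktaBaseUrl -notmatch '^https://[^/]+$') {
    throw "OktaBaseUrl must be an https URL with no path, e.g. https://oktaorg.okta.com"
}
if (@("Email", "UserName") -notcontains $ClaimType) {
    throw "UniqueUserIdentifierClaimType must be Email or UserName"
}

# Read the read-only API token without echoing it and without it being
# stored as a literal in the command history.
$secureKey = Read-Host -Prompt "Okta read-only API key" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey)
try {
    $apiKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$farm = Get-SPFarm
$farm.Properties["OktaApiKey"] = $apiKey
$farm.Properties["OktaBaseUrl"] = $OktaBaseUrl
$farm.Properties["OktaLoginProviderName"] = "Okta"
$farm.Properties["OktaClaimProviderDisplayName"] = "Okta"
$farm.Properties["UniqueUserIdentifierClaimType"] = $ClaimType
if ($EnableC2wts) { $farm.Properties["MapUpnToWindowsUser"] = $true }
$farm.Update()

# Read the values back from a fresh farm object to confirm the update
# persisted; the key is reported as set but never displayed.
$farm = Get-SPFarm
foreach ($name in "OktaBaseUrl", "OktaLoginProviderName",
                  "OktaClaimProviderDisplayName", "UniqueUserIdentifierClaimType",
                  "MapUpnToWindowsUser") {
    "{0,-32} {1}" -f $name, $farm.Properties[$name]
}
$keySet = -not [string]::IsNullOrEmpty($farm.Properties["OktaApiKey"])
"{0,-32} {1}" -f "OktaApiKey", $(if ($keySet) { "(set, not displayed)" } else { "(MISSING)" })
```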

3. Configure search scope values

You must set several configuration values in the SharePoint web application for the Okta People Picker to use the search scope.

$webApplication = Get-SPWebApplication
$webApplication.Properties["UserSearchScope"] = "OKTA"

OR

$webApplication.Properties["UserSearchScope"] = "APP"
$webApplication.Properties["UserSearchScopeAppId"] = "{AppID}" # app instance id in the Okta org
$webApplication.Update()
  • When the App ID isn't provided or is invalid, UserSearchScope falls back to OKTA (org-level search) as the search scope.
  • People Picker doesn't verify that the specified App ID belongs to an app instance that is WS-Federated with this SharePoint web application. You must verify this manually.

When you have multiple web applications in the same farm, check the value of $webApplication before setting the properties. This ensures that you're setting the values for the correct web application.

Example: Set UserSearchScope and UserSearchScopeAppId for the second web application (index 1 of the Get-SPWebApplication result, held in $w in this session)

PS C:\Users\administrator.SP10> $w[1].properties

Name                  Value
----                  -----
UserSearchScope       OKTA
UserSearchScopeAppID  0oalx5qLAHqqLVtNv0w4

PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScope"] = "APP"
PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScopeAppID"] = "0oalx5qLAHqqLVtNv0w4"
PS C:\Users\administrator.SP10> $w[1].properties

Name                  Value
----                  -----
UserSearchScope       APP
UserSearchScopeAppID  0oalx5qLAHqqLVtNv0w4

PS C:\Users\administrator.SP10> $w[1].update()
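The same APP-scope change, written to avoid the two pitfalls this section names: the wrong web application being selected by index, and an App ID that silently falls back to OKTA scope or points at an app that is not the WS-Federated one. This is an added example, not the Okta page's own commands: it selects the web application by URL, looks the App ID up through Okta's public API (GET /api/v1/apps/{id}, using the read-only key already stored on the farm) and checks its signOnMode before writing anything. $WebAppUrl and $AppId are assumed variable names, the App ID shown is a placeholder, settings.app.wReplyURL is assumed to be the reply-URL field of an Okta WS-Fed app, and Invoke-RestMethod requires PowerShell 3.0 or later.

```powershell
# Added example (not from the Okta page). Assumes the farm properties from
# the previous section (OktaApiKey, OktaBaseUrl) are already set.
Add-PSSnapIn Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "https://sharepoint.example.com"   # the WS-Federated web application
$AppId     = "0oaPLACEHOLDERAPPID"              # placeholder Okta app instance id

$farm   = Get-SPFarm
$webApp = Get-SPWebApplication -Identity $WebAppUrl
if (-not $webApp) { throw "No web application found for $WebAppUrl" }

# Okta app instance ids start with 0oa. Anything else is rejected here rather
# than being accepted and then silently falling back to org-level (OKTA) scope.
if ($AppId -notmatch '^0oa[A-Za-z0-9]+$') { throw "Invalid Okta app id: $AppId" }

# Ask Okta what the id refers to; the picker does not perform this check itself.
$headers = @{
    Authorization = "SSWS " + $farm.Properties["OktaApiKey"]
    Accept        = "application/json"
}
$uri = $farm.Properties["OktaBaseUrl"] + "/api/v1/apps/" + $AppId
$app = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
if ($app.signOnMode -ne "WS_FEDERATION") {
    throw "App $AppId ('$($app.label)') uses $($app.signOnMode), not WS-Federation"
}
if ($app.status -ne "ACTIVE") { throw "App $AppId is $($app.status), not ACTIVE" }

# Final manual comparison against $WebAppUrl, as the page requires.
# (settings.app.wReplyURL is an assumed field name for Okta WS-Fed apps.)
"Okta app '{0}' replies to: {1}" -f $app.label, $app.settings.app.wReplyURL

# Write the scope on exactly this web application and re-read it.
$webApp.Properties["UserSearchScope"]      = "APP"
$webApp.Properties["UserSearchScopeAppId"] = $AppId
$webApp.Update()
$webApp = Get-SPWebApplication -Identity $WebAppUrl
$webApp.Properties | Format-Table -AutoSize
```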

4. Optional: Filter Active Directory imports

Without filtering, Okta People Picker shows users imported from Active Directory twice: once as an Okta user and once as an AD-domain user. With Active Directory filtering enabled, you see and manage only the original AD users. You can also specify that certain domains retain the original behavior. Enabling this feature requires setting certain $farm object properties in SharePoint.

If you import from Active Directory, you can use the People Picker Active Directory filtering option to filter AD imports.

To enable this feature, use the following properties:

$farm = Get-SPFarm
$farm.Properties["FilterActiveDirectoryClaims"] = $true
$farm.Properties["AllowedActiveDirectoryDomains"] = "foo.com", "bar.com"
$farm.Update()

Active Directory domain filtering is only available with the OKTA search scope.

Next steps

Troubleshooting: Microsoft SharePoint (On-Premises)