Make Azure Active Directory an identity provider
To delegate authentication to Azure Active Directory (AAD), you need to configure it as an identity provider (IdP) in Okta.
Before you begin
Complete Create the Okta enterprise app in Azure Active Directory and make note of the following values, which you enter in Okta later in this procedure:
- Azure AD Identifier
- Login URL
- Downloaded certificate (Base64)
This procedure provides steps for using SAML to set up AAD as an Identity Provider. To use OpenID Connect, see Create an Identity Provider in Okta.
- In the Admin Console, go to Security > Identity Providers.
- Click Add Identity Provider and select Add SAML 2.0 IdP.
- Enter AAD or your preferred name for the identity provider in the Name field.
- Complete the following fields in the AUTHENTICATION SETTINGS section:
  IdP Username: Enter idpuser.email.
  Filter: Select the Only allow usernames that match defined RegEx pattern checkbox and enter a regular expression pattern. Okta applies this pattern to the IdP username and rejects any username that doesn't match, which prevents the IdP from authenticating unintended or privileged users. Anchor the pattern and escape literal dots (for example, limit it to your verified domain) so that guest accounts, look-alike domains, and accounts outside that domain are rejected rather than matched by accident.
  Match against: Select an Okta user attribute from the dropdown list, for example Okta Username. Okta matches this attribute against the IdP username to find existing users.
  Account Link Policy: Select Automatic to automatically link incoming IdP users to existing users in Okta, or Disabled if you want to link users manually or don't want to link users. To restrict automatic account linking to specified groups, select Specific Groups from the dropdown list and enter the group names; the IdP user is linked only if the matching Okta user belongs to one of those groups.
  If no match is found: Optional. Select Create new user (JIT) to create a new account for an unmatched user.
- Complete the following fields in the JIT SETTINGS area:
  Profile Source: Select the Update attributes for existing users checkbox.
  Reactivate users who are deactivated in Okta and Unsuspend users who are suspended in Okta: Select these checkboxes. Note that with them selected, a successful AAD sign-in reverses a deactivation or suspension performed in Okta; leave them clear if Okta must remain authoritative for those states.
  Group assignments: Select an option to define the behavior of group assignments during provisioning. You can assign the user to specific groups, add them to missing groups based on a SAML attribute name and group filter, or do a full sync of groups.
- Complete the following fields in the SAML PROTOCOL SETTINGS area:
  IdP Issuer URI: Enter the value from the Azure AD Identifier field you recorded previously. Copy it exactly as shown, including any trailing slash, because Okta compares it character for character with the Issuer in the assertions AAD sends.
  IdP Single Sign-On URL: Enter the value from the Login URL field you recorded previously.
  IdP Signature Certificate: Click Browse files, browse to the location of the Base64 certificate (PEM or DER) you downloaded previously, and click Open. Okta uses this certificate to verify the signature on assertions from AAD, so when the certificate is rotated in Azure, upload the new one here before the old one expires or sign-in through AAD fails.
- Click Add Identity Provider.
- On the Identity Providers page, click the expand icon for the AAD identity provider and record the values in these fields:
- Assertion Consumer Service URL
- Audience URI
- Sign in to the Microsoft Azure portal, click the portal menu icon in the top left, and select Azure Active Directory.
- Click Enterprise applications in the left menu and select Okta in the applications list.
- Click Single sign-on in the left menu and click SAML.
- Click Edit in the Basic SAML Configuration area and complete the following fields:
  Identifier (Entity ID): Enter the Audience URI value that you recorded from the Identity Providers page in Okta.
  Reply URL (Assertion Consumer Service URL): Enter the Assertion Consumer Service URL value that you recorded from the Identity Providers page in Okta.
  Don't swap the two values: AAD places the Identifier in the assertion's Audience and posts the response to the Reply URL, and Okta rejects an assertion whose audience doesn't match its Audience URI.
- Click Save and Close.
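The following Python script is an added example and is not part of the Okta or Microsoft documentation. It checks, offline, the two configuration points above that most often fail silently: the IdP Username filter (an unanchored pattern with an unescaped dot beside an anchored one, run against constructed usernames of the kinds an Azure AD tenant contains, including a B2B guest and a look-alike domain), and the cross-wiring of IdP Issuer URI, Assertion Consumer Service URL and Audience URI between Okta's SAML PROTOCOL SETTINGS and Azure's Basic SAML Configuration (a constructed, unsigned SAML Response is parsed and its Issuer, Destination and Audience compared with the recorded values). The tenant ID, domain, URLs, usernames and the SAML XML are all constructed; the assumption that Okta's filter uses search rather than full-match semantics is the worst case, and an anchored pattern behaves the same under both. Signature verification is not performed here; Okta does that with the uploaded IdP Signature Certificate.

```python
"""Added example (not from the Okta or Microsoft docs). Offline checks for two
points in the procedure above: the IdP Username regex filter, and the Issuer /
ACS URL / Audience URI cross-wiring between Okta and Azure AD. All values are
constructed. Signature verification is not done here; Okta does that with the
uploaded IdP Signature Certificate."""
import re
import xml.etree.ElementTree as ET

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
# What was typed into Okta (IdP Issuer URI) and recorded from Okta (ACS, Audience).
EXPECTED = {
    "idp_issuer_uri": f"https://sts.windows.net/{TENANT_ID}/",              # Azure AD Identifier
    "acs_url": "https://example.okta.com/sso/saml2/0oaexampleidp",           # constructed
    "audience_uri": "https://www.okta.com/saml2/service-provider/spexample",  # constructed
}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def username_allowed(pattern: str, idp_username: str) -> bool:
    """Okta documents the filter only as 'a regular expression pattern', so the
    worst case (search rather than full-match semantics) is assumed here. A
    pattern anchored with ^ and $ behaves identically under both."""
    return re.search(pattern, idp_username) is not None


# Constructed IdP usernames of the kinds found in an Azure AD tenant.
SAMPLE_USERS = [
    "alice@example.com",
    "bob.smith@example.com",
    "breakglass-admin@example.onmicrosoft.com",        # privileged cloud-only account
    "mallory_gmail.com#EXT#@example.onmicrosoft.com",  # B2B guest UPN form
    "alice@example.com.attacker.net",                  # look-alike domain
    "eve@example-com.attacker.net",                    # abuses an unescaped '.'
]
WEAK_FILTER = r"@example.com"                      # unanchored, '.' is a wildcard
STRONG_FILTER = r"^[A-Za-z0-9._-]+@example\.com$"  # anchored, literal dot


def filter_results(pattern: str) -> dict:
    """Map each sample username to whether the filter would let it through."""
    return {u: username_allowed(pattern, u) for u in SAMPLE_USERS}


def build_response(issuer: str, destination: str, audience: str, name_id: str) -> str:
    """Minimal unsigned SAML Response of the shape AAD posts to the ACS URL (constructed)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_saml_response(xml_text: str, expected: dict, username_filter: str) -> list:
    """Return (field, seen, expected) mismatches; an empty list means the Okta
    and Azure sides agree and the NameID passes the username filter."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    seen = {
        "Response/Issuer": root.findtext("saml:Issuer", namespaces=NS),
        "Assertion/Issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "Destination": root.get("Destination"),
        "Audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
    }
    want = {
        "Response/Issuer": expected["idp_issuer_uri"],  # exact match, trailing slash included
        "Assertion/Issuer": expected["idp_issuer_uri"],
        "Destination": expected["acs_url"],             # Reply URL in Azure
        "Audience": expected["audience_uri"],           # Identifier (Entity ID) in Azure
    }
    problems = [(k, seen[k], want[k]) for k in want if seen[k] != want[k]]
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not username_allowed(username_filter, name_id):
        problems.append(("NameID", name_id, username_filter))
    return problems


GOOD = build_response(EXPECTED["idp_issuer_uri"], EXPECTED["acs_url"],
                      EXPECTED["audience_uri"], "alice@example.com")
# Common mistake: the Okta ACS URL pasted into Azure's Identifier (Entity ID) field.
SWAPPED = build_response(EXPECTED["idp_issuer_uri"], EXPECTED["acs_url"],
                         EXPECTED["acs_url"], "alice@example.com")

if __name__ == "__main__":
    for name, pattern in (("weak", WEAK_FILTER), ("strong", STRONG_FILTER)):
        print(name, filter_results(pattern))
    print("good:", check_saml_response(GOOD, EXPECTED, STRONG_FILTER))
    print("swapped:", check_saml_response(SWAPPED, EXPECTED, STRONG_FILTER))
```

Run it as-is to see the weak filter admit both attacker-controlled domains while the anchored filter admits only the two corporate accounts, and the swapped configuration report a single Audience mismatch. To use it against a real deployment, replace the values in EXPECTED with the Azure AD Identifier you typed into Okta and the ACS URL and Audience URI you recorded from the Identity Providers page, and feed it a decoded SAMLResponse captured from the browser; any entry in the returned list is a field that differs between the two sides.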