Configure Okta SharePoint People Picker agent
Installing the Okta SharePoint People Picker plugin allows you to fetch users and groups from Okta. The People Picker plugin is a Microsoft Windows executable that you can download from the Downloads page of your Okta Administrator Dashboard.
Before you begin
- Ensure that you're signed in with a user account that has permissions to modify the SharePoint farm.
- Ensure that you have the SharePoint Management Shell or the SharePoint PowerShell snap-in so that you can run PowerShell commands on your SharePoint Server. Add the required snap-in to an existing PowerShell prompt by entering the following command:
Add-PSSnapIn Microsoft.Sharepoint.Powershell
Start this procedure
This procedure includes the following tasks:
1. Set configuration values in SharePoint farm
2. Run the appropriate commands
3. Configure search scope values
4. Optional: Filter Active Directory imports
1. Set configuration values in SharePoint farm
You must set several configuration values in the SharePoint farm to install the Okta People Picker. These values are used to configure People Picker functionality and define the Okta org that you're integrating with this SharePoint environment.
Property | Value
---|---
Okta API Key | Read-only administrator API key generated during the prerequisite steps
BaseUrl | Your Okta org domain, for example: https://oktaorg.okta.com
OktaClaimProviderDisplayName | Set to Okta by default. Can be set to a different value if you prefer a different display name for the Okta People Picker
MapUpnToWindowsUser | Configuration flag to enable or disable C2WTS protocol translation
UniqueUserIdentifierClaimType | Defines the unique user identifier claim. The identifier claim type on the Okta trusted token issuer must be unique and immutable, and must match UniqueUserIdentifierClaimType. Set to Email or UserName, depending on which you want to use as the identifier claim.
2. Run the appropriate commands
Enter the following commands, replacing the variables with the appropriate values as defined in the preceding section.
Type the commands rather than copying and pasting them.
- Enter the following command to update the farm properties.
$farm = Get-SPFarm
$farm.Properties["OktaApiKey"] = "OktaAPIKey"
$farm.Properties["OktaBaseUrl"] = "https://oktaorg.okta.com"
$farm.Properties["OktaLoginProviderName"] = "Okta"
$farm.Properties["OktaClaimProviderDisplayName"] = "Okta"
- Optional: If you're enabling C2WTS, execute the following command. If not, go to the next step.
$farm.Properties["MapUpnToWindowsUser"] = $true
- To specify UniqueUserIdentifierClaimType, execute one of the following commands.
$farm.Properties["UniqueUserIdentifierClaimType"] = "Email"
OR
$farm.Properties["UniqueUserIdentifierClaimType"] = "UserName"
- Enter the following command to update the farm values.
$farm.Update()
3. Configure search scope values
You must set several configuration values in the SharePoint web application for the Okta People Picker to use the search scope.
$webApplication = Get-SPWebApplication
$webApplication.Properties["UserSearchScope"] = "OKTA"
OR
$webApplication.Properties["UserSearchScope"] = "APP"
$webApplication.Properties["UserSearchScopeAppId"] = "{AppID}"   # app instance id in the Okta org
$webApplication.Update()
- When the App ID isn't provided or is invalid, UserSearchScope falls back to OKTA (org-level search) as the search scope.
- People Picker doesn't verify that the specified App ID belongs to an app instance that is WS-Federated with this SharePoint web application. That verification must be done manually.
When you have multiple web applications in the same farm, check the value of $webApplication before setting the properties. This ensures that you're setting the values for the correct web application.
Example: Set UserSearchScope and UserSearchScopeAppId for $webApplication[1]
PS C:\Users\administrator.SP10> $w[1].properties
Name Value
------ ------
UserSearchScope OKTA
UserSearchScopeAppID 0oalx5qLAHqqLVtNv0w4
PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScope"] = "APP"
PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScopeAppID"] = "0oalx5qLAHqqLVtNv0w4"
PS C:\Users\administrator.SP10> $w[1].properties
Name Value
------ ------
UserSearchScope APP
UserSearchScopeAppID 0oalx5qLAHqqLVtNv0w4
PS C:\Users\administrator.SP10> $w[1].update()
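The following function is an added example, not code from the Okta documentation or the People Picker plugin. It selects the web application by URL instead of by array index, reuses the OktaBaseUrl and OktaApiKey farm properties from step 2, and confirms through the Okta Apps API that the App ID resolves to a WS-Federation app before setting the search scope. The function name, the App ID format check and the WS_FEDERATION sign-on-mode check are this example's own; it assumes the SharePoint snap-in is loaded and PowerShell 3.0 or later for Invoke-RestMethod.

```powershell
# Added example, not from the Okta documentation: scope People Picker search to one app
# only after checking the target web application and the App ID. Run in the SharePoint
# Management Shell; Invoke-RestMethod needs PowerShell 3.0 or later (assumption).
function Set-OktaPeoplePickerSearchScope {
    param(
        [Parameter(Mandatory=$true)] [string] $WebApplicationUrl,  # e.g. https://sharepoint.example.com
        [Parameter(Mandatory=$true)] [string] $AppId               # Okta app instance id, e.g. 0oa...
    )

    # Reuse the farm-level settings from step 2 rather than pasting the API key again.
    $farm    = Get-SPFarm
    $baseUrl = $farm.Properties["OktaBaseUrl"]
    $apiKey  = $farm.Properties["OktaApiKey"]
    if (-not $baseUrl -or -not $apiKey) {
        throw "OktaBaseUrl/OktaApiKey are not set on the farm; complete step 2 first."
    }
    if ($baseUrl -notmatch '^https://') { throw "OktaBaseUrl must use https, got '$baseUrl'." }

    # Cheap sanity check before calling out: Okta app ids start with 0oa (20 chars assumed).
    if ($AppId -notmatch '^0oa[A-Za-z0-9_-]{17}$') {
        throw "'$AppId' does not look like an Okta app instance id."
    }

    # Look the app up with the read-only token (SSWS auth) and insist on a WS-Federation app.
    $headers = @{ Authorization = "SSWS $apiKey"; Accept = "application/json" }
    $uri     = "$($baseUrl.TrimEnd('/'))/api/v1/apps/$AppId"
    $app     = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    if ($app.signOnMode -ne "WS_FEDERATION") {
        throw "App $AppId ('$($app.label)') is $($app.signOnMode), not WS_FEDERATION."
    }

    # Resolve exactly one web application by URL; $webApplication[1] depends on list order.
    $webApplication = Get-SPWebApplication -Identity $WebApplicationUrl -ErrorAction Stop

    $webApplication.Properties["UserSearchScope"]      = "APP"
    $webApplication.Properties["UserSearchScopeAppId"] = $AppId
    $webApplication.Update()

    # Echo the label so the admin can confirm this is the app federated with this web application.
    Write-Host "People Picker on $($webApplication.Url) now searches app '$($app.label)' ($AppId)."
}

# Usage (values are placeholders):
# Set-OktaPeoplePickerSearchScope -WebApplicationUrl "https://sharepoint.example.com" -AppId "0oaXXXXXXXXXXXXXXXXX"
```

The sign-on-mode check only confirms that the id is a WS-Federation app in the org; confirming that it is the app federated with this particular web application remains the manual step the section describes, which is why the app label is echoed.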
4. Optional: Filter Active Directory imports
Okta People Picker shows users imported from Active Directory twice: once as an Okta user and once as an AD-domain user. With filtering enabled, you see and manage only the original AD users. You can also specify that certain domains retain the original behavior. Enabling this feature requires setting certain $farm object properties in SharePoint.
If you import from Active Directory, you can take advantage of the People Picker Active Directory filtering option, which allows for filtering AD imports.
To enable this feature, use the following properties:
$farm = Get-SPFarm
$farm.Properties["FilterActiveDirectoryClaims"] = $true
$farm.Properties["AllowedActiveDirectoryDomains"] = "foo.com", "bar.com"
$farm.Update()
Active Directory domain filtering is only available with the OKTA search scope.