Install and configure Microsoft ADFS in Okta

Before installing the Okta Multifactor Authentication (MFA) provider for Active Directory Federation Services (ADFS), you must:

  • Select authentication factors
  • Define the groups that will be authenticated by the Microsoft ADFS (MFA) application
  • Add the Microsoft ADFS (MFA) application
  • Enable Cross-Origin Resource Sharing

Okta orgs which are not configured to support OpenID Connect and Single Sign-On can still install and configure Microsoft ADFS but must use MFA as a service.

  1. Select authentication factors:
    1. Go to Security > Authenticators.
    2. From the Add Authenticator dialog, select an authenticator. For example, Okta Verify.
    3. Configure factor-specific settings as appropriate.
    Note: Okta recommends that, at a minimum, Okta Verify be specified.

    4. Once added, some authenticators may be further configured from the list of added authenticators by clicking Actions > Edit.
  2. Define the groups that will be authenticated by the Microsoft ADFS (MFA) application:

    1. Sign in to your Okta tenant as an administrator.
    2. In the Admin Console, go to Directory > Groups.
    3. Click Add Group.
    4. Complete the fields in the Add group dialog and click Save.
    5. Add people to the group. See Users, groups, and profiles.
  3. Add the Microsoft ADFS (MFA) application:

    1. Sign on to your Okta org as an administrator.
    2. In Okta, navigate to Applications > Applications > Add Application, search for Microsoft ADFS (MFA), and then click Add.
    3. Enter a unique Application label.
    4. Click Next.
    5. For Okta orgs enabled for OpenID Connect and Single Sign-On:

      1. On the Sign-On options page, ensure that OpenID Connect is selected and enter an appropriate Redirect URI, then click Done.

        Ensure that the Redirect URI ends with a trailing forward slash. For example:

      For Okta orgs not enabled for OpenID Connect and Single Sign-On:

      1. Select the Sign-On tab, and ensure that MFA as a service is selected.
    6. Select the General tab and note the values of the Client ID and Client secret. These values are required during the Install the Okta ADFS Plugin on your ADFS Server task.
      [Figure: General options of the Microsoft ADFS application showing the Client ID and Client secret fields. The values of these two fields are required for configuring MFA as a service.]
    7. Follow the steps to modify the configuration and confirm that useOIDC is set to false (or set it to false).
      After changing the configuration, you must restart the agent.
  4. Enable Cross-Origin Resource Sharing (CORS)

    For more information about CORS, see CORS Overview.

    1. Sign on to your Okta org as an administrator.
    2. Navigate to Security > API.
    3. Select the Trusted Origins tab, then click CORS.
    4. Click Add Origin.
    5. Enter the following information:
      • Name
      • Origin URL: This can be your ADFS service name.
      • Check the box for CORS Type, then click Save.
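As an added example (not Okta's own code), the following Python script checks the Redirect URI rule from step 5 (trailing forward slash) and derives the CORS trusted origin for step 4, building the request body the Okta Trusted Origins API expects as the equivalent of ticking the CORS Type box. The sample hostname and the OKTA_ORG_URL / OKTA_API_TOKEN environment variable names are assumptions made here; the https requirement is also an assumption.

```python
"""Pre-flight checks for the ADFS (MFA) app's Redirect URI and the CORS
trusted origin from step 4. Added example, not Okta's own code."""
import json
import os
import urllib.request
from urllib.parse import urlsplit


def check_redirect_uri(uri: str) -> list[str]:
    """Problems found with a planned Redirect URI (empty list means OK).
    The trailing-slash rule is from the page; https is assumed here."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https" or not parts.netloc:
        problems.append("redirect URI must be an https URL with a host")
    if not parts.path.endswith("/"):
        problems.append("redirect URI must end with a trailing forward slash")
    return problems


def cors_origin_for(uri: str) -> str:
    """Browser origin (scheme://host[:port]) to trust for CORS; an origin
    never carries a path, so the ADFS endpoint path is dropped."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc}"


def trusted_origin_payload(name: str, origin: str) -> dict:
    """Body for POST /api/v1/trustedOrigins, scoped to CORS only: the API
    equivalent of the Name / Origin URL / CORS Type fields in step 4."""
    return {"name": name, "origin": origin, "scopes": [{"type": "CORS"}]}


def add_trusted_origin(org_url: str, api_token: str, payload: dict) -> dict:
    """Create the trusted origin using an admin API token (SSWS auth)."""
    req = urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/trustedOrigins",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; the environment variable names are assumed.
    redirect = "https://adfs.example.com/adfs/ls/"
    payload = trusted_origin_payload("ADFS MFA", cors_origin_for(redirect))
    if os.environ.get("OKTA_ORG_URL") and os.environ.get("OKTA_API_TOKEN"):
        print(add_trusted_origin(os.environ["OKTA_ORG_URL"],
                                 os.environ["OKTA_API_TOKEN"], payload))
```

Run the checks offline first; the POST only happens when both environment variables are set.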