Install and configure Microsoft ADFS in Okta

Before installing the Okta Multifactor Authentication (MFA) provider for Active Directory Federation Services (ADFS), you must do the following:

  • Select authentication factors
  • Define which groups use the Microsoft ADFS (MFA) app for authentication
  • Add the Microsoft ADFS (MFA) app
  • Enable Cross-Origin Resource Sharing

Okta orgs that aren't configured to support OpenID Connect and Single Sign-On can still install and configure Microsoft ADFS, but must use MFA as a service.

  1. Select authentication factors:
    1. In the Admin Console, go to Security > Authenticators.
    2. Click Add authenticator.
    3. Click Add on the authenticator that you want to add. At a minimum, add Okta Verify.
    4. Configure the authenticator and then click Add.
    5. In the Actions menu, choose Edit to configure more settings.
  2. Define which groups to authenticate using the Microsoft ADFS (MFA) app:

    1. In the Admin Console, go to Directory > Groups.
    2. Click Add Group.
    3. Complete the fields and then click Save.
    4. Add people to the group. See Users, groups, and profiles.
  3. Add the Microsoft ADFS (MFA) app:

    1. Sign in to your Okta org as an admin.
    2. In the Admin Console, go to Applications > Applications.
    3. Click Browse App Catalog.
    4. Search for and select Microsoft ADFS (MFA), and then click Add Integration.
    5. Enter a unique app label.
    6. Click Next.
    7. For Okta orgs that are enabled for OpenID Connect and Single Sign-On:

      1. On the Sign-On Options page, select OpenID Connect and enter an appropriate Redirect URI. Click Done.

        Ensure that the redirect URI ends with a forward slash. For example, https://yourdomain.com/

      For Okta orgs that aren't enabled for OpenID Connect and Single Sign-On:

      1. Go to the Sign On tab and ensure that MFA as a service is selected.
    8. Go to the General tab and note the values of the Client ID and Client secret. These values are required during the Install the Okta ADFS Plugin on your ADFS Server task.
    9. Follow the steps to modify the configuration and confirm that useOIDC is set to false, or set it to false. You must restart the agent after making any configuration changes.
  4. Enable Cross-Origin Resource Sharing (CORS):

    For more information about CORS, see CORS Overview.

    1. In the Admin Console, go to Security > API.
    2. Select the Trusted Origins tab, and then click CORS.
    3. Click Add Origin.
    4. Enter the following information:
      • Name
      • Origin URL: This can be your ADFS service name.
      • Select the CORS checkbox, and then click Save.
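Two of the values entered above are easy to get subtly wrong: the OpenID Connect redirect URI in step 3 must end with a forward slash, and the CORS trusted origin in step 4 must be a bare origin (scheme and host, optionally a port, no path). The following Python script is an added example, not part of Okta's documentation or of the ADFS plugin; it normalizes a redirect URI, derives the matching trusted origin from it, and evaluates a preflight response the way a browser would, treating a wildcard Access-Control-Allow-Origin as a failure because the MFA calls are credentialed. The hostnames and response headers in it are constructed sample values.

```python
"""Checks for the redirect URI and CORS trusted origin used by the Okta ADFS (MFA) app.

Added example; hostnames and header values below are constructed, not taken from any org.
"""
from urllib.parse import urlsplit


def normalize_redirect_uri(uri: str) -> str:
    """Return the redirect URI in the form the app expects: https, lowercase host,
    trailing slash. Raises ValueError for anything that cannot be a valid redirect URI."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "https":
        raise ValueError(f"redirect URI must use https: {uri!r}")
    if not parts.netloc:
        raise ValueError(f"redirect URI has no host: {uri!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"redirect URI must not carry a query or fragment: {uri!r}")
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"  # the procedure requires the trailing slash
    return f"https://{parts.netloc.lower()}{path}"


def origin_of(uri: str) -> str:
    """Derive the browser origin (scheme://host[:port]) of a URL. This is the form a
    CORS trusted-origin entry needs: no path and no trailing slash."""
    parts = urlsplit(uri.strip())
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"cannot derive an origin from {uri!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def cors_allows(response_headers: dict, origin: str) -> bool:
    """Given the headers of a preflight (OPTIONS) response, report whether a browser
    would let a credentialed request from `origin` through. Header names are matched
    case-insensitively. A wildcard is rejected: browsers do not accept
    Access-Control-Allow-Origin: * for requests that carry credentials."""
    headers = {name.lower(): value for name, value in response_headers.items()}
    allowed = headers.get("access-control-allow-origin")
    if allowed is None or allowed.strip() == "*":
        return False
    return allowed.strip() == origin


def check_pair(redirect_uri: str, trusted_origin: str) -> bool:
    """True when the CORS trusted origin is exactly the origin of the redirect URI."""
    return origin_of(normalize_redirect_uri(redirect_uri)) == trusted_origin.strip().rstrip("/").lower()


if __name__ == "__main__":
    # Constructed sample values; replace with your own ADFS service name when reusing this.
    redirect = "https://ADFS.Example.com/adfs/ls"
    print("redirect URI:", normalize_redirect_uri(redirect))
    print("trusted origin:", origin_of(redirect))
    print("pair consistent:", check_pair(redirect, "https://adfs.example.com/"))
    # Constructed preflight responses: one correct, one using a wildcard.
    good = {"Access-Control-Allow-Origin": "https://adfs.example.com"}
    bad = {"Access-Control-Allow-Origin": "*"}
    print("good response allowed:", cors_allows(good, "https://adfs.example.com"))
    print("wildcard response allowed:", cors_allows(bad, "https://adfs.example.com"))
```

Run it once with your own ADFS service name to confirm the value you will paste as the redirect URI and the value you will paste as the trusted origin agree with each other; a mismatch between the two (a path on the origin, a missing slash on the redirect) is the usual cause of the browser blocking the MFA call after the app is added.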