Provide Okta as an IDP on a Azure AD to access application authenticated through the AAD
https://support.okta.com/help/answers?id=9062a000000quwrqa0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Jawad Ahmed

Hi,

We want to integrate Okta as an IDP for Azure AD and would like to enable users from Okta to have federated access to applications that are managed in an Azure Active Directory.

This will entail having Okta added as an Identity Provider (IDP) to enable access to, and authentication with, our applications hosted in Azure and managed by the AAD.
I have looked at the compatibility and Okta is supported to be added as an IDP in Azure (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-compatibility#okta).
However, I couldn't find any documentation on how to add that as an IDP.

I have a few questions regarding this:
Can we use Okta and add it as an IDP in our Azure B2B AD?
Will this be achieved by implementing SSO (Single Sign-On)? What is the preferred protocol to be used in this scenario for authentication: SAML, or OAuth and OpenID Connect?

Is there an alternative or easier way, such that users from Okta are able to sign in to an identity provided by Azure AD?
Is MFA supported in Okta for the said users?
It seems that if we go down the SAML route, we would have to change our AD to a custom domain, which we currently don't have (we are using the Microsoft default for our AD, "onmicrosoft.com").

I have skimmed over these links but couldn't find any straightforward answer:
  • https://support.okta.com/help/answers?id=9062A000000XaGLQA0&feedtype=SINGLE_QUESTION_DETAIL&dc=Okta_Application_Network&criteria=OPENQUESTIONS&
  • https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
  • https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp#azure-ad-saml-20-protocol-requirements
  • https://social.msdn.microsoft.com/Forums/en-US/ee6bfd3f-3c4a-4201-9800-8189e67b4dea/how-can-we-integrate-okta-as-idp-in-azure-ad?forum=WindowsAzureAD
  • https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom
  • https://stackoverflow.com/questions/34297152/azure-ad-as-federation-provider-for-okta%E2%80%8B
Nate Quesada (Okta, Inc.)
Hi Jawad,

Azure App Service only supports five IDPs out of the box and Okta is not one of them. To configure Okta as the IDP for this particular scenario, you will need to configure the Template WS Federation Application in Okta and set up custom authentication for Azure.

Here are some helpful articles from Microsoft on the related topic (you may have already reviewed these, but just FYI).

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b

https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-overview

Best,
Nate
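The Azure AD side of the federation the thread discusses (pointing a verified custom domain at Okta's WS-Federation template app, per the Microsoft federation compatibility page linked in the question) can be scripted with the MSOnline module. The block below is an added example and is not code from either poster or from Okta; the domain name, Okta org URL, app endpoint paths, issuer URI and certificate path are placeholders you must replace with the values shown on the Okta application's Sign On tab.

```powershell
# Added example (not from the thread): federate a verified custom Azure AD domain
# with Okta as a WS-Federation identity provider using the MSOnline module.
# Every value marked "placeholder" is an assumption; take the real ones from the
# Okta WS-Fed template app's Sign On tab.

Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a Global Administrator

$domain      = 'example.com'                                   # placeholder: verified custom domain
$oktaOrg     = 'https://example.okta.com'                      # placeholder: your Okta org URL
$passiveUri  = "$oktaOrg/app/template_wsfed/placeholderAppId/sso/wsfed"        # placeholder path
$activeUri   = "$oktaOrg/app/template_wsfed/placeholderAppId/sso/wsfed/active" # placeholder path
$logoffUri   = "$oktaOrg/login/signout"                        # placeholder
$mexUri      = "$oktaOrg/app/template_wsfed/placeholderAppId/sso/wsfed/mex"    # placeholder path
$issuerUri   = 'http://www.okta.com/placeholderAppId'          # placeholder: must equal the app's realm/issuer
$certPath    = 'C:\okta\okta-wsfed-signing.cer'                # placeholder: IdP signing cert exported from Okta

# Guard 1: the default *.onmicrosoft.com domain cannot be federated; a verified
# custom domain is required, which is exactly the constraint raised in the question.
if ($domain -like '*.onmicrosoft.com') {
    throw "Refusing to federate '$domain': the default onmicrosoft.com domain cannot be federated. Add and verify a custom domain first."
}

# Guard 2: the domain must already exist in the tenant and be verified.
$d = Get-MsolDomain -DomainName $domain -ErrorAction Stop
if ($d.Status -ne 'Verified') {
    throw "Domain '$domain' is not verified (status: $($d.Status)). Complete DNS verification before federating."
}

# Load the IdP signing certificate and pass it as base64 DER, as the cmdlet expects.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$certB64 = [Convert]::ToBase64String($cert.GetRawCertData())
Write-Host "Using signing cert $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Switch the domain from Managed to Federated and point it at Okta.
Set-MsolDomainAuthentication `
    -DomainName $domain `
    -Authentication Federated `
    -FederationBrandName 'Okta' `
    -IssuerUri $issuerUri `
    -PassiveLogOnUri $passiveUri `
    -ActiveLogOnUri $activeUri `
    -LogOffUri $logoffUri `
    -MetadataExchangeUri $mexUri `
    -SigningCertificate $certB64 `
    -PreferredAuthenticationProtocol WsFed

# Verify what Azure AD actually stored before sending real users through it.
Get-MsolDomainFederationSettings -DomainName $domain |
    Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, PreferredAuthenticationProtocol, SigningCertificate
```

Two points worth checking before running this against a production tenant: federating a domain changes sign-in for every user whose UPN suffix is that domain, so stage it on a test domain first, and the `IssuerUri` must match the issuer/realm configured in the Okta WS-Fed application exactly, otherwise Azure AD rejects the tokens Okta signs. Once the domain is federated, Azure AD redirects sign-ins to Okta, so Okta's own sign-on policies (including any MFA enrolled there) are what the user meets.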