Okta Classic Engine · Okta Integration Network · Answered · 2023-06-30T16:15:44.000Z · 2020-09-15T13:25:56.000Z · 2020-12-23T13:51:36.000Z

KarenH.16388 (The Aspen Institute) asked a question.

Office 365 WS-Trust

We are using O365 Intune to manage mobile devices and our desktop engineer also wants to use Intune to manage Windows computers. Per the Azure AD support team, we need to enable not only WS-Fed but also the WS-Trust protocol from Okta's end to work with federated accounts (even though WS-Trust will be deprecated from April 2022 for existing environments). I don't see any option for enabling the WS-Trust protocol in Okta.


Is anyone else using Intune to manage Windows computers with O365 WS-Fed enabled? How did you get it to work?


Thanks, -Karen



  • KarenH.16388 (The Aspen Institute)

    Hi Andrei, There isn't anything about WS-Trust protocol listed in the documentation. We are also using the "out-of-box" O365 app for WS-Fed.

  • KarenH.16388 (The Aspen Institute)

    So we have not been able to get the Okta O365 WS-Fed app and O365/Intune to work for zero-touch deployment when setting up new Windows laptops. These are the instructions provided by Azure AD for what we are trying to do: https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-joined-devices-frx. The problem appears to be some sort of authentication error when enabling accounts on new Windows laptops, and the instructions indicate WS-Trust is required, which Okta no longer supports. How have others set up their environment with Okta & O365 to enable zero-touch deployment of Windows laptops?

  • JasonE.52759 (Customer)

    Did you find a solution to this yet? We are facing the exact same problem and Okta Support has been just as helpful with us as they were with you.

  • KarenH.16388 (The Aspen Institute)

    Hi Jason, unfortunately we have not gotten it to work. I'm working on Plan B -- configuring an O365 test environment and plan to enable / test the early release feature "O365 Pass Claim For MFA" - Passes an MFA claim to Office 365 when MFA is completed successfully. A little stuck right now, though, since I can't federate with a trial Azure AD P1 license. If you test the early release feature, please let me know if that resolves the issue.

  • KarenH.16388 (The Aspen Institute)

    Posting an update: We enabled the early access feature "O365 Pass Claim For MFA" but Windows 10 machines are still not able to log in. After reviewing our Okta logs and this PDF https://www.okta.com/sites/default/files/2020-09/Okta-for-Hybrid-AAD-Join.pdf, I understand why the "Deny user access due to app sign on policy" appears. Our Okta logs also show ".../sso/wsfed/username13" for the Windows 10 machine logins, which only support Basic auth. I don't see a "custom" field indicated on page 8 of the PDF for adding "Windows-AzureAD-Authentication-Provider/1.0" and AutoPilot is still in beta, so what are our options?

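An added example (not from this thread or from Okta) of the log triage described in the update above: it scans Okta System Log events for WS-Fed sign-ins denied by an app sign-on policy and groups them by client user agent, so an admin can confirm whether the Windows device-join client ("Windows-AzureAD-Authentication-Provider/1.0") is the one being blocked. Field names follow Okta's System Log schema as I understand it (`outcome.result`, `outcome.reason`, `client.userAgent.rawUserAgent`, `debugContext.debugData.requestUri`); the events are constructed samples, not real log data.

```python
from collections import Counter

# User agent the Windows 10 join flow presents (quoted in the post above).
WINDOWS_JOIN_UA = "Windows-AzureAD-Authentication-Provider/1.0"
DENY_REASON = "Deny user access due to app sign on policy"

def _event(user, ua, result, reason, uri):
    # Helper to build a constructed sample event in Okta System Log shape.
    return {
        "eventType": "user.authentication.sso",
        "actor": {"alternateId": user},
        "client": {"userAgent": {"rawUserAgent": ua}},
        "outcome": {"result": result, "reason": reason},
        "debugContext": {"debugData": {"requestUri": uri}},
    }

# Constructed sample events: two Windows join attempts denied on the
# Basic-auth WS-Fed endpoint, one browser sign-in that succeeded, and
# one browser sign-in that failed for an unrelated reason.
SAMPLE_EVENTS = [
    _event("alice@example.com", WINDOWS_JOIN_UA, "FAILURE", DENY_REASON,
           "/app/office365/EXAMPLEAPPID/sso/wsfed/username13"),
    _event("bob@example.com", WINDOWS_JOIN_UA, "FAILURE", DENY_REASON,
           "/app/office365/EXAMPLEAPPID/sso/wsfed/username13"),
    _event("carol@example.com", "Mozilla/5.0 (Windows NT 10.0)", "SUCCESS", None,
           "/app/office365/EXAMPLEAPPID/sso/wsfed/passive"),
    _event("dave@example.com", "Mozilla/5.0 (Windows NT 10.0)", "FAILURE",
           "INVALID_CREDENTIALS", "/app/office365/EXAMPLEAPPID/sso/wsfed/passive"),
]

def get_path(event, dotted, default=None):
    """Walk a dotted key path through nested dicts, returning default if absent."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def is_wsfed_policy_denial(event):
    """True for a failed WS-Fed SSO attempt rejected by an app sign-on policy."""
    uri = get_path(event, "debugContext.debugData.requestUri", "") or ""
    reason = get_path(event, "outcome.reason", "") or ""
    return (get_path(event, "outcome.result") == "FAILURE"
            and "/sso/wsfed/" in uri
            and "sign on policy" in reason.lower())

def denials_by_user_agent(events):
    """Count policy denials per raw user agent; a spike on the Windows join UA
    points at the sign-on policy (e.g. an MFA requirement) blocking device join."""
    return Counter(get_path(e, "client.userAgent.rawUserAgent", "unknown")
                   for e in events if is_wsfed_policy_denial(e))

def denied_users(events):
    """Sorted list of accounts whose WS-Fed sign-in was denied by policy."""
    return sorted({get_path(e, "actor.alternateId", "unknown")
                   for e in events if is_wsfed_policy_denial(e)})
```

Pointing the same two functions at the JSON returned by the System Log API (instead of `SAMPLE_EVENTS`) gives the per-client breakdown needed to decide whether the app sign-on policy needs a separate rule for the device-join client.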
  • RyanD.04793 (Customer)

    Do you have the web sign-in credential provider enabled on your Windows endpoints? I'm doing AutoPilot (standalone, not hybrid) deployments with Okta without much issue.

This question is closed.