
3g115 (3g115) asked a question.
Hello there,
We have 2 clients, and both are using different identity providers: client1 is using Azure AD and client2 is using OKTA, and they have implemented SSO.
Now we need to give one common application (let's call it CommanApp) access to both clients using SSO.
What our clients want is that when their employees log in to their own identity providers using SSO (in client1's case Azure AD and in client2's case OKTA) and are redirected to CommanApp, they have to be able to access CommanApp without logging in to CommanApp.
We are thinking about providing central OKTA user identity provisioning on top of all the clients to access CommanApp.
But,
- is that possible if a client1 organization employee logs in to Azure AD and gets access to CommanApp, which has OKTA as its user identity provider?
- can we automate user provisioning into OKTA from Azure AD and other OKTA organizations?

Yes. First you need to set up SSO for CommanApp with Okta (central org), then set up an Inbound SAML IDP at Okta (central) with Azure and the other org's Okta as IDPs, with JIT provisioning.
Yes, refer to - https://help.okta.com/en/prod/Content/Topics/Provisioning/azure/azure-identify-identity-provider.htm
Hello @00ufvw0mxOJZpbKrv351.5548183538928567E12 (Customer), thank you for the reply.
I have followed it and set up Azure AD as an IDP in OKTA and created an OktaOpenID demo (CommanApp). Now can you please suggest how to redirect the user to the Azure AD login when the user clicks on the CommanApp login, and, when Azure AD grants access, how the user gets redirected again to the CommanApp dashboard?
You can also use IDP discovery to manage both the clients. Let OKTA choose the IDP to redirect to based on the LoginID or email.
For the users who are in Azure AD, OKTA will be the SP, and for the internal users who are present in OKTA as the IDP, they can access via Inbound SAML.
User provisioning can be automated from Azure AD and the other OKTA org as well.
Can you please provide some reference?
@3g115 (3g115) Once you set up an IDP app, there are two ways Azure users can access the CommanApp dashboard.
1] Build a URL:
Go to Okta -> select the IDP created for Azure -> copy the Authorize URL and build a URL: response_mode=fragment&scope=openid%20profile%20email&redirect_uri=https://commonapp_embaded_url_from_okta&state=any random string&nonce=random string
2] Create an App in Azure and use the above URL. Users can go to https://myapplications.microsoft.com/ and access the app as an IDP-initiated journey.
3] For an SP-initiated journey, you can create IDP discovery by creating Routing Rules. Use domain-based routing, so when users access the common app dashboard they are prompted to enter their user id and, based on the user id, they are redirected to use the Azure IDP.
I cannot explain step by step in these comments, but shoot any question if you get stuck anywhere.
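As an added example (not code from this thread or from Okta), here is how an application can build the authorize URL described in step 1] above, pick the `idp` by email domain as a local stand-in for the domain-based routing rule from step 3], and verify the `state` that comes back on the redirect. The org, client id, IdP ids and redirect URI are placeholders, and `response_type=id_token` is assumed since the thread's URL does not show it.

```python
# Added example: generate per-request state/nonce for Okta's /oauth2/v1/authorize
# endpoint, route to an IdP by e-mail domain, and check state on the callback.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

OKTA_ORG = "https://example.okta.com"                    # placeholder org
CLIENT_ID = "0oa-placeholder-client-id"                  # placeholder OIDC app
REDIRECT_URI = "https://commanapp.example.com/callback"  # placeholder

# Local stand-in for an Okta domain-based routing rule: domain -> IdP id.
IDP_BY_DOMAIN = {
    "client1.example": "0oa-placeholder-azure-idp",  # placeholder Azure AD IdP
    "client2.example": "0oa-placeholder-okta-idp",   # placeholder other-org Okta IdP
}

def choose_idp(login_id: str):
    """Return the IdP id for the user's e-mail domain, or None for Okta's own login."""
    domain = login_id.rsplit("@", 1)[-1].lower() if "@" in login_id else ""
    return IDP_BY_DOMAIN.get(domain)

def build_authorize_url(login_id: str):
    """Return (url, state, nonce); the caller stores state and nonce server-side."""
    state = secrets.token_urlsafe(32)  # unguessable, one per request; binds the callback
    nonce = secrets.token_urlsafe(32)  # echoed in the id_token; checked there to block replay
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",
        "response_mode": "fragment",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
    }
    idp = choose_idp(login_id)
    if idp:
        params["idp"] = idp  # sends the user straight to that IdP instead of Okta's login page
    return f"{OKTA_ORG}/oauth2/v1/authorize?{urlencode(params)}", state, nonce

def state_matches(callback_url: str, expected_state: str) -> bool:
    """Compare the state in the redirect fragment with the stored value in constant time."""
    fragment = parse_qs(urlparse(callback_url).fragment)
    got = fragment.get("state", [""])[0]
    return secrets.compare_digest(got, expected_state)
```

The id_token itself must still be validated (signature, issuer, audience, expiry, and that its nonce claim equals the stored nonce) before the user is treated as logged in.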
Hello @00ufvw0mxOJZpbKrv351.5548183538928567E12 (Customer),
Can you please give me some advice on the following use case that I'm implementing?
So,
I have created an OKTA OpenID demo (CommanApp) and assigned the Everyone group to that OKTA app.
Note: the Everyone group has all the user profiles that are created from Azure AD (IDP).
Now when I click login from CommanApp,
it's taking me to the OKTA login page,
and after a successful login the user gets redirected to the CommanApp dashboard, which is expected.
But,
if the user is logged in to Azure AD (in another tab in the browser) and then clicks on the CommanApp login button, I want the user to be redirected directly to the CommanApp dashboard.
(Note: in short, I don't want the user to be redirected to the OKTA login page to log in; the user should directly get access to the dashboard.)
Is it possible?
As all the Azure AD user profiles exist in OKTA and are assigned to the OKTA (OpenID) application too.
Let me know whether it is possible to do, and I would appreciate some reference too.
Open for suggestions.
Thank you.
I got a solution for this use case by setting up a routing rule, but I have multiple IDPs, and when I define a user attributes rule in the routing rule it's redirecting to the OKTA login and asking me for user id/email, but then asking me for a password, which I don't want. I'm expecting to be redirected to AAD based on an email regular expression match.
Thank you.
Hello @00ufvw0mxOJZpbKrv351.5548183538928567E12 (Customer),
Thank you for your kind help.
I'm facing an issue while testing the AAD SAML connection to OKTA.
What I mean is,
when I click on "Test single sign-on with <my application name>" (step 5 in Azure AD),
I'm getting redirected to https://login.microsoftonline.com/<id>/saml2?SAMLRequest=<token>,
then when I select my profile to log in,
I'm getting redirected to Okta at https://itoneclickjigi.okta.com/sso/saml2/<id> (which is the OKTA Assertion Consumer Service URL),
but getting the error "404 Error Code: GENERAL_NONSUCCESS".
Can you please help me to establish this connection?
Thank you.
Please follow this link and set up from scratch: https://developer.okta.com/docs/guides/add-an-external-idp/azure/before-you-begin/
Okay, let me go through it.
Thank you.