
qmuam (qmuam) asked a question.
Currently, we use PingFederate as the single sign-on solution when logging in to https://portal.azure.cn. We want to change to Okta as the SSO solution when logging in to https://portal.azure.cn.
It seems that the Office 365 application in Okta doesn't support Azure China by default. Then, how do we configure an Azure China application in Okta? And what configuration should be performed in Azure China?

Hi @qmuam (qmuam), thank you for reaching out to the Okta Community!
This is not currently supported. There might be plans for O365 China integration in the future, but there is no ETA yet.
You can suggest this as a Feature Request on the Okta Community page by going to the Community → Ideas tab. Features suggested in our community are reviewed and can be voted on and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and implemented.
More details here:
https://support.okta.com/help/s/blog/a674z000001cj7YAAQ/okta-ideas-faq?language=en_US
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
@qmuam (qmuam)
We are FreeLink (甫连信息, https://www.okta.com/partners/meet-our-partners/), an Okta Partner in China.
Many clients are interested in integrating Azure China with Okta. I have submitted an Okta Feature Request (https://ideas.okta.com/app/#/case/150220), and we are glad to hear that it has been passed on to Okta's product team for review and consideration in their product roadmap. Hope you will also help to vote for it.
I also created a case with Okta Support before; they told me Azure China may support SAML 2.0. Maybe you can try it. If you need our assistance in testing, we are happy to help.
We have integrated Azure China and Okta successfully. Azure China supports SAML 2.0, and we created an application in Okta using the SAML template.
Then we followed the guide below to configure the application in Okta and change the federation setting in Azure China:
https://docs.azure.cn/en-us/active-directory/hybrid/how-to-connect-fed-saml-idp
This solution works fine now.
@qmuam (qmuam) Oh, that's great news. I'll do a test later. Thanks for the document.
Hi Hengfeng,
When configuring the application in Okta, ensure you select SHA-2 as below, because Azure China doesn't support SHA-1 now. The guide provided by Microsoft mentions that SHA-1 should be used, but our actual experience is that we should select SHA-2.
NameID: The value of this assertion must be the same as the Azure AD user's ImmutableID. It can be up to 64 alphanumeric characters. Any non-HTML-safe characters must be encoded; for example, a "+" character is shown as ".2B".
IDPEmail: The User Principal Name (UPN) is listed in the SAML response as an element with the name IDPEmail. This is the user's UserPrincipalName (UPN) in Azure AD/Microsoft 365. The UPN is in email address format (the UPN value in Windows Microsoft 365 / Azure Active Directory).
Issuer: Required to be a URI of the identity provider. Do not reuse the Issuer from the sample messages. If you have multiple top-level domains in your Azure AD tenants, the Issuer must match the specified URI setting configured per domain.
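As an added example (not from the thread or from Okta/Microsoft), the following Python script checks a SAML assertion against the three requirements quoted above plus the SHA-2 signing point: the NameID is the ImmutableID (base64 of the on-prem objectGUID) with "+" written as ".2B" (only the encoding rule the thread quotes is applied), the IDPEmail attribute carries a UPN in email format, the Issuer is a URI, and the signature algorithm is rsa-sha256. The GUID, issuer URL and UPN in the sample assertion are constructed placeholders.

```python
import base64
import re
import xml.etree.ElementTree as ET
import uuid

# Namespaces used in a SAML 2.0 assertion and the signature algorithm Azure China accepts
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SHA256_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_immutable_id(object_guid: uuid.UUID) -> str:
    """ImmutableID is the base64 of the on-prem objectGUID bytes; the thread's rule
    is that '+' must appear as '.2B' in the NameID. Only that rule is applied here."""
    return base64.b64encode(object_guid.bytes).decode("ascii").replace("+", ".2B")

def check_assertion(xml_text: str, expected_name_id: str, expected_issuer: str) -> list:
    """Return the list of requirements the assertion violates (empty means it passes)."""
    root = ET.fromstring(xml_text)
    problems = []
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != SHA256_SIG:
        problems.append("signature must use rsa-sha256 (Azure China rejects SHA-1)")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer or "://" not in issuer:
        problems.append("Issuer must be the IdP URI configured for the domain")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id != expected_name_id or len(name_id) > 64:
        problems.append("NameID must equal the encoded ImmutableID (max 64 chars)")
    upn = ""
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == "IDPEmail":
            upn = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", upn):
        problems.append("IDPEmail attribute must carry the UPN in email address format")
    return problems

# Constructed sample (hypothetical GUID, issuer and UPN); a real assertion would be signed by
# Okta, so only the SignatureMethod element of the signature is represented here.
GUID = uuid.UUID("fb1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
ISSUER = "https://idp.example.com/okta-saml"
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{SHA256_SIG}"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>{encode_immutable_id(GUID)}</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="IDPEmail"><saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("NameID:", encode_immutable_id(GUID))
    print(check_assertion(SAMPLE, encode_immutable_id(GUID), ISSUER) or "assertion meets all requirements")
```

Swapping the Algorithm URI for rsa-sha1 in SAMPLE reproduces the failure the thread describes, which is a useful way to confirm the Okta app's signature setting before changing the Azure China federation.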
@qmuam (qmuam) Got it. Thank you for providing such detailed setup instructions.
@qmuam (qmuam) I tested in my environment successfully, but the user created by Azure AD is without an ImmutableID. Does your environment sync AD with Azure Connect?
@a0n5s (a0n5s), all users in our Azure cloud are synchronized from AD using the Azure AD connector, except the root account. We don't create users directly in Azure Active Directory.
@qmuam (qmuam) I tested in my customer's POC environment successfully, as in your environment. Have you tried syncing users from Okta to Azure AD?
@a0n5s (a0n5s), no. We didn't synchronize users from Okta to Azure AD. We only set which users can access the Okta application in Okta. But in Azure AD, we synchronize users from AD.