
User17144780020881967175 (Customer) asked a question.
I am testing the Microsoft Federated Identity configuration, which should allow the invitation of OKTA users as Guests to the M365 / Entra environment. This has been set up to use SAML 2.0 SSO and I have therefore configured a SAML Integration application within my OKTA Developer environment and gone through the process of setting up the SAML/WS-Fed identity provider within the MS Entra environment. Both setups appear to be complete, but I've obviously missed something.
When I invite a user, within the OKTA environment, as a Guest to the M365/Entra environment an invitation link is generated. Following that link takes me to the OKTA authentication page, but when I sign in to OKTA using the invited user credentials, Microsoft returns an Invitation Redemption error.
Is there anyone out there who may have experience with this configuration who can suggest what I need to adjust to resolve this issue?

Hi @User17144780020881967175 (Customer), thank you for reaching out to the Okta Community!
I've reviewed the available resources on the Okta side and I didn't find any indication that this use case is supported.
As of now, the supported use cases are for Okta as the IDP for MSFT or vice versa. Guest accounts seem to be a fringe case.
I tried looking on the MSFT side for clarification on the feature to see if there might be a not-out-of-the-box solution for this and if reading this right, the guest access is based on their "External ID" feature. https://learn.microsoft.com/en-us/entra/external-id/customers/overview-customers-ciam
For sign-in methods it mentions "You can enable various options for signing in to your app, including username and password, one-time passcode, and Google or Facebook identities.", so no SAML/WS-FED. That might be the reason it's failing for you.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Join the discussion for the Ask Me Anything online event on May 23, 2024 with Okta Tactical Edge Product Experts
Hi Mihai,
Thanks for your response, but I think you're mistaken; this article clearly states that it is possible:
Identity providers for External ID - Microsoft Entra External ID | Microsoft Learn
This guy, Carlos, posted an article on LinkedIn, Integration of Okta as an IdP for Microsoft Azure AD B2B | LinkedIn, which outlines the how-to of the scenario, but it just doesn't seem to provide sufficient detail to get it over the line.
Hi @User17144780020881967175 (Customer) That's fair.
So according to this, you will need a "Direct Federation" with Okta as the external IDP for Entra.
On the Okta side there is no explicit integration with "Azure/Entra" in this sense, but this is done via the M365 app. So you would need to go through this setup process.
I'm assuming in this particular case the federation would be against the "dedicated external tenant" for the purposes of setting up the M365 app in Okta.
The LinkedIn article mentions setting up a custom SAML app in Okta for the purposes of this integration which is uncommon.
Regards.
Hi @Mihai Negoita - Okta (Okta, Inc.) ,
We're not looking to use OKTA as the IDP for the M365 tenant, we simply need OKTA to be the IDP for a subset of Guests, who are being invited to collaborate, where their organization uses OKTA as the IDP service.
We've not considered using a 2nd M365 tenant for managing access to applications which are being shared with external (Guest) users, but I don't see that scenario being any different. We'd still want to use Entra as the IDP service for the tenant, with B2B user authentication managed via the various options available, one of which being SAML SSO via OKTA for specific Guest Domains.
I've got a support ticket open with Microsoft and am requesting further details on the correlation id that's presented when the invitation redemption process fails against Entra. Hopefully this will shed some light on what the problem is and allow a solution to be identified.
@Mihai Negoita - Okta (Okta, Inc.) ,
I've been liaising with Microsoft Support on this problem and their feedback is that the error is "AADSTS500089: SAML 2.0 assertion validation failed: SAML token is invalid".
The solution is to make sure the Okta IdP is sending the attributes in the format required by Entra ID (https://learn.microsoft.com/en-us/entra/external-id/direct-federation#required-saml-20-attributes-and-claims) and then to initiate the login on https://myapps.microsoft.com/.onmicrosoft.com, as per https://learn.microsoft.com/en-us/entra/external-id/direct-federation#sign-in-endpoints.
I've reviewed the attributes which are being exchanged and the one issue which I see is that the attribute which Microsoft expects to see named as AssertionConsumerService is being passed as Destination. Is there an option to change the way this is named from within the Okta Application?
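A way to pre-check a captured Okta SAML response against the attribute and claim requirements in the Microsoft direct-federation doc linked above, before burning another AADSTS500089 round-trip with support. This is an added example, not code from the thread or from Okta; the expected values (login.srf ACS, tenant-scoped Audience, persistent NameID, the emailaddress claim URI) are my reading of that doc and should be confirmed against its current text, and the sample response is constructed with placeholder issuer/tenant values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Expected values per the Microsoft "Required SAML 2.0 attributes and claims" section
# (assumption: verify against the current doc before relying on them).
ENTRA_ACS = "https://login.microsoftonline.com/login.srf"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"


def check_entra_federation_assertion(xml_text: str, tenant_id: str, idp_issuer: str) -> list:
    """Return human-readable problems; an empty list means every required item is present."""
    problems = []
    root = ET.fromstring(xml_text)
    # Okta's "Destination URL" lands in the Response Destination attribute; Entra wants its login.srf ACS here.
    if root.get("Destination") != ENTRA_ACS:
        problems.append(f"Destination/ACS is {root.get('Destination')!r}, expected {ENTRA_ACS!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no <saml:Assertion> element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != idp_issuer:
        problems.append(f"Issuer is {issuer!r}, expected the Okta IdP issuer URI {idp_issuer!r}")
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    expected_aud = f"https://login.microsoftonline.com/{tenant_id}/"
    if expected_aud not in audiences:
        problems.append(f"Audience {audiences!r} does not contain {expected_aud!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or its Format is not the persistent format")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    if "@" not in attrs.get(EMAIL_CLAIM, ""):
        problems.append(f"emailaddress claim {EMAIL_CLAIM!r} missing or not an e-mail address")
    return problems


# Constructed sample (not a real capture); XML signature omitted, placeholder issuer and tenant id.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="{ENTRA_ACS}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">00uEXAMPLE</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>guest@example.com</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Feed it the base64-decoded SAMLResponse from a browser trace of the failing redemption; each returned string is one thing to fix in the Okta app's SAML settings or attribute statements.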
Hi @User17144780020881967175 (Customer)
I don't think that's where the problem is. ACS typically refers to the URL, which is configured under the app's SAML settings, so "Destination" is the same as the SSO URL.
Check point "3- Configure SAML" in Carlos' doc: https://www.linkedin.com/pulse/integration-okta-idp-microsoft-azure-ad-b2b-carlos-segura-vidal-juope/
He seems to have it set as "Use this for Recipient URL and Destination URL".
But to answer your question: no, the name cannot be changed.
If it's related to a custom attribute statement, those can be named as needed.
Maybe this helps? https://support.okta.com/help/s/question/0D54z00007LkgO4CAJ/using-okta-as-saml-external-idp-for-azure-active-directory?language=en_US
Or this one seems to suggest that the "entity Id" (also under SAML Settings on the Okta side) might be wrong: https://learn.microsoft.com/en-us/answers/questions/721875/error-aadsts500089-saml-2-0-assertion-validation-f
Sorry I can't be of more help with this.
Regards.
OK, I found the mistake in the config of the OKTA App.
These values were incorrect:
Once corrected and with the Attributes set as below I have authenticated the test user against the target Tenant.