question

RamyaKamalanath-7252 asked FalconDarkstarMomot-9350 published

How to use Okta as IDP and Azure as SP -SAML-Setup B2B collaboration

Hi Team,

I have an app hosted on Azure. I want to set up B2B collaboration with Okta.

Okta will be the IDP. I need to set up B2B collaboration with Azure.

Here is what I have created: a SAML 2.0 application on Okta, with the appropriate users added.

(Could you please provide me with examples where I could reference the Single sign on URL and Audience URI (SP Entity ID), and all other SAML settings, to work seamlessly with Azure?)

On Azure:

External Identities --> New SAML connection --> added a dummy domain and the metadata file obtained from Okta.

On App registration, what should my redirect URI be?

So a user on the dummy domain from Okta is getting authenticated but is redirected to a page that says "SAML 2.0 assertion token failed".

Could you please provide me links/examples?

Regards

Ramya

azure-ad-b2b
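When the service provider side reports that the assertion failed, the usual suspects are a missing signature, an audience that does not match what the SP expects, a Destination that is not the SP's consumer URL, or a missing NameID/email claim. The checker below is an added example (not code from this thread or from Microsoft/Okta): it parses a decoded SAML Response and reports which of those conditions are violated. The expected audience and ACS URL are parameters; the email claim name is an assumption taken from Microsoft's federation documentation, and the sample response is constructed. It checks only that a signature element is present, it does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Claim name expected for the email address (assumption from Microsoft's docs, not from this thread)
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: unsigned, and the audience does not match the SP entity ID
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://sp.example.invalid/acs" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@partner.example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/wrong-audience</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user@partner.example.invalid</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_saml_response(xml_text, expected_audience, expected_acs):
    # Returns a list of problems; an empty list means the structural checks passed
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"]
    # The SP can only trust an assertion the IdP signed
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not contain {expected_audience!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    if not attrs.get(EMAIL_CLAIM):
        problems.append(f"email claim {EMAIL_CLAIM!r} missing")
    return problems
```

Feed it the base64-decoded SAMLResponse captured from the browser (a SAML tracer extension shows it) together with the Audience URI and ACS URL you configured on the SP side.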

soumi-MSFT answered soumi-MSFT edited

Hello @RamyaKamalanath-7252, thank you for sharing the details. Ideally, the redirect URI for any app has to be provided by the application team, as it's the URI where the app expects to receive the token from AAD or any other IDP. Hence it is something that the application team should have an understanding of.

Now coming to the bigger question of adding Okta as IDP on Azure AD: for that we can go by the general understanding of adding Okta as the external identity provider on AAD and creating a claims provider trust with it, and on Okta's end AAD would be the relying party.

To do that, I guess you can try to check the steps mentioned in this article, where you would add O365 as an RP to Okta: https://help.okta.com/en/prod/Content/Topics/Apps/Office365-Deployment/deploy-main.htm
Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

RamyaKamalanath-7252 answered soumi-MSFT commented

Thanks soumi for answering my question :)

The reference site that you have shared is for O365, but I'm looking for something different. I have created a web application on Azure and deployed a simple .NET Core project that displays a home page upon successful URL. Authentication and authorization is happening from Azure.

My requirement is: I have users on Okta and now I want authentication and authorization to happen from Okta, and upon success I should let only these users access the web application that I have created.
I have created an OpenID Connect web application on Okta and configured the login URL. And I used the ClientID and secret in the code and published it to the site hosted on Azure.

Using this directly in startup.cs has worked for me:

    // Requires: using Microsoft.IdentityModel.Tokens; (for TokenValidationParameters)
    .AddOpenIdConnect(options =>
    {
        // Client credentials of the OIDC application created on Okta (values removed here)
        options.ClientId = "";
        options.ClientSecret = "";
        // The Okta org is the authority; the discovery document is fetched from here
        options.Authority = "https://domain.okta.com";
        options.CallbackPath = "/authorization-code/callback";
        // Authorization code flow; tokens are kept so the app can use them later
        options.ResponseType = "code";
        options.SaveTokens = true;
        options.UseTokenLifetime = false;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name"
        };
    });

But I want to add Okta as an Identity Provider on Azure. How do I achieve it?


Hello @RamyaKamalanath-7252, thank you for sharing more details. The reason I shared the O365 integration with Okta is that, when you are creating a federation between Okta and O365, the federation is actually getting created between AAD and Okta, with Okta as the IDP and AAD as the relying party.

The only other way to add Okta as an external identity would be by following the details mentioned here:

Okta being third party I have no means to test that out and hence I can only ask you to test the same and share the general guidance.

lmurthy answered lmurthy edited

@RamyaKamalanath-7252

Did you ever get the direct federation with Okta working? If so, can you please share the details?


FalconDarkstarMomot-9350 answered FalconDarkstarMomot-9350 published

I did, and I wrote up what I did at https://serverfault.com/a/1062334/126699 if anyone wants.
