
Asked by AlfredSee-0136

Unable to set up Okta as SAML IdP with Azure AD (not B2C) via External Identities

Hi all,

Greetings. I have been trying to set up Okta as a SAML IdP in Azure AD External Identities, but after filling out the form and clicking "Save" I keep getting the error "Failed to add a SAML/WS-Fed identity provider". When checking the network request and its response, this is what I got:

 {
   "odata.error": {
     "code": "Directory_BindingRedirection",
     "message": {
       "lang": "en",
       "value": "Tenant information is not available locally. Use the following Urls to get the information."
     },
     "requestId": "fb56c895-1d14-44b7-b2f8-5b0eb7fc75a9",
     "date": "2021-07-27T01:39:40"
   }
 }

I'm just wondering whether I missed anything. The following is a screenshot of the setup:

[screenshot: image.png]

Thanks!

Tags: azure-ad-saml-sso

Answer from amanpreetsingh-msft

Hi @AlfredSee-0136 · I understand that you want the functionality shown below with Azure AD, and this can only be done by adding a SAML identity provider under External Identities (the way you mentioned in your question).
[screenshot: image.png]

However, as of now, Azure AD allows you to add external identity providers only for domains that are not added as a verified domain in any Azure AD tenant.

Since okta.com is already added as a verified domain in an Azure AD tenant, you cannot add an external SAML IdP for okta.com. If the okta.com domain is removed from its Azure AD tenant, adding okta.com as an external SAML IdP will work.

You may post feedback regarding this on the Azure feedback portal, which is monitored by the product group for product improvements.



Answer from amanpreetsingh-msft

Hi @AlfredSee-0136 · Thank you for reaching out.

SAML/WS-Fed identity provider (IdP) federation is possible only for domains that are NOT added as verified domains in any Azure AD tenant. In your case, you are trying to add okta.com, which is already added as a verified domain in an Azure AD tenant.

An easy way to identify this is: open portal.azure.com and, on the sign-in page, type anything@okta.com in the username field; it will redirect you to the Okta sign-in page, i.e., https://okta.okta.com/login/login.htm . This means okta.com is added as a federated domain in Azure AD.

This information is documented here: DNS-verified domains in Azure AD


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

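The manual test in the answer above (type anything@okta.com on the portal sign-in page and watch where it redirects) can be scripted, because the sign-in page decides on that redirect by looking up the domain's realm, and the same lookup is exposed without authentication at login.microsoftonline.com/getuserrealm.srf. The script below is an added example, not code from this thread or from Microsoft. It assumes that endpoint and the response field names NameSpaceType, DomainName and AuthURL as seen in its JSON replies; the three sample responses embedded in it are constructed for illustration, not captured from the endpoint.

```python
"""Pre-flight check before adding a SAML/WS-Fed IdP in Azure AD External Identities.

Added example; not code from this thread or from Microsoft. It scripts the
manual test from the answer above: Azure AD's sign-in page decides where to
send anyone@<domain> by looking up the domain's realm, and the same lookup is
exposed, unauthenticated, at login.microsoftonline.com/getuserrealm.srf.
Assumptions: that endpoint and the response fields NameSpaceType, DomainName
and AuthURL (the names seen in its JSON replies). The three sample responses
below are constructed for this example, not captured from the endpoint.
"""
import json
import urllib.parse
import urllib.request

REALM_ENDPOINT = "https://login.microsoftonline.com/getuserrealm.srf"


def fetch_realm(domain: str, timeout: float = 10.0) -> dict:
    """Live lookup (needs network); returns the realm JSON for anyone@<domain>."""
    query = urllib.parse.urlencode({"login": f"anyone@{domain}", "json": "1"})
    with urllib.request.urlopen(f"{REALM_ENDPOINT}?{query}", timeout=timeout) as resp:
        return json.load(resp)


def classify_realm(realm: dict) -> dict:
    """Apply the rule from the answer: a domain can be added as an External
    Identities SAML/WS-Fed IdP only if no Azure AD tenant has verified it.

    NameSpaceType "Federated": verified in a tenant, sign-in redirected to an
        external IdP (AuthURL). Cannot be added.
    NameSpaceType "Managed":   verified in a tenant, authenticated by Azure AD
        itself. Cannot be added.
    NameSpaceType "Unknown":   no tenant has verified it. Can be added.
    """
    ns_type = realm.get("NameSpaceType", "Unknown")
    domain = realm.get("DomainName") or realm.get("Login", "").rpartition("@")[2]
    verified = ns_type in ("Federated", "Managed")
    return {
        "domain": domain.lower(),
        "namespace_type": ns_type,
        "verified_in_some_tenant": verified,
        # Where portal.azure.com would redirect a user of this domain; this is
        # what the manual check in the answer makes visible.
        "sign_in_redirect": realm.get("AuthURL") if ns_type == "Federated" else None,
        "can_add_external_saml_idp": not verified,
    }


# Constructed sample responses (shape of getuserrealm.srf output; values invented
# for illustration). The federated one mirrors what the thread describes for okta.com.
SAMPLE_FEDERATED = {
    "State": 3, "UserState": 2, "Login": "anyone@okta.com",
    "NameSpaceType": "Federated", "DomainName": "okta.com",
    "FederationBrandName": "Okta",
    "AuthURL": "https://okta.okta.com/login/login.htm",
}
SAMPLE_MANAGED = {
    "State": 4, "UserState": 1, "Login": "anyone@contoso.example",
    "NameSpaceType": "Managed", "DomainName": "contoso.example",
    "FederationBrandName": "Contoso",
}
SAMPLE_UNKNOWN = {
    "State": 4, "UserState": 1, "Login": "anyone@nobody-owns-this.example",
    "NameSpaceType": "Unknown",
}


def report(realm: dict) -> str:
    """One-line verdict, e.g. for a pre-check before touching the portal."""
    c = classify_realm(realm)
    if c["can_add_external_saml_idp"]:
        return f"{c['domain']}: not verified by any tenant; SAML/WS-Fed federation allowed"
    where = f" (sign-in redirects to {c['sign_in_redirect']})" if c["sign_in_redirect"] else ""
    return (f"{c['domain']}: {c['namespace_type']} domain already verified in a tenant{where}; "
            "expect 'Failed to add a SAML/WS-Fed identity provider'")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python realm_check.py okta.com
        print(report(fetch_realm(sys.argv[1])))
    else:                                       # offline demo on the constructed samples
        for sample in (SAMPLE_FEDERATED, SAMPLE_MANAGED, SAMPLE_UNKNOWN):
            print(report(sample))
```

Run it with a domain argument for a live lookup, or with no arguments to see the three constructed cases classified. A "Managed" result blocks federation just as a "Federated" one does; only a domain nobody has verified comes back as addable.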

@amanpreetsingh-msft thanks for your reply!

I tried the portal.azure.com thing and found out that it is used to log into the Azure portal, so I think I didn't explain my problem well; sorry for that. I will describe what I am trying to do in detail.

Essentially, what I am trying to do is to provide SAML SSO support for my web application, and to make Azure AD the SP that does the SAML heavy lifting for me, similar to what GCP Identity Platform (https://cloud.google.com/identity-platform/docs/web/saml) and AWS Cognito (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html) provide in terms of adding SAML identity providers. From your response, I assume I might be using the wrong feature or service for this purpose. If that is the case, would you mind pointing me to the feature/service that I should be using?

Thanks!


Hi @AlfredSee-0136 · If I understood your requirement correctly, you want to configure SAML application to authenticate from Azure AD. For this purpose, you need to:

  • Azure Active Directory > Enterprise Applications > +New Application > +Create your own application > Integrate any other application you don't find in the gallery (Non-gallery) > Create.

  • Open the Application that you have created and click on Single Sign On blade and under Select a single sign-on method, click on SAML.

  • Upload the metadata or manually update the required fields to provide information about the Application to Azure AD.

  • Similarly upload the metadata or manually update the required fields to provide information about Azure AD to the application. (Azure AD Metadata can be downloaded from the Single Sign On blade under SAML Signing Certificate section)

  • Once above steps are completed successfully, your application can authenticate from Azure AD using SAML.

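The two metadata uploads in the procedure above (the application's details into Azure AD, Azure AD's details into the application) can be handled in code rather than by hand. The script below is an added example, not the thread's or Microsoft's own code. It assumes an SP entity ID and ACS URL under app.example, a placeholder tenant ID, and a sample federation metadata document constructed to resemble the shape Azure AD publishes (sts.windows.net entity ID, login.microsoftonline.com/<tenant>/saml2 endpoints); the certificate body in that sample is a placeholder, not a real certificate.

```python
"""SAML metadata exchange for the Enterprise Application setup described above.

Added example; not code from this thread or from Microsoft. The procedure is
a two-way exchange: the application hands Azure AD its SP metadata
(Identifier/Entity ID and Reply URL/ACS), and Azure AD hands the application
its federation metadata (entity ID, sign-on endpoint, signing certificate).
build_sp_metadata() produces the first; parse_idp_metadata() consumes the
second. SAMPLE_IDP_METADATA is constructed to resemble what Azure AD publishes;
the tenant ID, the SP URLs and the certificate body are placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_sp_metadata(entity_id: str, acs_url: str) -> str:
    """SP metadata to upload in step 3 (Identifier = entity_id, Reply URL = acs_url).
    WantAssertionsSigned="true" declares that the SP rejects unsigned assertions."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": SAML2P,
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true",
    })
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = (
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP needs from IdP metadata (step 4) and refuse metadata
    that is unusable: wrong role, no signing certificate, no SSO endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # absent 'use' means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))   # strip base64 line wrapping
    if not certs:
        raise ValueError("no signing certificate: assertions from this IdP could not be verified")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
        raise ValueError("no SingleSignOnService with a Redirect or POST binding")
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect": sso.get(HTTP_REDIRECT),
        "sso_post": sso.get(HTTP_POST),
        "signing_certs": certs,
    }


def is_usable_idp_metadata(xml_text: str) -> bool:
    """True only if the document passes every check in parse_idp_metadata()."""
    try:
        parse_idp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2P}">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
        MIIBplaceholderNotARealCertificate
        BodyWrappedAcrossLines==
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":
    print(build_sp_metadata("https://app.example/saml/metadata", "https://app.example/saml/acs"))
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
```

The parser deliberately rejects SP metadata handed to it by mistake (a common mix-up when both sides of the exchange are files named metadata.xml) and metadata with no signing certificate, since without the IdP's certificate the application has nothing to verify assertions against.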

Hi @amanpreetsingh-msft, hmm... not quite. I think the instructions above are for setting up Azure AD as a SAML identity provider (I could be wrong, though). What I am trying to do is to make Azure AD a SAML service provider.

Take AWS Cognito as an example; I am able to:
1. Assign and set up an external SAML identity provider for a Cognito user pool
2. Set up the Cognito user pool as a SAML service provider in that external SAML identity provider
3. Redirect my user from my web app to the Cognito login page
4. Cognito performs SAML auth against the external SAML identity provider
5. Once authenticated, Cognito redirects the user to my web app with ID token and access token
6. My web app uses the ID token and access token to establish a session for the user

So essentially I am looking for an Azure alternative to ^. Let me know if it makes sense.

Thanks!


