Question: ad b2c integration with okta

priyankakumari-0227 asked:

We have a requirement to integrate AD B2C with Okta as an external identity provider. This is the use case:

Okta has users imported from the on-prem Active Directory, and they are authenticated with their AD credentials via Okta.

Kindly help with detailed steps or a reference to some existing documents.

We have a project underway; kindly help at the earliest.

Thanks

azure-ad-b2c

1 Answer

amanpreetsingh-msft answered:

Hi @priyankakumari-0227, thank you for reaching out.

You can add Okta as an OpenID Connect IdP to Azure AD B2C.

<ClaimsProvider>
  <Domain>okta.com</Domain>
  <DisplayName>Okta Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Okta-OIDC">
      <DisplayName>Okta Account</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <!-- Replace dev-XXXXXX with your Okta org. B2C reads the issuer, endpoints and signing keys from METADATA -->
        <Item Key="ProviderName">https://dev-XXXXXX.okta.com</Item>
        <Item Key="METADATA">https://dev-XXXXXX.okta.com/.well-known/openid-configuration</Item>
        <!-- id_token + form_post: Okta posts the signed id_token straight back to B2C.
             If you switch response_types to "code", B2C calls the Okta token endpoint and needs the client_secret key below -->
        <Item Key="response_types">id_token</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <!-- 0: register a single redirect URI on the Okta app,
             https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/authresp
             1: register one per policy, with the policy name before /oauth2/authresp -->
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <!-- Client ID of the application you created in Okta for B2C -->
        <Item Key="client_id">XXXXXXXXXXXX</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key holding the Okta client secret (Identity Experience Framework > Policy keys) -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_oktasecret" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- "sub" is the stable Okta user identifier; it becomes the alternativeSecurityId that links the B2C account to Okta -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://dev-XXXXXX.okta.com" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <!-- Standard transformations from the B2C starter pack: build a UPN and the alternativeSecurityId from issuer + issuerUserId -->
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

Once you have added the above technical profile, update orchestration steps 1 and 2 in the user journey as shown below:

<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    <ClaimsProviderSelection TargetClaimsExchangeId="OktaExchange" />
    <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
  </ClaimsProviderSelections>
  <ClaimsExchanges>
    <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
  </ClaimsExchanges>
</OrchestrationStep>
<!-- Check if the user has selected to sign in using one of the social providers -->
<OrchestrationStep Order="2" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>objectId</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="OktaExchange" TechnicalProfileReferenceId="Okta-OIDC" />
    <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
  </ClaimsExchanges>
</OrchestrationStep>

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

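A preflight check for the technical profile in the answer above, added here as an example; it is not code from the original post or from Microsoft. It parses the `<TechnicalProfile>` with Python's ElementTree, derives the redirect URI that `UsePolicyInRedirectUri` implies, and compares the `METADATA`, `response_types`, `response_mode`, `scope` and `client_id` items against an OIDC discovery document. The `DISCOVERY` dict is a constructed stand-in for what `GET {METADATA}` would return from a real Okta org, so the check runs offline; the tenant name `contoso`, the policy name `B2C_1A_signup_signin` and the `XXXXXX` placeholders are assumptions.

```python
"""Offline preflight check for the Okta-OIDC technical profile (added example)."""
import xml.etree.ElementTree as ET

# Namespace of Azure AD B2C custom policy XML.
B2C_NS = {"b2c": "http://schemas.microsoft.com/online/cpim/schemas/2013/06"}

# Technical profile from the answer, wrapped in a policy root so it parses alone.
PROFILE_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <ClaimsProviders><ClaimsProvider>
    <Domain>okta.com</Domain>
    <TechnicalProfiles>
      <TechnicalProfile Id="Okta-OIDC">
        <Protocol Name="OpenIdConnect" />
        <Metadata>
          <Item Key="ProviderName">https://dev-XXXXXX.okta.com</Item>
          <Item Key="METADATA">https://dev-XXXXXX.okta.com/.well-known/openid-configuration</Item>
          <Item Key="response_types">id_token</Item>
          <Item Key="response_mode">form_post</Item>
          <Item Key="scope">openid profile email</Item>
          <Item Key="HttpBinding">POST</Item>
          <Item Key="UsePolicyInRedirectUri">0</Item>
          <Item Key="client_id">XXXXXXXXXXXX</Item>
        </Metadata>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider></ClaimsProviders>
</TrustFrameworkPolicy>"""

# Constructed discovery document standing in for GET {METADATA}; a real Okta org
# publishes this over HTTPS. Placeholder org name, same as in the profile.
DISCOVERY = {
    "issuer": "https://dev-XXXXXX.okta.com",
    "authorization_endpoint": "https://dev-XXXXXX.okta.com/oauth2/v1/authorize",
    "jwks_uri": "https://dev-XXXXXX.okta.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def load_metadata(policy_xml, profile_id):
    """Return the <Metadata> items of one technical profile as a dict."""
    root = ET.fromstring(policy_xml)
    for tp in root.iterfind(".//b2c:TechnicalProfile", B2C_NS):
        if tp.get("Id") == profile_id:
            return {i.get("Key"): (i.text or "").strip()
                    for i in tp.iterfind("./b2c:Metadata/b2c:Item", B2C_NS)}
    raise KeyError(f"technical profile {profile_id!r} not found")


def b2c_redirect_uri(tenant, policy, use_policy_in_uri):
    """Redirect URI to register on the Okta application for this profile.

    UsePolicyInRedirectUri 0/false: one URI serves every policy.
    UsePolicyInRedirectUri 1/true: one URI per policy, policy name in the path.
    """
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com"
    if use_policy_in_uri.lower() in ("1", "true"):
        return f"{base}/{policy}/oauth2/authresp"
    return f"{base}/oauth2/authresp"


def check_profile(md, disc):
    """Return a list of mismatches between profile metadata and discovery data."""
    problems = []
    # OIDC discovery lives at {issuer}/.well-known/openid-configuration, and B2C
    # validates the id_token "iss" claim against the issuer it finds there.
    if md.get("METADATA") != disc["issuer"] + "/.well-known/openid-configuration":
        problems.append("METADATA is not the issuer's .well-known/openid-configuration URL")
    for rt in md.get("response_types", "").split():
        if rt not in disc["response_types_supported"]:
            problems.append(f"response_type {rt!r} not supported by provider")
    if md.get("response_mode") not in disc["response_modes_supported"]:
        problems.append(f"response_mode {md.get('response_mode')!r} not supported by provider")
    scopes = md.get("scope", "").split()
    if "openid" not in scopes:
        problems.append("scope must include 'openid'")
    missing = sorted(set(scopes) - set(disc["scopes_supported"]))
    if missing:
        problems.append(f"scopes not advertised by provider: {missing}")
    if not md.get("client_id"):
        problems.append("client_id is empty")
    # B2C verifies id_token signatures with the provider's JWKS; RS256 is its default.
    if "RS256" not in disc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not advertise RS256 id_token signing")
    return problems


if __name__ == "__main__":
    md = load_metadata(PROFILE_XML, "Okta-OIDC")
    print("Register on Okta:", b2c_redirect_uri("contoso", "B2C_1A_signup_signin",
                                                md["UsePolicyInRedirectUri"]))
    print("Problems:", check_profile(md, DISCOVERY) or "none")
```

To use it against a real org, replace `DISCOVERY` with the JSON fetched from the `METADATA` URL and paste your own policy XML into `PROFILE_XML`; an empty problem list means the profile asks Okta only for things Okta advertises, and the printed URI is what the Okta application's sign-in redirect URI must match exactly.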

amanpreetsingh-msft commented:

Hi @priyankakumari-0227, just checking if you had a chance to test it out.