question

YuvashriJayakumar-8834 asked

Integration of Azure with OKTA using OIDC

How do we integrate Azure with Okta using OIDC?

My requirement is to access a protected application, which redirects to Okta. Okta passes the request to Azure for authentication. Once the user info is valid, it redirects back to the protected web application.

Here Azure acts as the IdP and Okta as the federation provider. I have created an IdP in Okta using the OpenID Connect provider type. Then I created an application in Azure Active Directory. In the IdP for the application, I chose OpenID Connect and mapped the Okta client ID and secret. But it's not working.

I have tried using SAML. It works fine. But I need to integrate both using OIDC only.

I appreciate any help on this.

Tags: azure-active-directory, azure-webapps, azure-ad-single-sign-on

1 Answer

soumi-MSFT answered

@YuvashriJayakumar-8834, thank you for reaching out. In order to add Azure AD as the IdP to Okta, you need to make sure that the Okta details, such as the Redirect URI, are properly set in Azure. You can follow the steps mentioned below:

  1. The first step is to create an App registration; you can find the steps here.

  2. In the Redirect URI section of the page, paste the Okta redirect URI. The redirect URI sent in the authorize request from the client needs to match the redirect URI in the Identity Provider (IdP). This is the URL where the IdP returns the authentication response (the access token and the ID token). It needs to be a secure domain that you own. This URL has the same structure for most Identity Providers in Okta and is constructed using your Okta subdomain and then the callback endpoint.

     For example, if your Okta subdomain is called company, then the URL would be: https://company.okta.com/oauth2/v1/authorize/callback. If you have configured a custom domain in your Okta org, use that value to construct your redirect URI, such as https://login.company.com/oauth2/v1/authorize/callback.

  3. Copy the Application ID value so that you can add it to the Okta configuration.

  4. Under Certificates & secrets of your App registration in AAD, click New client secret to generate a client secret for your app. Copy the value so that you can add it to the Okta configuration. This is the secret that corresponds to your Application ID.

For registering Azure AD as the IdP in Okta, you would need to get the following details from Azure AD and feed them into Okta.

  1. On the app Overview page, click Endpoints.
  2. In the panel that appears, copy the OpenID Connect metadata document URL and then paste that URL into a browser window to obtain the following endpoints:

    - issuer
    - authorization_endpoint
    - token_endpoint
    - jwks_uri

Once you have these details, you can follow the steps in the article below to configure Azure AD as the IdP in Okta:
https://developer.okta.com/docs/guides/add-an-external-idp/azure/configure-idp-in-okta/

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as the answer if the above response helped in answering your query.

2 comments

@soumi-MSFT Thanks for the help. It worked.

Regarding the OpenID Connect metadata document URL, there is a policy name which needs to be replaced. What should we provide there?

Since I was not sure about that, I used this URL:
https://login.microsoftonline.com/{tenant ID}/v2.0/.well-known/openid-configuration?appid={appID/Client ID Azure}

soumi-MSFT replied to YuvashriJayakumar-8834

@YuvashriJayakumar-8834, You can use the following URL as the OIDC metadata endpoint:
https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration.

Also, you can refer to the screenshot below to figure out the location to fetch the OIDC Metadata Endpoint:

[Screenshot: oidcendpoint-li.jpg]

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further.

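Both the answer's checklist (the Okta callback URI that is registered on the Azure app, and the four endpoints copied out of the discovery document) and the follow-up about which metadata URL to use can be checked mechanically before anything is pasted into the Okta IdP configuration. The Python below is an added example written for this page; it is not code from the question, the answer, or from Okta or Microsoft. It assumes the callback path and the tenant-specific v2.0 metadata URL exactly as the thread states them, uses a placeholder tenant GUID, and parses a constructed discovery document instead of fetching one, so it runs offline. The names okta_redirect_uri, azure_metadata_url, extract_endpoints and redirect_uri_mismatch are this example's own.

```python
"""Sanity checks for an Azure AD (IdP) <-> Okta (federation broker) OIDC setup.

Added example for this page, not code from the question, the answer, Okta or
Microsoft. Assumes, as the thread states, that Okta's OIDC IdP callback path is
/oauth2/v1/authorize/callback and that the tenant-specific Azure AD v2.0
discovery document lives at
https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration.
TENANT is a placeholder GUID and SAMPLE_METADATA is a constructed document that
mirrors the shape of the real one; nothing is fetched over the network.
"""
import json
import re
from urllib.parse import urlparse

AZURE_LOGIN = "https://login.microsoftonline.com"
OKTA_CALLBACK_PATH = "/oauth2/v1/authorize/callback"
# The four values the answer says to copy from the discovery document into Okta.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

_HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
_GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder, not a real tenant
SAMPLE_METADATA = json.dumps({  # constructed sample in the shape of the real document
    "issuer": f"{AZURE_LOGIN}/{TENANT}/v2.0",
    "authorization_endpoint": f"{AZURE_LOGIN}/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AZURE_LOGIN}/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{AZURE_LOGIN}/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def okta_redirect_uri(okta_domain: str) -> str:
    """Redirect URI to register on the Azure AD app (answer, step 2).

    okta_domain is a bare host: the Okta org host ("company.okta.com") or a
    custom login domain ("login.company.com"); no scheme, no path.
    """
    host = okta_domain.strip().lower()
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"expected a bare host name, got {okta_domain!r}")
    return f"https://{host}{OKTA_CALLBACK_PATH}"


def _require_guid(tenant_id: str) -> str:
    """The v2.0 issuer always carries the tenant GUID, so that is what we pin on."""
    tenant = tenant_id.strip().lower()
    if not _GUID_RE.fullmatch(tenant):
        raise ValueError(f"tenant id must be the tenant GUID, got {tenant_id!r}")
    return tenant


def azure_metadata_url(tenant_id: str) -> str:
    """Tenant-specific v2.0 discovery URL from the follow-up comment.

    Under this example's assumption the plain URL is enough: no policy name
    and no ?appid= query parameter are added.
    """
    tenant = _require_guid(tenant_id)
    return f"{AZURE_LOGIN}/{tenant}/v2.0/.well-known/openid-configuration"


def extract_endpoints(metadata_json: str, tenant_id: str) -> dict:
    """Return the four values Okta needs, after checking the document.

    Checks: all four keys present; every endpoint is https; the issuer is this
    tenant's v2.0 issuer. The issuer is what Okta later compares the ID token's
    iss claim against, so a /common or wrong-tenant issuer here would make the
    federation accept users from any Azure AD tenant.
    """
    tenant = _require_guid(tenant_id)
    doc = json.loads(metadata_json)
    missing = [key for key in REQUIRED_KEYS if key not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    expected_issuer = f"{AZURE_LOGIN}/{tenant}/v2.0"
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} is not {expected_issuer!r}")
    for key in REQUIRED_KEYS:
        parts = urlparse(doc[key])
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{key} must be an https URL, got {doc[key]!r}")
    return {key: doc[key] for key in REQUIRED_KEYS}


def redirect_uri_mismatch(registered: str, requested: str) -> list:
    """Explain why a requested redirect_uri differs from the registered one.

    Azure AD matches the whole string, so any difference listed here makes the
    authorize request fail; an empty list means an exact match.
    """
    if registered == requested:
        return []
    reg, req = urlparse(registered), urlparse(requested)
    reasons = []
    for part in ("scheme", "netloc", "path", "query"):
        if getattr(reg, part) != getattr(req, part):
            reasons.append(f"{part} {getattr(reg, part)!r} != {getattr(req, part)!r}")
    return reasons or ["strings differ only in case or fragment"]


if __name__ == "__main__":
    callback = okta_redirect_uri("company.okta.com")
    print("register on Azure app:", callback)
    print("fetch:", azure_metadata_url(TENANT))
    for key, value in extract_endpoints(SAMPLE_METADATA, TENANT).items():
        print(f"  {key}: {value}")
    print("mismatch:", redirect_uri_mismatch(callback, callback + "/"))
```

The issuer pin in extract_endpoints is the check worth keeping even if the rest is thrown away: Okta validates the ID token's iss against the issuer you type in, so copying the value from a /common or /organizations document instead of the tenant-specific one widens who can log in. The trailing-slash case in the usage section is the typical cause of "it's not working" after a SAML setup that tolerated it.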