Ajib

Reputation: 41

Okta SSO with Azure ADB2C

We have a requirement to use Okta as an SSO for an application that uses Azure ADB2C as IDP. So, the basic flow will be: the user signs into Okta and clicks on the configured application tile. In the background, Okta validates the user's identity with Azure ADB2C (these user details will already be in ADB2C) and returns the user to the application with the token provided from ADB2C. So in short, the user will sign into Okta only, and with that they should be able to enter the application. I have been checking various blogs and discussions and nothing was pointing in this required direction. Can anyone guide me on this by providing the needed documentation or necessary links?

So far, I have tried something similar to this https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-salesforce-saml and https://help.okta.com/en/prod/Content/Topics/integrations/open-id-connect.htm

But the above doesn't seem to fulfill our needs. Is this possible? If not, what is the best way to implement Okta as an SSO provider with Azure ADB2C IDP?

Upvotes: 2

Views: 1050

Answers (2)

Jas Suri - MSFT

Reputation: 11315

Follow adding a generic OIDC IDP: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect

For a custom policy you need to fill in the claims provider; for example:

<ClaimsProvider>
  <Domain>Okta</Domain>
  <DisplayName>Login using Okta</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Okta-OpenIdConnect">
      <DisplayName>OktaEmployee</DisplayName>
      <Description>Login with your Contoso account</Description>
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <!-- OIDC discovery document of the Okta authorization server; B2C reads
             the authorization, token and JWKS endpoints from it. -->
        <Item Key="METADATA">https://okta.com.....well-known/openid-configuration</Item>
        <!-- client_id of the OIDC app registered in Okta. -->
        <Item Key="client_id">00000000-0000-0000-0000-000000000000</Item>
        <!-- Authorization code flow: B2C redeems the code server-side using the
             client_secret referenced under CryptographicKeys below. -->
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="HttpBinding">POST</Item>
        <!-- false: the redirect URI to register in Okta is
             https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/authresp -->
        <Item Key="UsePolicyInRedirectUri">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Policy key container holding the Okta client secret. -->
        <Key Id="client_secret" StorageReferenceId="B2C_1A_ContosoAppSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <!-- The Azure AD template maps "oid"; Okta ID tokens carry the user's
             stable identifier in the standard OIDC "sub" claim instead. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub"/>
        <!-- "tid" is Azure AD specific; Okta does not issue it unless you add a
             custom claim of that name to the authorization server. -->
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss" />
        <!-- Custom claim: only populated if Okta is configured to emit "UserTitle". -->
        <OutputClaim ClaimTypeReferenceId="UserTitle" PartnerClaimType="UserTitle" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-custom-policy#configure-azure-ad-as-an-identity-provider-1

Reference to the OIDC technical profile:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect-technical-profile

To get claims from the Azure AD B2C user, read the claims first:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy#read-and-write-a-claim

Then issue any claims into the B2C token that have been acquired during the journey:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-user-input?pivots=b2c-custom-policy#include-a-claim-in-the-token

Upvotes: 3
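A check worth running against a claims provider like the one above before uploading the policy, as an added example (not code from the answer, from Microsoft or from Okta): it parses the technical profile, flags metadata and OutputClaim mappings that do not match what an Okta ID token actually carries, and emulates B2C's OutputClaims resolution against a constructed token payload. The embedded XML keeps the Azure AD-style `oid` mapping for `issuerUserId` so the lint has something to catch, and a second variant maps `sub`. The discovery URL, `client_id`, key container name and all token values are assumptions.

```python
"""Lint a B2C OpenIdConnect technical profile against the claims the upstream
IdP really issues, then emulate the OutputClaims mapping on a sample ID token.

Added example, not code from the original post or from Microsoft/Okta. The
profile below follows the answer's template with constructed placeholder
values; the token payload is a constructed sample shaped like an Okta ID token
issued for scope "openid profile"."""
import xml.etree.ElementTree as ET

# Constructed: answer's ClaimsProvider with an assumed Okta discovery URL,
# client_id and key container name filled in.
PROFILE_XML = """<ClaimsProvider>
  <TechnicalProfiles>
    <TechnicalProfile Id="Okta-OpenIdConnect">
      <Protocol Name="OpenIdConnect"/>
      <Metadata>
        <Item Key="METADATA">https://dev-123456.okta.com/oauth2/default/.well-known/openid-configuration</Item>
        <Item Key="client_id">0oa1example2client3id</Item>
        <Item Key="response_types">code</Item>
        <Item Key="scope">openid profile</Item>
        <Item Key="response_mode">form_post</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_OktaClientSecret"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="oid"/>
        <OutputClaim ClaimTypeReferenceId="tenantId" PartnerClaimType="tid"/>
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
        <OutputClaim ClaimTypeReferenceId="surName" PartnerClaimType="family_name"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" PartnerClaimType="iss"/>
      </OutputClaims>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

# Constructed Okta ID token payload (issuer, sub, aud and nonce are made up).
OKTA_ID_TOKEN_PAYLOAD = {
    "iss": "https://dev-123456.okta.com/oauth2/default", "sub": "00u1abcd2efghIJKL3m4",
    "aud": "0oa1example2client3id", "iat": 1700000000, "exp": 1700003600,
    "nonce": "b2c-nonce-0001", "name": "Ada Lovelace",
    "given_name": "Ada", "family_name": "Lovelace",
}

# Same profile with issuerUserId read from the standard OIDC "sub" claim.
FIXED_PROFILE_XML = PROFILE_XML.replace('PartnerClaimType="oid"', 'PartnerClaimType="sub"')


def parse_profile(xml_text):
    """Return (metadata dict, set of CryptographicKey ids, list of OutputClaim attrs)."""
    tp = ET.fromstring(xml_text.strip()).find(".//TechnicalProfile")
    metadata = {item.get("Key"): (item.text or "").strip() for item in tp.find("Metadata")}
    keys = {key.get("Id") for key in tp.find("CryptographicKeys")}
    claims = [dict(claim.attrib) for claim in tp.find("OutputClaims")]
    return metadata, keys, claims


def lint_profile(xml_text, idp_claims):
    """Findings a reviewer would raise, given the claim names the IdP issues."""
    metadata, keys, claims = parse_profile(xml_text)
    findings = []
    url = metadata.get("METADATA", "")
    if not (url.startswith("https://") and url.endswith("/.well-known/openid-configuration")):
        findings.append("METADATA must be the HTTPS OIDC discovery URL")
    # The authorization code flow needs a client secret to redeem the code.
    if metadata.get("response_types") == "code" and "client_secret" not in keys:
        findings.append("response_types=code needs a client_secret CryptographicKey")
    for claim in claims:
        partner = claim.get("PartnerClaimType")
        if partner is None or claim.get("AlwaysUseDefaultValue") == "true":
            continue  # constant claim, nothing is read from the token
        if partner not in idp_claims:
            findings.append(f"{claim['ClaimTypeReferenceId']} maps '{partner}', "
                            "which this IdP does not issue")
    return findings


def map_output_claims(xml_text, payload):
    """Emulate B2C's OutputClaim resolution; return (mapped, unresolved names)."""
    _, _, claims = parse_profile(xml_text)
    mapped, unresolved = {}, []
    for claim in claims:
        name, partner = claim["ClaimTypeReferenceId"], claim.get("PartnerClaimType")
        if claim.get("AlwaysUseDefaultValue") == "true":
            mapped[name] = claim["DefaultValue"]
        elif partner in payload:
            mapped[name] = payload[partner]
        elif "DefaultValue" in claim:
            mapped[name] = claim["DefaultValue"]  # default only when the token lacks it
        else:
            unresolved.append(name)
    return mapped, unresolved


if __name__ == "__main__":
    for label, xml_text in (("as posted", PROFILE_XML), ("oid -> sub", FIXED_PROFILE_XML)):
        print(f"== {label}")
        for finding in lint_profile(xml_text, OKTA_ID_TOKEN_PAYLOAD):
            print("  finding:", finding)
        mapped, unresolved = map_output_claims(xml_text, OKTA_ID_TOKEN_PAYLOAD)
        print("  issuerUserId:", mapped.get("issuerUserId"), "| unresolved:", unresolved)
```

Run it as-is to see the `oid`/`tid` findings and the unresolved `issuerUserId`, which is the claim the `CreateAlternativeSecurityId` transformation in the answer's template depends on; an unresolved `issuerUserId` means no stable B2C identity is created for the Okta user.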

Pruthvi Raj Nadimpalli

Reputation: 1373

You can find the documentation here: https://developer.okta.com/docs/guides/add-an-external-idp/azure/configure-idp-in-okta/

Thank you.

Upvotes: 0
