Okta as IDP for Azure - azure

So I want to provide access to users over Okta to Azure.
We have local AD which is not synced to MS Azure account
We have custom domain inside Azure AD
There is also 2nd part of this where we want to sync local AD mail field to Workday and add some O365 users to the same tenant which is another (native) Okta app.
So looking at docs, it seems I need to install ADConnect client which will import all users to the same O365/Azure tenant. Then on the Okta, there is native o365 app that I simply need to configure (it didn't look like problematic). But for the Azure part, the documentation is not really good and I am confused what should I do with Azure.
It seems I need to add Custom SAML 2.0 Application on Okta for Azure and configure External Identities-->New SAML connection on Azure. There also should be a way how to link Okta users to AzureAD ones but they have different domains. Did I get this correctly?
Thank you!

You can do the following:
Use AAD Connect to sync on-premise users to Azure AD
Integrate on-premise AD with Okta
Use Okta's native Office 365 application to integrate Okta with Azure AD for Single Sign On. When you use this application, you don't have to do anything on Azure AD. Okta will take care of everything for you. All you need to do is follow these steps: https://help.okta.com/en/prod/Content/Topics/Apps/Office365-Deployment/configure-sso.htm

Related

Using both Azure AD and Azure AD B2C to authenticate with SSO

My Azure web application will have both internal and external users. The requirements regarding authentication are:
Internal users authenticate with their domain accounts (with SSO)
External users authenticate through Azure AD B2C (we need to create accounts for them)
How can I set up such scenario?
Regards
George
If your internal users are using Azure AD - simple - you add your corporate AAD as Identity provider to your B2C.
There are various ways to do this. So start here.
If your internal users do not have Microsoft 365 (Azure AD), and you only have on-premises AD DS infrastructure - ... move to Cloud, things will be so much easier. If not, you need at least ADFS, then you can hook up ADFS as Identity Provider in your B2C.
There is no way to make Windows Integrated Authentication and Claims Based authentication at the same time for the app.

OneLogin Azure AD as a Directory

Our organization uses Azure AD and not Microsoft AD DS .
Does OneLogin integrate with Azure active directory as a 'Directory' apart from the traditional on-prem AD DS. Is there any way to use Azure AD as a directory.
There is an Azure AD application in the applications section, can we use it to import users from Azure AD? Seems like it's an SSO app only and does not do user provisioning/syncing!
Out of desperation, I also tried the Azure AD Connect to sync to a dummy on-prem ADDS to Azure AD and then sync this dummy ADDS to OneLogin, but this seems like a very hackish way to do it and has it's own host of problems.
I'm not able to figure out how to contact support; there is no support email mentioned on the website anywhere.
Not similar to Connecting OneLogin to Azure Ad, as I am trying to add Azure Ad as a directory and the aforementioned question is about an error in federation configuration in Office 365 application of OneLogin.
Any help on this would be immensely appreciated! Thanks in advance!
After a conversation with OneLogin support, here's a few ways to achieve this paraphrased:
"We are not able to utilise Azure AD as a classic on-premise directory (such as we might use for AD synchronisation using the OneLogin Active Directory Connector) although customers who pay extra to Microsoft and have enabled LDAP are able to use our "LDAP via SSL" option although this does not allow for any customisation.
We do have plans to deliver some expanded directory offering but there is no release date for this and you can register a vote and add use-case notes for this request using our IDEAS channel. On US based systems you can use the IDEAS button available at the bottom right corner of the administration screen otherwise access https://onelogin.ideas.aha.io, select your tenant and then login. Then look at https://onelogin.ideas.aha.io/ideas/IDEAS-I-1488
If you can generate a CSV list of users in AD then you can import users using a CSV file into OneLogin - still a manual process but you may find this less complex than using the on-premise server - see https://onelogin.service-now.com/kb_view.do?sysparm_article=KB0010529
The "Azure AD application in the applications section" is for going in the other direction and is for using SAML 2.0 with OneLogin as an Identity Provider and is used for Microsoft Azure AD tenancies where there is no Office 365 involved but users need access to other apps installed in Azure AD.
The other mechanism being used is to have Azure AD as a Trusted IdP and then also enable Just-In-Time provisioning. This allows the Azure AD users to authenticate to Microsoft and then have a SAML assertion sent into OneLogin and dynamically create all the required fields that the classic directory synchronisation might have allowed (see https://onelogin.service-now.com/kb_view.do?sysparm_article=KB0011181)"
I decided to try Just-In-Time provisioning, will update if any blockers!

Azure AD B2C and on-premise Active Directory

We have the following scenario:
an Angular app accessing a Web Api backend
our own user database
We are planning to use a third-party identity solution such as Azure AD B2C, AWS IAM or Auth0. To my surprise, I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out)
We want to get to the following scenario:
an Angular app accessing a Web Api backend
third-party identity solution that manages the users of the angular app (preferably Azure AD B2C)
users need to authenticate via the identity solution (e.g. using a social account)
some users are in an existing on-premise AD and also need to be able to access the angular app
So my problem basically is : if we would use Azure AD B2C, how can we let users that are defined in an on-premise AD, authenticate in our Angular app? Or with other words: can an on-premise AD be an identity provider for Azure B2C?
This scenario can be solved with AD B2C custom policies.
I found that Auth0 has an integration with on-premise Active
Directory, but Azure AD B2C seems not to support this (at least not
that I could find out)
One way I know to make this work through ADFS. Where you can Integrate ADFS in B2C. I will update this answer if I know any other way of doing this.
Update Start
You can use Shibboleth and Okta servers apart ADFS server.
Update End
users need to authenticate via the identity solution (e.g. using a
social account) some users are in an existing on-premise AD and also
need to be able to access the angular app
If you use custom policies, you can achieve all of these scenarios. You can integrate both social accounts and AD via ADFS (On Premise ADFS server which give access to On Premise AD users)
if we would use Azure AD B2C, how can we let users that are defined in
an on-premise AD, authenticate in our Angular app? Or with other
words: can an on-premise AD be an identity provider for Azure B2C?
As I said this is possible through ADFS server. All you need to do is enable ADFS service on your server and add Relying Parties and make B2C consume and allow your AD users to login with B2C.
Warning: If at all your server not have ADFS enabled first try it on other test server.
ADFS in custom policies can found at: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp

Azure AD as Federation Provider for Okta

We are developing an application in which we plan to use Okta as the ID provider. However, this application will be hosted in Azure and we would like to use the Azure ACS for Federation. However, off late we came to know that ACS is going be integrated with Azure AD (http://blogs.technet.com/b/ad/archive/2015/02/12/the-future-of-azure-acs-is-azure-active-directory.aspx). I am bit confused here.
I understand AD provides the directory services and will be used for authentication. In our case, this will be Okta. How can I use AD (as ACS is going to be integrated with AD) for this? I tried uploading a Ws-Federation metadata for a test application from Okta to Azure ACS (tried to create a new ID provider), however I couldn't succeed in doing that. Any help will be much appreciated.
I tried using Okta APIs, and it worked well. But, the ask is to use Azure to communicate with Okta.
You can set up Okta as the IDP to Azure since you plan to leverage Okta as the directory and as the IDP. The benefit here is that you can leverage other policies and features within Okta for authorization during login time (eg. mfa).
https://msdn.microsoft.com/en-us/library/azure/dn641269.aspx - This page provides a pretty detailed description on how to set this up. So effective, Azure is not "directly" communicating with Okta - but rather - integrating with Okta where Azure (and your app) is the SP and Okta is the IDP.

Connecting ADFS to Windows Azure Active Directory

We are developing a multi-tenant application and would like to be listed on Azure and support Azure AD as an IdP for our customers. However, a few customers that already have ADFS 2.0 setup didn't like the idea of sync'ing all accounts and passwords to Azure AD. So, is there anyway that when Azure AD receives a login request, somehow, have it redirect to ADFS and let ADFS do all the magic and return a token back to Azure AD which then returns JWT (using OpenID Connect) to our application?
I know that ACS supports such scenario but we are worried that Microsoft would soon drop support for it.
Thanks!
This document details how your customers can federate their ADFS instance with Azure AD:
https://technet.microsoft.com/library/dn550987.aspx

Resources