问题描述
对于天蓝色广告应用程序,我们需要将okta配置为IDP.例如:当用户尝试访问企业应用程序时,将面临登录页面的挑战,该页面将由OKTA进行验证.发布此身份验证后,授权将由Azure处理,授权成功后,将向用户显示该应用程序的登录页面.
We need to configure okta as IDP for azure ad applications. For example: When a user tries to access the enterprise application, they'll be challenged with a login page, which will be validated by OKTA. Post this authentication, the authorization will be handled by Azure and upon successful authorization, user will be shown a landing page of the application.
我们引用了以下链接作为设置参考:
We have referred below links as reference for setup:
https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation https://docs.microsoft.com/zh-CN/azure/active-directory/hybrid/how-to-connect-fed-saml-idp https://developer.okta.com/docs/guides/custom-url-domain/overview/
到目前为止我们做了什么?
What we did so far?
- 注册公司"example.com";在okta.默认情况下,okta会将其配置为"example.okta.com"
- 注册的自定义域"id.example.com".使用此域可以访问我们的okta实例
- 在OKTA中创建企业SAML应用(在Azure AD中也存在)
- 导出的OKTA IDP元数据
现在,我们正在尝试将此IDP元数据作为AAD中的外部身份提供程序导入.但是,如果我们将example.com或id.example.com映射为联合idp的域名,它将失败并出现以下错误.由于这些错误,我们无法设置联合IDP(OKTA)的自定义域. 请在相同的方法上为我们提供帮助.
Now, we are trying to import this IDP metadata as external identity provider in AAD. But it fails with below error, if we map example.com or id.example.com as domain name of federating idp. Because of these errors we’re unable to setup the custom domain of federated IDP(OKTA). Please assist us on the approach for the same.
错误消息:
对于域为"id.example.com"无法添加SAML/WS-Fed身份提供程序.此直接联盟策略未通过一项或多项要求.转到aka.ms/b2b-direct-fed了解更多信息.
For domain as "id.example.com"Failed to add a SAML/WS-Fed identity provider.This direct federation policy does not pass one or more requirements. Go to aka.ms/b2b-direct-fed to learn more.
对于作为"example.okta.com"的域;无法添加SAML/WS-Fed身份提供程序.当前不支持此直接联合身份验证配置.身份验证URL必须与用于直接联合的域匹配,或者是允许的域之一.转到aka.ms/b2b-direct-fed了解更多信息.
For domain as "example.okta.com"Failed to add a SAML/WS-Fed identity provider.This direct federation configuration is currently not supported. The authentication URL must match the domain for direct federation or be one of the allowed domains. Go to aka.ms/b2b-direct-fed to learn more.
推荐答案
@Kalyan Krishna
@Kalyan Krishna
谢谢回复.我们已经阅读了文档.OKTA被列为Azure支持的受支持的第三方联合IDP之一.我们参考了MS文档并尝试进行配置,但是我们发现Azure AD不支持具有自定义域的外部IDP(OKTA)配置.如上文所述,它会引发错误.因此,我们尝试将联合域配置为".okta.com".(包括其他IDP元数据详细信息).然后它起作用了,并且为了进行身份验证,AZ AD被重定向到OKTA.当myapps URL附加有租户ID时,SP身份验证流程可以正常工作,但是在测试IDP启动的SSO时,它会失败.
Hi,Thanks for the reply. We have already gone through the documentation. OKTA is listed down as one of the supported 3rd party federated IDP that Azure supports. We referenced the MS docs and tried to configure, but we observed Azure AD doesn't support external IDP(OKTA) configuration with custom domain. It throws error as mentioned in the above post. So, we tried to configure the federated domain as ".okta.com" (including other IDP metadata details). It worked then, and for authentication AZ AD is getting redirected to OKTA. SP authentication flow works fine when myapps URL is appended with tenant ID, but while testing IDP initiated SSO it fails.
> IDP发起的SSO失败使用OKTA作为Azure中的IDP
IDP initiated SSO fails with OKTA as an IDP in Azure
这篇关于Okta作为Azure AD中的IDP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!