IDP initiated SSO fails with OKTA as an IDP in Azure

怎甘沉沦 submitted on 2021-02-11 13:37:18

Question


We have configured OKTA as an IDP in Azure AD. While testing the IDP (OKTA) authentication flow, it throws an error.
We configured Okta and Azure AD using the Microsoft link below as a reference.

https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation

What have we done so far?

  1. Registered the company "example.com" in OKTA.
  2. Created a custom SAML app in OKTA to export the OKTA IDP metadata.
  3. Configured the app's SSO settings as in the reference link above.
  4. Imported the OKTA metadata as an external IDP in Azure AD.

Followed the steps below to test the IDP authentication flow:

  1. Logged in with an existing user in OKTA.
  2. After successful authentication, the user is redirected to the dashboard page.
  3. Here, when we click on the custom app chiclet, instead of being redirected to the Microsoft apps portal, it throws the error below:

AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.


Answer 1:


I think direct federation doesn't support IdP-initiated login; you need to log in using the tenant context. Have you seen that note in the link you pasted?

Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid=<tenant id> or https://portal.azure.com/<tenant id>, or in the case of a verified domain, https://myapps.microsoft.com/<verified domain>.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.



Source: https://stackoverflow.com/questions/62956315/idp-initiated-sso-fails-with-okta-as-an-idp-in-azure
