Microsoft Entra ID to Okta SAML Federation
Enable seamless single sign-on from Microsoft Entra ID to Okta-managed applications
Organizations using Microsoft Entra ID (formerly Azure AD) as their primary identity provider often need to provide users access to applications managed by Okta. This federation enables seamless single sign-on from Entra ID to Okta-managed applications using SAML 2.0.
Prerequisites
- Microsoft Azure tenant with Entra ID P1 license or higher
- Okta organization with administrative access
- Global Administrator permissions in Entra ID
- Super Admin permissions in Okta
Architecture Overview
- Identity Provider: Microsoft Entra ID (manages users and authentication)
- Service Provider: Okta (provides applications and services)
- Flow: User → Entra ID (authenticate) → Okta (federate) → Applications
Step 1: Create Enterprise Application in Entra ID
Navigate to Enterprise Applications
1. Log into Azure Portal (portal.azure.com)
2. Navigate to Microsoft Entra ID
3. Select Enterprise applications > New application
4. Select "Create your own application"
Create Custom Application
# Application Configuration
Name: Okta Federation
Integration type: "Integrate any other application you don't find in the gallery"
# Configure Single Sign-On
1. Navigate to Single sign-on in application menu
2. Select SAML as authentication method
Generate SAML Certificate
# Generate Certificate
1. In Section 3 (SAML Signing Certificate), click Edit
2. Click "New Certificate"
3. Set expiration (default 3 years)
4. Download certificate in Base64 format
5. Save certificate file securely
# Collect Identity Provider Details
Copy from Section 4:
- Login URL
- Microsoft Entra Identifier
Step 2: Configure SAML Identity Provider in Okta
Create New Identity Provider
# Create Identity Provider
1. Log into Okta Admin Console
2. Navigate to Security > Identity Providers
3. Click "Add Identity Provider"
4. Select "SAML 2.0 IdP"
Basic Configuration
Identity Provider Settings
Name: Entra ID Federation
IdP Username: idpuser.subjectNameId
Filter: Leave blank
Match against: Okta username
Account Link & Provisioning
✓ Automatic account linking
✓ Auto-Link users
✓ Create users if one does not exist (JIT)
✓ Update attributes for existing users
Group Assignment: Create or select group
SAML Protocol Configuration
# Certificate
X.509 Certificate: Upload Base64 certificate from Entra ID
# Endpoints
IdP Issuer URI: Microsoft Entra Identifier (from Step 1)
IdP Single Sign-On URL: Login URL (from Step 1)
IdP Single Log-Out URL: Leave blank
# After creation, copy:
- Assertion Consumer Service URL
- Audience URI
Step 3: Complete Entra ID Application Configuration
Configure Basic SAML Settings
# Return to Entra ID Enterprise Application > Single sign-on
# In Section 1 (Basic SAML Configuration), click Edit
Identifier (Entity ID): [Audience URI from Okta]
Reply URL (ACS URL): [Assertion Consumer Service URL from Okta]
Configure User Attributes & Claims
# Default claims issued by Entra ID, with the namespace URIs that the Okta mapping must match exactly:
Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Given Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Surname: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Step 4: Configure Attribute Mapping in Okta
Access Profile Editor
# Configure Attribute Mapping
1. Navigate to Directory > Profile Editor
2. Find your Entra ID Identity Provider profile
3. Click Mappings > Configure User mappings
# Reset Existing Mappings
Set every attribute except login to "Do not map" using the dropdown
Create Custom Attributes
# Email Attribute
Variable Name: email
External Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Attribute Type: string
# First Name Attribute
Variable Name: firstName
External Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Attribute Type: string
# Last Name Attribute
Variable Name: lastName
External Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Attribute Type: string
Configure Profile Mappings
# Map Attributes to User Profile
firstName → user.firstName
lastName → user.lastName
email → user.email
displayName → user.displayName
Step 5: Assign Users and Test Federation
Assign Users in Entra ID
# Assign Users
1. In Entra ID Enterprise Application, navigate to "Users and groups"
2. Click "Add user/group"
3. Select target users or groups for Okta access
4. Assign appropriate roles if needed
Test Authentication Flow
# Test Federation Flow
1. User navigates to myapps.microsoft.com
2. Authenticates with Entra ID credentials
3. Clicks the Okta tile (the enterprise application created in Step 1)
4. First-time users may need to complete additional setup
5. Successfully lands on Okta dashboard with assigned applications
# Verification
- Check Okta System Log for successful SAML assertions
- Verify user creation in Directory > People
- Confirm group assignment for federated users
Troubleshooting Common Issues
SAML Response Errors
- “General Nonsuccess”: Review attribute mappings in Okta Profile Editor
- “Unable to JIT”: Verify email format and attribute mapping
- Check Okta System Log for detailed error messages
Authentication Failures
- Certificate Issues: Verify Base64 format and expiration
- Endpoint Config: Confirm Issuer URI matches exactly
- Check for trailing slashes or extra characters
User Provisioning Problems
- Missing Attributes: Review Entra ID claims configuration
- Namespace URLs: Verify exact matches and case sensitivity
- Group Assignment: Confirm federated user group exists
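The checks behind the troubleshooting items above, together with the claim-to-profile mapping from Steps 3 and 4, as an added example that is not part of the original guide and is not Microsoft's or Okta's code: a Python script that parses a constructed, unsigned SAML Response of the shape Entra ID posts to the ACS URL, compares the IdP Issuer URI, ACS URL and Audience URI against the configured values (reporting trailing-slash, whitespace and case differences as separate diagnostics), checks the assertion's validity window, and maps the four claim URIs onto the Okta profile attributes, flagging "Unable to JIT" when a required one is absent or a claim name differs only in case. The tenant GUID, Okta org, ACS and Audience values and the sample user are constructed placeholders; signature verification, which Okta performs with the uploaded certificate, is not reimplemented.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Entra ID claim names (Step 3) -> Okta profile attributes (Step 4 mappings).
CLAIM_TO_OKTA = {CLAIMS + "emailaddress": "email", CLAIMS + "givenname": "firstName",
                 CLAIMS + "surname": "lastName", CLAIMS + "name": "displayName"}
REQUIRED_FOR_JIT = ("login", "email", "firstName", "lastName")
# Values entered in the Okta IdP (Step 2) and the Entra app (Step 3). Constructed
# placeholders: the tenant GUID, Okta org and IDs are not real.
CONFIG = {"idp_issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
          "acs_url": "https://example.okta.com/sso/saml2/0oaIDPEXAMPLE",
          "audience": "https://www.okta.com/saml2/service-provider/spEXAMPLE"}
# Constructed claim values for a sample user.
SAMPLE_CLAIMS = {CLAIMS + "emailaddress": "jane.doe@example.com", CLAIMS + "givenname": "Jane",
                 CLAIMS + "surname": "Doe", CLAIMS + "name": "Jane Doe"}
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # inside the sample's validity window

def sample_response(issuer=CONFIG["idp_issuer"], audience=CONFIG["audience"], claims=None):
    """Constructed, unsigned Response like the one Entra ID posts to the ACS URL.
    The parameters let common misconfigurations be reproduced."""
    claims = SAMPLE_CLAIMS if claims is None else claims
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                    '</saml:AttributeValue></saml:Attribute>' for n, v in claims.items())
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="{CONFIG['acs_url']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:55:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def decode_saml_response(saml_response_b64):
    """The browser POSTs the Response base64-encoded in the SAMLResponse form field."""
    return base64.b64decode(saml_response_b64).decode()

def compare_endpoint(label, expected, actual):
    """None on exact match, otherwise a diagnostic naming the usual culprit."""
    if expected == actual:
        return None
    hint = "value does not match"
    if expected.rstrip("/") == actual.rstrip("/"):
        hint = "trailing slash differs"
    elif expected.strip() == actual.strip():
        hint = "surrounding whitespace"
    elif expected.lower() == actual.lower():
        hint = "case differs (the comparison is case-sensitive)"
    return f"{label}: {hint} (expected {expected!r}, got {actual!r})"

def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, config, now):
    """Check issuer, destination, audience and validity window, then build the Okta
    profile. Signature verification (Okta does it with the uploaded X.509 certificate)
    is deliberately out of scope here."""
    errors, profile = [], {}
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    errors += filter(None, [compare_endpoint("IdP Issuer URI", config["idp_issuer"], issuer),
                            compare_endpoint("ACS URL", config["acs_url"], root.get("Destination", ""))])
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": errors + ["Response carries no Assertion"], "profile": profile}
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        nb, noa = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if nb and noa and not (_parse_time(nb) <= now < _parse_time(noa)):
            errors.append(f"assertion not valid at {now.isoformat()} (NotBefore={nb}, NotOnOrAfter={noa})")
        audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
        errors += filter(None, [compare_endpoint("Audience URI", config["audience"], audience)])
    # Okta's idpuser.subjectNameId is the assertion's Subject NameID.
    profile["login"] = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        if name in CLAIM_TO_OKTA:
            profile[CLAIM_TO_OKTA[name]] = value
        else:  # unmapped claim; point out names that differ only in case
            near = [k for k in CLAIM_TO_OKTA if k.lower() == name.lower()]
            errors.append(f"unmapped attribute {name!r}" + (f", case differs from {near[0]!r}" if near else ""))
    missing = [f for f in REQUIRED_FOR_JIT if not profile.get(f)]
    if missing:
        errors.append("Unable to JIT: missing " + ", ".join(missing))
    return {"ok": not errors, "errors": errors, "profile": profile}

if __name__ == "__main__":
    posted = base64.b64encode(sample_response().encode()).decode()
    print(check_response(decode_saml_response(posted), CONFIG, NOW))
    # Issuer URI entered in Okta without its trailing slash (Troubleshooting: Endpoint Config).
    print(check_response(sample_response(issuer=CONFIG["idp_issuer"].rstrip("/")), CONFIG, NOW)["errors"])
```

To use it against a real federation, replace CONFIG with the values from your own Okta IdP and Entra app and feed decode_saml_response a SAMLResponse value captured from the browser during a failed login; the diagnostics name the mismatch (trailing slash, whitespace, case, expired window, missing claim) rather than just reporting failure, which is the information the Okta System Log's "General Nonsuccess" entry does not give you.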
Conclusion
This federation enables seamless user experience while maintaining security boundaries between Microsoft and Okta identity platforms, providing centralized access management across hybrid identity infrastructures. Users can authenticate once with Entra ID and gain access to all Okta-managed applications.
Best Practice: Implement conditional access policies in Entra ID and configure appropriate Okta policies for federated users to maintain security across both platforms.
