Using Azure AD as identity provider

    Customer side round 1

    • Inside the Azure AD directory, on the left pane click "Enterprise applications"
    • On the top bar click "New application"
    • On the next screen:
      • Click "Create your own application"
      • Set a name for the application (for this example, this will be "CXN_Product")
      • Select "Integrate any other application you don't find in the gallery (Non-gallery)"
      • Click "Create"
    • On the overview screen of the newly created application:
      • Click "Single sign-on" on the left pane
      • Select "SAML"
    • On the "SAML-based Sign-on" screen:
      • On the "Basic SAML Configuration" panel, click "Edit"
      • Enter temporary values for "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)" so that the signing certificate can be generated for download (the final values come from Okta in round 2)
      • Click "Save"
    • On the "SAML Certificates" panel:
      • Click the "Download" link for "Certificate (Base64)"
    • On the "Set up your application name" panel (for this example it's "Set up CXN_Product"):
      • Record the values for:
        • Login URL
        • Azure AD Identifier
    • On the overview screen of the "CXN_Product" application:
      • Click "Users and groups" on the left pane
      • On the top bar click "Add user/group"
      • Assign the users who need access to the application

    Chemaxon side round 1

    • In Okta, under "Security > Identity providers":
      • Add Identity Provider and select "SAML 2.0 IdP"
      • Add a name (for the example, this will be "Azure")
      • Set values:
        • Authentication Settings
          • IdP Usage => SSO Only
          • IdP Username => idpuser.email
          • Match against => Okta Username
          • Account Link Policy => Automatic
          • Auto-Link Restrictions => None (or optionally restrict auto-linking to a group)
          • If no match is found => Create new user (JIT)
        • JIT settings
          • Check the "Update attributes for existing users" checkbox
        • SAML Protocol Settings
          • IdP Issuer URI => the value of the "Azure AD Identifier" field from Azure
          • IdP Single Sign-On URL => the value of the "Login URL" field from Azure
          • IdP Signature Certificate => upload the certificate downloaded from Azure
          • Response Signature Verification => Assertion
      • Click "Finish"
      • Record the values from the new identity provider:
        • Assertion Consumer Service URI
        • Audience URI
      • On the "Routing rules" tab for identity providers:
        • Add a routing rule so that when a user accesses the application, the new Azure identity provider is used

    Customer side round 2

    • Inside the Azure AD directory, on the left pane click "Enterprise applications" and open the "CXN_Product" application created in round 1:
      • Left pane > "Single sign-on"
      • Click "Edit" on the "Basic SAML Configuration" panel
        • For "Identifier (Entity ID)" set the value of "Audience URI" from Okta
        • For "Reply URL" set the value of "Assertion Consumer Service URL" from Okta
      • Click "Edit" on the "Attributes & Claims" panel
        • Make sure that:
          • The required claim "Unique User Identifier (Name ID)" maps to a valid unique identifier for the user, preferably the email
          • Under "Additional claims" there are these 3 other properties, and they map to correct values: login, email, firstName, and lastName
        • To set these values, click on the claim and, in the "Source attribute" field, choose which property of the user profile maps to the selected claim

    Important notes

    • After making changes to the Single sign-on attributes, a new certificate needs to be downloaded from Azure and uploaded to Okta
    • Okta mapping:
      • The external name of an attribute is its path in the SAML assertion, for example "login.login"
    • Required properties for Okta:
      • email
      • firstName
      • lastName
    • The flow of user profile attributes is:
      1. Azure > Claims > set the name and source attribute, and do not set a namespace
      2. Create a custom attribute for the field in Okta (with a different external name if the source attribute has a namespace)
      3. Set the mapping from the attribute to the user profile value
    • When creating the identity provider:
      • The Authentication Settings value "IdP Usage" is very important: it selects where Okta will look for the unique ID of the user in the SAML response
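A small check of the claim setup described in round 2 and in the notes above, added here as an example that is not part of this guide or of any Okta or Azure tooling: it parses a constructed SAML assertion and reports where the NameID, issuer, audience and claim names deviate from what the guide requires. The placeholder issuer and audience values, the sample assertion and the function name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed placeholders for the two values the guide exchanges between the sides:
# Azure's "Azure AD Identifier" (issuer) and Okta's "Audience URI".
EXPECTED_ISSUER = "https://sts.windows.net/PLACEHOLDER-TENANT-ID/"
EXPECTED_AUDIENCE = "https://www.okta.com/saml2/service-provider/PLACEHOLDER"
# Claim names Okta should see without a namespace ("login" plus the three required properties).
REQUIRED_ATTRS = ("login", "email", "firstName", "lastName")

# Constructed sample assertion (signature omitted). Two deliberate setup mistakes:
# lastName is absent, and surname still carries Azure's default claim namespace.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/PLACEHOLDER-TENANT-ID/</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://www.okta.com/saml2/service-provider/PLACEHOLDER</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="login"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, expected_issuer=EXPECTED_ISSUER, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of problems found in the assertion; an empty list means the claim setup matches the guide."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} does not match the Azure AD Identifier")
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        problems.append(f"audience {audience!r} does not match the Okta Audience URI")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS) or ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", name_id):
        problems.append(f"NameID {name_id!r} is not an email address")
    # Map claim Name -> first AttributeValue; the Name is what Okta uses as the external name.
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", namespaces=NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append(f"missing or empty claim {name!r}")
    for name in attrs:
        if "/" in name:  # namespaced claim: Okta's external name would have to be this full path
            problems.append(f"namespaced claim {name!r}; clear the namespace in Azure or match it in Okta")
    return problems
```

Run it against an assertion captured from a browser SAML tracer after the round-2 changes; an empty list means the claims line up with the required properties listed above.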