Using Azure AD as identity provider

    Customer side round 1

    • Inside Azure AD directory, on the left plane click "Enterprise applications"
    • On top bar click "New application"
    • On next screen:
      • Click "Create your own application"
      • Set name for the application (for this example, this will be "CXN_Product")
      • Select "Integrate any other application you don't find in the gallery (Non-gallery)"
      • Click "Create"
    • On the overview screen of the newly created application:
      • click "Single sign-on" on the left pane
      • Select "SAML"
    • On the "SAML-based Sign-on" screen:
      • On "Basic SAML Configuration" panel, click "edit"
      • Enter temporary values for "Identifier (Entity ID)"" and "Reply URL (Assertion Consumer Service URL)" to generate the certificate for download.
      • Click "Save"
    • On the "SAML Certificates" panel:
      • Click "Download" link for "Certificate (Base64)"
    • On the "Set up your application name" (for this example it's "Set up CXN_Product") panel:
      • record the values for:
      • Login URL
      • Azure AD Identifier
    • On the overview screen of "CXN_Product" application:
      • click "Users and groups" on the left pane
      • On Top bar click "Add user/group"
      • Assign users who need access to the application

    Chemaxon side round 1

    • In Okta, under "Security > Identity providers":
      • Add Identity Provider and select "SAML 2.0 IdP"
      • Add Name (for the example, this will be "Azure")
      • Set values:
        • Authentication Settings
        • IdP Usage => SSO Only
        • IdP Username =>
        • Match against => Okta Username
        • Account Link Policy => Automatic
        • Auto-Link Restrictions => None (or optionally restrict auto-linking to a group)
        • If no match is found => Create new user (JIT)
        • JIT settings
        • Check "Update attributes for existing users" checkbox
        • SAML Protocol Settings
        • IdP Issuer URI => Set value of "Azure AD Identifier field" from Azure
        • IdP Single Sign-On URL => Set value of "Login URL" field from Azure
        • IdP Signature Certificate => Upload certificate from Azure
        • Response Signature Verification => Assertion
      • Click "Finish"
      • Record values from new Identity provider:
      • Assertion Consumer Service URI
      • Audience URI
      • On "Routing rules" tab for Identity providers:
      • Add Routing Rule for the case when User is accessing the Application, the new Azure Identity provider will be used

    Customer side round 2

    • Inside Azure AD directory, on the left plane click "Enterprise applications":
      • Left panel > "Single sign-on"
      • Click "edit" on "Basic SAML Configuration" panel
        • For "Identifier (Entity ID)" set the value of "Audience URI" from Okta
        • For "Reply URL" set the value of "Assertion Consumer Service URL" from Okta
      • Click "edit" on "Attributes & Claims" panel
        • Make sure that:
        • The required claim "Unique User Identifier (Name ID)" maps to a valid unique identifier for the user, preferably the email
        • Under "Additional claims" there are these 3 other properties, and they map to correct values
          • login, email, firstName, and lastName
        • To set these values, click on the claim, and in the "Source attribute" field, you can choose which property of the user profile will map to the selected value

    Important notes

    • After doing changes in the Single sign-on attributes, new certificate needs to be downloaded and transferred to Okta
    • Okta Mapping
      • External name of Attribute is the path in the SAML assertion for example "login.login"
    • Required properties for Okta:
      • email
      • firstName
      • lastName
    • Flow of user profile attributes is:
      1. Azure > Claims > Setup name and source attribute AND don't set namespace
      2. Create Custom attribute for the field (different external name if source attribute has a namespace)
      3. Set Mapping from attribute to userProfile value
    • When creating Identity Provider:
      • Authentication Settings "IdP Usage" is very important: This value will select where will Okta look for the Unique Id of the User in the SAML Response