Using Azure AD as identity provider
Customer side round 1
Inside the Azure AD directory, on the left pane click "Enterprise applications"
On top bar click "New application"
On next screen:
Click "Create your own application"
Set name for the application (for this example, this will be "CXN_Product")
Select "Integrate any other application you don't find in the gallery (Non-gallery)"
Click "Create"
On the overview screen of the newly created application:
Click "Single sign-on" on the left pane
Select "SAML"
On the "SAML-based Sign-on" screen:
On "Basic SAML Configuration" panel, click "edit"
Enter temporary values for "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)" to generate the certificate for download.
Click "Save"
On the "SAML Certificates" panel:
Click "Download" link for "Certificate (Base64)"
On the "Set up <application name>" panel (for this example it's "Set up CXN_Product"):
Record the values for:
Login URL
Azure AD Identifier
On the overview screen of "CXN_Product" application:
Click "Users and groups" on the left pane
On the top bar click "Add user/group"
Assign users who need access to the application
Chemaxon side round 1
In Okta, under "Security > Identity providers":
Add Identity Provider and select "SAML 2.0 IdP"
Add Name (for the example, this will be "Azure")
Set values:
Authentication Settings
IdP Usage => SSO Only
IdP Username => idpuser.email
Match against => Okta Username
Account Link Policy => Automatic
Auto-Link Restrictions => None (or optionally restrict auto-linking to a group)
If no match is found => Create new user (JIT)
JIT settings
Check "Update attributes for existing users" checkbox
SAML Protocol Settings
IdP Issuer URI => Set value of the "Azure AD Identifier" field from Azure
IdP Single Sign-On URL => Set value of "Login URL" field from Azure
IdP Signature Certificate => Upload certificate from Azure
Response Signature Verification => Assertion
Click "Finish"
Record values from new Identity provider:
Assertion Consumer Service URI
Audience URI
On "Routing rules" tab for Identity providers:
Add a Routing Rule so that when a user accesses the application, the new Azure Identity Provider is used
Customer side round 2
Inside the Azure AD directory, on the left pane click "Enterprise applications":
Left pane > "Single sign-on"
Click "edit" on "Basic SAML Configuration" panel
For "Identifier (Entity ID)" set the value of "Audience URI" from Okta
For "Reply URL" set the value of "Assertion Consumer Service URL" from Okta
Click "edit" on "Attributes & Claims" panel
Make sure that:
The required claim "Unique User Identifier (Name ID)" maps to a valid unique identifier for the user, preferably the email
Under "Additional claims" there are these 3 other properties, and they map to the correct values: login, email, firstName, and lastName
To set these values, click the claim and, in the "Source attribute" field, choose which property of the user profile maps to the selected claim
Important notes
After changing the Single sign-on attributes, a new certificate needs to be downloaded and transferred to Okta
Okta Mapping
The external name of the attribute is its path in the SAML assertion, for example "login.login"
Required properties for Okta:
Flow of user profile attributes is:
Azure > Claims > Set up the name and source attribute AND don't set a namespace
Create a custom attribute for the field (use a different external name if the source attribute has a namespace)
Set the mapping from the attribute to the userProfile value
When creating Identity Provider:
Authentication Settings "IdP Usage" is very important: this value selects where Okta will look for the unique ID of the user in the SAML Response
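As an added check, not part of the original page or of Chemaxon's or Okta's tooling: a small Python script that parses a constructed Azure AD SAML response and reports the things the mapping and IdP settings above depend on (a NameID for the unique user ID, the four claims under their plain unnamespaced names, and a signature inside the Assertion rather than only on the Response). The sample response and the check function are assumptions for illustration; the check is structural only and does not verify the signature cryptographically.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The four attributes the Okta mapping expects, as plain (unnamespaced) claim names
REQUIRED_CLAIMS = ("login", "email", "firstName", "lastName")


def check_saml_response(xml_text):
    """Structural checks only (no signature verification); True/empty list means pass."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"assertion_present": False}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = [a.get("Name") for a in
             assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    return {
        "assertion_present": True,
        # Okta takes the unique user ID from NameID under the IdP Usage / username settings above
        "name_id_present": name_id is not None and bool((name_id.text or "").strip()),
        "missing_claims": [c for c in REQUIRED_CLAIMS if c not in attrs],
        # A namespaced Azure claim arrives as a URI and will not match "login", "email", ...
        "namespaced_claims": [n for n in attrs if "/" in n or ":" in n],
        # "Response Signature Verification => Assertion" needs ds:Signature inside the Assertion
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
    }


# Constructed sample (hypothetical): lastName was left with Azure's default namespaced claim name
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="login"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, result in check_saml_response(SAMPLE_RESPONSE).items():
        print(f"{name}: {result}")
```

Running it on the sample reports lastName as missing and the surname claim as namespaced, which is exactly the misconfiguration the "don't set namespace" note above warns about.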