How can you use Okta as the IdP to authenticate guest users signing in as guests to AAD? The following few paragraphs cover a few gotchas.
TL;DR
The idea is to create a new user in Okta, either manually or automatically. The user has an attribute, like “MSFT Guest Account UPN” (in this example we just use email), whose value is in a specific domain, in this example ‘guest.thomasheinz.net’. This domain is federated in Azure AD to Okta as a third-party IdP.
We will use Okta Workflows to create the guest account in AAD and to send the invite message.
Configure
Federation with a SAML/WS-Fed identity provider (IdP) for B2B – Azure AD – Microsoft Entra
Configure a new SAML app in Okta – you can find the required attributes and claims in the MSFT article: Federation with a SAML/WS-Fed identity provider (IdP) for B2B – Azure AD – Microsoft Entra.
You can find the Tenant ID in the Azure AD Overview blade:
In Okta, make sure that the username matches the email address you set for the new guest account when inviting the user.
In Okta it does not have to be the Email attribute – usually you should create a new attribute like MSFT Guest Account UPN or something along those lines.
My working SAML settings:
Note: In my example I am using the domain “guest.thomasheinz.net” as email – this is not a routable email address. It is just the realm. I create guest accounts via Okta Workflows and send the invite email to another, routable e-mail address.
Adding another domain
As you can see in the screenshot below, the passive authentication endpoint is using my Okta custom domain. The first domain you add also has to match the host of the passive authentication endpoint!
We want to use “guest.thomasheinz.net” though – that’s why I added that domain as a second one.
To be able to do that you have to add a TXT record in DNS for the additional domain with the value DirectFedAuthURL=$passiveauthurl (the full passive authentication endpoint URL) – please see screenshot:
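An added example (not from the original post) that checks the two gotchas above before you hit them in the portal: the first federated domain must match the host of the passive authentication endpoint, and every additional domain needs a DirectFedAuthURL TXT record pointing at that same URL. The Okta custom domain, the TXT answers and the guest-domain names are constructed placeholders, and the invitation body assumes the guest is created through the Microsoft Graph /invitations API rather than an Okta Workflows connector.

```python
from urllib.parse import urlparse

# Constructed example values (not from the original post): the Okta custom
# domain hosting the SAML endpoint and the second, non-routable guest domain.
PASSIVE_AUTH_URL = "https://login.example.com/app/azure_b2b/exk0000000/sso/saml"
FEDERATED_DOMAINS = ["login.example.com", "guest.example.com"]  # first one must match the IdP host
TXT_RECORDS = {  # constructed DNS answers, as `dig TXT <domain>` would print them
    "guest.example.com": ['"v=spf1 -all"',
                          '"DirectFedAuthURL=https://login.example.com/app/azure_b2b/exk0000000/sso/saml"'],
    "login.example.com": [],
}

def passive_auth_txt(records):
    """Return the DirectFedAuthURL value from a list of TXT strings, or None if absent."""
    for rec in records:
        value = rec.strip('"')
        if value.startswith("DirectFedAuthURL="):
            return value[len("DirectFedAuthURL="):]
    return None

def check_federation(domains, passive_auth_url, txt_lookup):
    """Verify the federated-domain list: first domain == passive-auth host,
    every additional domain carries a TXT record equal to the passive-auth URL."""
    problems = []
    host = urlparse(passive_auth_url).hostname
    if domains[0].lower() != host.lower():
        problems.append(f"first domain {domains[0]} does not match passive auth host {host}")
    for domain in domains[1:]:
        found = passive_auth_txt(txt_lookup.get(domain, []))
        if found is None:
            problems.append(f"{domain}: no DirectFedAuthURL TXT record")
        elif found != passive_auth_url:
            problems.append(f"{domain}: TXT points at {found}, expected {passive_auth_url}")
    return problems

def check_guest_upn(upn, domains):
    """The Okta username (or the 'MSFT Guest Account UPN' attribute) must sit in a
    federated domain, otherwise direct federation never applies to that guest."""
    return upn.rsplit("@", 1)[-1].lower() in {d.lower() for d in domains}

def invitation_payload(guest_upn, redirect_url):
    """Graph /invitations body for the post's pattern: the guest UPN lives in the
    non-routable federated domain, so the built-in invitation mail is suppressed and
    the returned inviteRedeemUrl is delivered separately to the user's routable address."""
    return {"invitedUserEmailAddress": guest_upn,
            "inviteRedirectUrl": redirect_url,
            "sendInvitationMessage": False}
```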
How does it look?
Just a quick video showing what the end user sees after clicking the invite link (sorry, no audio).