问题
We have configured OKTA as an IDP in Azure AD. While testing the IDP(OKTA) authentication flow, it throws error.
Configured Okta & Azure AD using below microsoft link as reference.
https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
What we did so far?
- Registered company "example.com" in OKTA.
- Created a custom SAML app in OKTA to export the OKTA IDP metadata
- Configured the app SSO settings as above reference link
- Imported OKTA metadata as external IDP in AzureAD
Followed below steps to test IDP Authentication Flow
- Logged in with the existing user in OKTA
- After successful authentication, user is redirected to dashboard page
- Here, when we click on custom app chiclet, instead of getting redirected to Microsoft apps portal, it throws below error -
AADSTS50107: The requested federation realm object 'http://www.okta.com/xxxxxxxxxxxxxxxxxxxx' does not exist.
回答1:
i think direct federation doesn't support idp initiated login, you need to login using tenant context. have you seen that note in the link you pasted ?
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.
来源:https://stackoverflow.com/questions/62956315/idp-initiated-sso-fails-with-okta-as-an-idp-in-azure