IDP启动的SSO失败,OKTA作为Azure中的IDP [英] IDP initiated SSO fails with OKTA as an IDP in Azure
问题描述
我们已将OKTA配置为Azure AD中的IDP.在测试IDP(OKTA)身份验证流时,它将引发错误.
配置的Okta&使用下面的Microsoft链接作为参考的Azure AD.
We have configured OKTA as an IDP in Azure AD. While testing the IDP(OKTA) authentication flow, it throws error.
Configured Okta & Azure AD using below microsoft link as reference.
https://docs.microsoft.com/en-us/azure/active-directory/b2b/direct-federation
- 注册公司"example.com";在OKTA中.
- 在OKTA中创建了一个自定义SAML应用以导出OKTA IDP元数据
- 按照上面的参考链接配置应用SSO设置
- 在AzureAD中将OKTA元数据导入为外部IDP
按照以下步骤测试IDP身份验证流程
- 使用OKTA中的现有用户登录
- 身份验证成功后,用户将重定向到仪表板页面
- 在这里,当我们单击自定义应用程序chiclet时,它没有重定向到Microsoft应用程序门户,而是抛出以下错误-
AADSTS50107:请求的联合王国对象'http://www.okta.com/xxxxxxxxxxxxxxxxxxxxxxx'不存在.
推荐答案
我认为直接联盟不支持IDP发起的登录,因此您需要使用租户上下文进行登录.您在粘贴的链接中看到该笔记了吗?
i think direct federation doesn't support idp initiated login, you need to login using tenant context. have you seen that note in the link you pasted ?
直接联盟来宾用户必须使用包含租户上下文的链接登录(例如, https://myapps.microsoft.com/?tenantid= 或 https://portal.azure.com/,或者对于经过验证的域,为 https://myapps.microsoft.com/\ .onmicrosoft.com).只要包含租户上下文,就可以直接链接到应用程序和资源.当前,直接联盟用户无法使用没有租户上下文的公共端点登录.例如,使用 https://myapps.microsoft.com , https://teams.microsoft.com 将导致错误.
Direct federation guest users must sign in using a link that includes the tenant context (for example, https://myapps.microsoft.com/?tenantid= or https://portal.azure.com/, or in the case of a verified domain, https://myapps.microsoft.com/\.onmicrosoft.com). Direct links to applications and resources also work as long as they include the tenant context. Direct federation users are currently unable to sign in using common endpoints that have no tenant context. For example, using https://myapps.microsoft.com, https://portal.azure.com, or https://teams.microsoft.com will result in an error.
这篇关于IDP启动的SSO失败,OKTA作为Azure中的IDP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
