Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,914 questions
How to get oid for OKTA with Azure as OIDC external provider
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 99%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Pradeep Mishraji
1
Reputation point
Hi,
Trying to add Azure as an external identity provider in OKTA as IDP provider to have Azure users login into OKTA integrated Applications.
We have tried same with SAML2.0 IDP with objectid as okta username(login) but not able to find the same(objectId-oid) under optional claims as any of IDtoken,AccessToken or SAML token.
Please suggest if I am missing something in the configuration.
When i used oidc debugger to fetch the accesstoken and idtoken though,seeing ""oid": "c35ec35b-c968-499d-bd53-f5283cbd335c"" in Accesstoken.
Suggest how to retrieve this value and use it in OKTA profile mapping to have the OKTA username as objectId using OIDC(same as SAML2.0 IDP setting) and eventually able to use account linking process for single user using both SAML2.0 IDP Azure and OIDC IDP Azure setup.
{count} votes
-
AmanpreetSingh-MSFT 55,556 Reputation points2022-04-19T09:04:17.6+00:00 Hi @Pradeep Mishraji • Thank you for reaching out.
Looking at the Okta OIDC metadata endpointhttps://okta.okta.com/oauth2/default/.well-known/openid-configuration, I don't seeoidlisted as a supported claim but I can see thesubclaim that many IDPs use for the object ID of the subject. So, rather than using 'oid', try to usesub. -
Pradeep Mishraji 1 Reputation point
2022-04-19T09:31:37.113+00:00 Hi Aman,
We already have OKTA username value with say example ''c35ec35b-c968-499d-bd53-f5283cbd335c" through SAML2.0 IDP setup and now we are trying to migrate to OIDC, and username match is needed for account linking process so that one user can be managed by both SAML and OIDC IDP as profile source in OKTA.
in one of Azure doc, it was mentioned that objectid is unique within a tenant and its immutableID so more secure.
let me know if there is any workaround.
Also, I am not seeing sub as a claim in optional claims to get it added under ID/Access/SAML.
Sign in to comment