How to get oid for OKTA with Azure as OIDC external provider

Pradeep Mishraji 1

Hi,

Trying to add Azure as an external identity provider in OKTA as IDP provider to have Azure users login into OKTA integrated Applications.
We have tried same with SAML2.0 IDP with objectid as okta username(login) but not able to find the same(objectId-oid) under optional claims as any of IDtoken,AccessToken or SAML token.

Please suggest if I am missing something in the configuration.

When i used oidc debugger to fetch the accesstoken and idtoken though,seeing ""oid": "c35ec35b-c968-499d-bd53-f5283cbd335c"" in Accesstoken.

Suggest how to retrieve this value and use it in OKTA profile mapping to have the OKTA username as objectId using OIDC(same as SAML2.0 IDP setting) and eventually able to use account linking process for single user using both SAML2.0 IDP Azure and OIDC IDP Azure setup.

AmanpreetSingh-MSFT 56,306 Reputation points

2022-04-19T09:04:17.6+00:00

Hi @Pradeep Mishraji • Thank you for reaching out.
Looking at the Okta OIDC metadata endpoint https://okta.okta.com/oauth2/default/.well-known/openid-configuration, I don't see oid listed as a supported claim but I can see the sub claim that many IDPs use for the object ID of the subject. So, rather than using 'oid', try to use sub.
Pradeep Mishraji 1 Reputation point

2022-04-19T09:31:37.113+00:00

Hi Aman,

We already have OKTA username value with say example ''c35ec35b-c968-499d-bd53-f5283cbd335c" through SAML2.0 IDP setup and now we are trying to migrate to OIDC, and username match is needed for account linking process so that one user can be managed by both SAML and OIDC IDP as profile source in OKTA.

in one of Azure doc, it was mentioned that objectid is unique within a tenant and its immutableID so more secure.

let me know if there is any workaround.

Also, I am not seeing sub as a claim in optional claims to get it added under ID/Access/SAML.