Skip to main content

Simple SSO with an external IdP using Active Directory and Okta

· 4 min read
Jeffrey Aven

This article describes a simple SSO pattern for authenticating and authorizing users from an external AD and to your application without requiring federation.

the Challenge

You need to authenticate external users to use your application, these users belong to an organization using Azure Active Directory with specific login policies (such as password strength and expiry, multi factor authentication, etc). Your requirements (if you choose to accept them) are:

  1. You are required to provide SSO to these users using their home AD tenant and policies
  2. The solution does not include SAML based federation between directories (yours and theirs)
  3. The solution does not require any changes on the external AD tenant (no new AAD applications, client secrets, etc)

the Solution

Using an IDAM/IDaaS platform (such as Okta in this case), along with an AAD application (in your AD tenant in your Azure subscription), you can create a local AD app using this magic property to accomplish all of the above requirements (requiring zero changes on the third-party AD).

Azure AD App Registration

This is what it looks like using the az cli:

the --available-to-other-tenants property is Microsoft's way of allowing you to implicitly trust other AAD/Office 365 tenants, meaning the authentication request is passed to the target AD tenant from your application.

Here is a context diagram which explains the interactions in the context of a Jamstack application (using a library such as Auth.js).

Okta AD SSO Context Diagram

Setup and Configuration

The following flowchart explains the steps involved in setting this up. The highlighted nodes are part of normal application lifecycle operations as users get created and deactivated.

Okta AD SSO Setup Flowchart

Authorisation flow

The authorization flow for a public client (SPA) using PKCE (Proof Key for Code Exchange) is shown here:

Okta AD SSO Authorization Flow

Next up

Code! Stay tuned...