How to integrate Okta as IDP using SAML with Azure AD B2C?

Question

I have my Azure AD B2C tenant, where I have an application that is connected with my AD using OpenIdConnect.

I've been reading the MS documentation on how to add one IDP that can communicate with my Azure AD B2C tenant trough SAML, for that I've been using Okta for testing so

1. A user can login into its okta account
2. Using okta's dashboard user can click on my application (the one setup in my Azure tenant)

but internally what I need to happen is:

1. Okta sends a SAML package to my Azure AD B2C tenant (SAML Idp inititated)
2. My Azure AD B2C can read the content and gets the user identifier (email)
3. Email gotten from the SAML package is read by my Azure AD B2C and checks if that exists already in my users already registered, if so, then user is authorized to login
4. After Azure AD B2C confirms users is good to continue, then it redirects the user to my application using OpenIdConnect (this integration I'd say is already in place)

But there is where I'm having some difficulties trying to add okta as an IdentityProvider within my Azure AD B2C, as source of truth, I did tried using the direct federation, it didn't work, so continued trying to accomplish it using custom policies but I can't still get my mind around how it works. Found this repo with samples, while in my research found this link where basically mentions like I cannot do that:

I'm very very new with this, so trying to get any kind of assistance. Any ideas if that's possible or how can I integrate it using SAML? The samples found are mainly using OpenIdConnect and most of them if the user does not exists then it signs them up, and that's not what I want either. Any help?

Answer 1

Azure AD is not Azure AD B2C. Two separate services, different purposes, different features.

Adding a SAML IdP in AAD B2C has an end to end walkthrough here:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy

There are worked examples for some SAML IdP https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-salesforce-saml?tabs=windows&pivots=b2c-custom-policy

Then to connect a SAML App with AAD B2C https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

AAD B2C doesnt support IdP initiated sign in to a SAML App if the IdP is a federated IdP (in your case that’s okta), it’s only supported if the IdP is AAD B2C (Local Accounts).

You can’t do an IdP initiated login and then have AAD B2C issue a OIDC response to an app. You should just federate to Okta using OIDC. It’s a lot simpler and achieves the same UX.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#supported-and-unsupported-saml-modalities

You could point the Okta dashboard tiles to the SP initiated login endpoint of your app instead.

Now AAD could be used too, you could federate using SAML to Okta. https://help.okta.com/en/prod/Content/Topics/Apps/Office365-Deployment/configure-sso.htm

This approach would allow sign in to your line of business apps with Okta identities. But there won’t be any sign up experience. It’s more suited for employees to access your apps. Sign up type experience will need AAD B2C.