Dynamics CRM On-Premise SDK Authentication

We followed the directions in the “Configure Okta Single Sign-On (SSO) for Microsoft Dynamics On-Premises” guide, for our Dynamics CRM deployment, and it went more-or-less smoothly (we had the added wrinkle of hosting out CRM on at CloudFlare-secured network, and not the public internet).

The guide states: Note: This guide applies to both Dynamics On-Premises and Dynamics CRM 2016. CRM/Dynamics SDK integration is out of scope for this guide.

…so we are trying to figure out how to connect our custom apps that use the SDK, and used to connect using windows authentication to CRM - especially in cases where the application is a ‘headless’ console app that has logon credentials stored in a config file.

Has anyone done this?

From the MS documentation, it sounds like we need to get a SAML token from Okta - where Okta is acting as a STS, and then pass that token with our calls to the SDK. Would there be a way to contact the Okta app and get the token using a username and password? Am I even on the right track? Can I get such a token from the Okta WS-Fed app and then pass it to CRM, or does CRM need to contact Okta?

I can’t find any documentation or guidance on this anywhere…


I am also encountering this issue. Unfortunately, it may not be possible to successfully authenticate against the CRM web services while using a non-ADFS identity provider. In a typical IFD setup for CRM, the ADFS server will have a 'username" endpoint listening to accept the message sent by the client. I am not sure if there really is any way around this. I would imagine that MS would have to update the CRM SDK to better support third party identity providers like Okta.