Has anyone successfully set up an OIDC or SAML integration from IDP Entra to SP Okta with an AMR recognized by Okta? Can you point me to resources to make it work?

This has been asked before in this forum, but I did not see successful answers. I have an Okta org that is set up as an SP to an Entra IDP. I can successfully SSO from Entra to Okta, using SAML or OIDC. But I want to leverage Okta’s “trust claims from this identity provider.” I want the MFA the user did in Entra to be recognized by Okta. Documentation for this feature seems to be incomplete. A YouTube video from CloudKnowledge shows how to add the AMR attribute (SAML) in Profile Editor, but it is not clear whether “trust claims” works.

So, I’d appreciate any help navigating what I don’t find clear in the documentation.

Thanks.

Hi,

For the AMR claim to work, the IDP is supposed to return the amr claim in the ID token. I suggest checking first whether the tokens returned by Entra include the claim in the ID token. To do that, you can leverage the endpoint - List all tokens from OIDC IdP

Hello,

If using the v2 endpoints Entra will return the amr claim in the access_token. This can be worked around by configuring the Okta OIDC integration to use the v1 endpoints, see knowledge article, Claims Sharing and Entra.

When adding the issuer for the v1 endpoints make sure to include the trailing forward slash / as detailed in the above article.
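The two checks the replies describe (is `amr` actually in the ID token, and does the configured issuer match the token's `iss` including the trailing slash) can be verified offline before touching the Okta configuration. The script below is an added example, not code from either poster or from Okta; the tokens are constructed and unsigned, and the tenant GUID and issuer strings are placeholders.

```python
import base64
import json


def _b64url(obj):
    # base64url without padding, as used in compact JWTs.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_unsigned_jwt(payload):
    # Header + payload + empty signature: enough to inspect claims, never enough to trust them.
    return _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url(payload) + "."


# Constructed samples: a v2-style ID token without amr, and a v1-style ID token with it.
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant GUID
SAMPLE_V2_ID_TOKEN = _make_unsigned_jwt({
    "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "sub": "user-123", "aud": "okta-client-id",
})
SAMPLE_V1_ID_TOKEN = _make_unsigned_jwt({
    "iss": f"https://sts.windows.net/{TENANT}/",
    "sub": "user-123", "aud": "okta-client-id", "amr": ["pwd", "mfa"],
})


def decode_claims(jwt):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Inspection only: the SP (Okta) must still validate the IdP signature before trusting amr."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_amr_readiness(id_token, configured_issuer):
    """Report whether the ID token carries amr (with an mfa method) and whether the
    issuer configured on the Okta side matches the token's iss, trailing slash included."""
    claims = decode_claims(id_token)
    amr = claims.get("amr")
    amr_list = amr if isinstance(amr, list) else []
    return {
        "amr_present": len(amr_list) > 0,
        "mfa_in_amr": "mfa" in amr_list,
        "issuer_matches": claims.get("iss") == configured_issuer,
        "issuer_has_trailing_slash": configured_issuer.endswith("/"),
    }
```

Run it against a real ID token captured from the Okta "List all tokens from OIDC IdP" endpoint to see which of the two replies applies to your org.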