I’m trying to connect Okta to Azure AD using an OpenID Connect IdP, as described in the following Okta tutorial: https://developer.okta.com/docs/guides/add-an-external-idp/azure/create-an-app-at-idp/
When registering the application in Okta, it’s configured to create a new user (JIT) if no match is found.
The matching settings are the default ones:
I follow the exact steps, and tested the integration URL, as described here:
https://developer.okta.com/docs/guides/add-an-external-idp/azure/create-authz-url/
When executing the Authorization URL, the Microsoft login page is presented, where I enter an AD user.
The User is then correctly validated at the Active Directory, and then redirected to Okta, “executing” the URL callback at: <OKTA_DOMAIN>/oauth2/v1/authorize/callback?code=…&state=…&session_state=…
This redirects to the Redirect URL, but with the following error:
“Unable to process the username transform. A required property is missing. Missing field”
On Okta, the Logs seem to indicate that the validation on Active Directory was successful, but it was not possible to create the user, as the Active Directory response did not include the user email:
This seems to be a common situation; there is even a similar problem reported on the Okta support site here: Okta Help Center (Lightning)
Is there anyone that can help? I’ve been on this for a few days without success, even though I’ve followed the exact steps described in the Okta tutorial!
Thanks in advance.
I assume that Azure AD doesn’t have an email attribute, thus it’s not sent, failing the JIT transform.
If I hardcode the email value in the AD<->Okta mappings, it works:
Can anyone help? Unfortunately, although Okta documentation is very good, there is almost no documentation for this …
Anyone?
I don’t have a clue why Azure AD isn’t sending the email information.
Moreover, it seems that only a very few fields are sent:
- First Name
- Last Name
- ExternalId
- Username
Both ExternalId and Username have the same value, something like:
- OuQm-h3mrLMr-Ckt5w1z__6uyYY5awsJ6zSVBQepXc0
Any idea why this is happening?
I also have this problem. Did you ever find a solution?
The account I was using wasn’t “linked” to an Office 365 account.
When using users with Office 365 accounts, the Email property was properly sent, and the user synchronized.
We are still researching why the other accounts don’t have an email property, or whether there is any way to correct it; so far, with no luck.
Hi @VascoOliveira
I also faced the same problem when I was testing it with Azure AD.
When you map attributes in Okta for Azure AD (as per https://help.okta.com/en/prod/Content/Topics/Provisioning/azure/azure-map-attributes.htm), make sure to check that the External URL name does not have a “.” at the end, because if you directly copy and paste it, it will include the “.” in the URL and it will give an error.
Let me know if it worked for you or not.
Hi @VascoOliveira,
I ran into the same issue. When I dug into it, I found that the email was being sent, but not in a way that Okta could map it.
To resolve this specific issue, I had to add a claim within the Azure AD SAML-based Sign-on User Attributes and Claims settings with the following value:
1 Like
I am facing a similar issue. Is there any fix for this?
We found that Okta was unable to use the optional user-info endpoint reported by Azure (https://graph.microsoft.com/oidc/userinfo). When we removed this endpoint from the Identity Provider everything worked as expected.
1 Like
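A small diagnostic helper for the situation discussed in this thread, added here as an example rather than code from any of the posters or from Okta: it decodes the payload of an id_token returned by the IdP and reports whether the `email` claim Okta’s default JIT mapping relies on is present, and which other claim (assumed here to be `preferred_username` or `upn`, depending on tenant configuration) could be mapped to email instead. It inspects claims only and performs no signature, issuer or expiry validation, so run it only on tokens captured from your own test login.

```python
import base64
import json

# Claim Okta's default OIDC IdP mapping needs for JIT user creation; the
# thread shows "Unable to process the username transform" when it is absent.
REQUIRED = ("email",)
# Claims that may carry the address when "email" is missing. Assumption:
# which of these Azure AD emits depends on the tenant and app configuration.
EMAIL_FALLBACKS = ("preferred_username", "upn")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT. Inspection only: the
    signature, issuer and expiry are NOT validated here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def diagnose_jit(claims: dict) -> dict:
    """Report which required claims are missing and which fallback claim
    looks like an e-mail address and could be mapped to email in Okta."""
    missing = [c for c in REQUIRED if not claims.get(c)]
    fallback = next((c for c in EMAIL_FALLBACKS if "@" in str(claims.get(c, ""))), None)
    return {"missing": missing, "email_fallback": fallback, "sub": claims.get("sub")}


# Constructed sample token: payload without "email" but with a UPN-style
# preferred_username, like the accounts described in the thread. The header
# and signature segments are dummies.
_PAYLOAD = {"sub": "OuQm-example", "name": "Jane Doe",
            "preferred_username": "jane@contoso.example"}
SAMPLE_TOKEN = ".".join([
    base64.urlsafe_b64encode(b'{"alg":"RS256"}').decode().rstrip("="),
    base64.urlsafe_b64encode(json.dumps(_PAYLOAD).encode()).decode().rstrip("="),
    "dummysig",
])

if __name__ == "__main__":
    print(diagnose_jit(id_token_claims(SAMPLE_TOKEN)))
```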