Okta IdP with O365 using SAML 2.0

OPSWAT MetaAccess can be integrated with an existing Okta O365 integration to ensure that a device complies with the organization's security policy before it is granted access to O365. This ensures that the device is not only authenticated by the IdP but also checked for risks and vulnerabilities, such as infections or unpatched operating system versions, BEFORE it accesses the organization's cloud services.

To get started with the OPSWAT MetaAccess integration, which enforces a device posture check before a device is granted access to O365 through the Okta Single Sign-On (SSO) service, you set up SSO between Okta and O365 manually using the steps below, even if you already have SSO configured for O365 in Okta. The built-in O365 application does not allow you to modify the Login URL of O365.

  1. Log into the Okta console as an Administrator

  2. Switch to the Admin view and navigate to Applications



  3. Click Add Application


  4. Click the "Create New App" button to create an application manually

  5. Select the SAML 2.0 option and click Create

  6. On step 1, General Settings, fill in the app name and upload a new logo for the app if needed, then click Next

  7. On step 2, Configure SAML, fill in the information below and then click Next

    1. Single sign-on URL: https://login.microsoftonline.com/login.srf

    2. Audience URL (SP Entity ID): urn:federation:MicrosoftOnline

    3. Default RelayState: your organization's URL

    4. Name ID format: Unspecified

    5. Application username: Okta username

    6. In Attribute Statements, add two more attributes, "ImmutableID" and "IDPEmail"


  8. On step 3, Feedback, select the option "I'm an Okta customer adding an internal app" and click Finish


  9. On the Assignments tab, click Assign to assign the users you want to allow access to this application


  10. Follow Microsoft's guidance to install Windows PowerShell for Azure Active Directory.

  11. Follow Okta's guidance to install the Okta Active Directory agent to sync your Active Directory users to Okta.

  12. Test the configuration to make sure that users can log into O365 from the Okta app you just created.

Now you can integrate MetaAccess with your Okta O365 application by following the steps below. You can find more detail on each step at 3.1.1. How to set it up?

Step 1. Enable Access Control on your MetaAccess account

  1. Log into the MetaAccess console

  2. Navigate to Access Control and then Configurations

  3. Check the "Enable access control" box and configure a port for the cross-domain API. Note that you must select a port that no application on the endpoints is already using.

  4. Click SAVE.
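The port chosen in step 3 must be free on the endpoints, since the MetaAccess cross-domain API listens there locally. The following PowerShell function is an added example, not part of the OPSWAT documentation, that checks a candidate port for existing TCP listeners or UDP endpoints on the machine it runs on and reports the owning process if the port is taken. The port number 8085 is an arbitrary placeholder; replace it with the port you intend to configure.

```powershell
# Added example (not OPSWAT's code): verify that a candidate cross-domain API
# port is not already bound on this endpoint. Requires the NetTCPIP module
# (Windows 8 / Server 2012 and later).
function Test-PortFree {
    param([Parameter(Mandatory)] [int] $Port)

    # Any TCP socket in LISTEN state or any UDP endpoint on the port counts as "in use".
    $tcp = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $udp = Get-NetUDPEndpoint   -LocalPort $Port -ErrorAction SilentlyContinue
    $inUse = @($tcp; $udp) | Where-Object { $_ }

    if ($inUse) {
        foreach ($endpoint in $inUse) {
            $proc = Get-Process -Id $endpoint.OwningProcess -ErrorAction SilentlyContinue
            Write-Warning ("Port {0} is already used by PID {1} ({2})" -f `
                $Port, $endpoint.OwningProcess, $proc.ProcessName)
        }
        return $false
    }
    return $true
}

# Placeholder port; substitute the port you plan to enter in MetaAccess.
if (Test-PortFree -Port 8085) {
    Write-Host "Port 8085 is free on this endpoint."
}
```

Run it on a representative endpoint image (or several) before saving the setting, because a port that is free on the administrator's machine may be taken by an agent or local service on managed devices.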


Step 2. Add protected applications with IdP Method

  1. Download the Okta IdP certificate: the next step is importing an Okta X.509 certificate into MetaAccess. This allows MetaAccess to verify users signing in through a trusted IdP, Okta. Each identity provider has a unique X.509 certificate. Download the Okta X.509 certificate by following these steps:

    1. Log into Okta as an Administrator

    2. Switch to Admin mode

    3. Go to the Applications dashboard

    4. Select the O365 application

    5. Go to the Sign On tab and click View Setup Instructions


    6. Click Download certificate to download the Okta certificate


  2. Collect the IdP Login URL: this is the embed link Okta generates for the app so that it can be embedded outside Okta. You can find this URL on the General tab; scroll down to the App Embed Link section


  3. Add the Okta Identity Provider. If you already have Okta IdP settings in your MetaAccess account, go to step 4 to add the O365 application.

    1. Log into the MetaAccess console

    2. Navigate to Access Control and then Configurations

    3. On the Identity Providers tab, click "Add New Identity Provider" to add your IdP

    4. Fill in the required fields for the Identity Provider

      1. IdP Name: an IdP name, for example: Okta

      2. IdP Certificate: upload the Okta certificate you downloaded in Step 2.1


    5. Click Add IDP

    6. Click SAVE

  4. Add the O365 application:

    1. Expand the Okta IdP settings you just added in Step 2.3 above.

    2. Click Add New Application

    3. Enter the required fields

      1. Application: application name, for example: O365

      2. IDP Login URL: the application login URL you collected in Step 2.2

      3. Login URL: https://login.microsoftonline.com/login.srf

      4. Logout URL: https://login.microsoftonline.com/logout.srf

      5. Access Mode: pick the access mode you prefer. See details on the access modes at Step 2. Add protected applications with IdP Method

    4. Click SAVE

  5. After saving your changes successfully, click the Setup Instructions button of the O365 application you just added and copy the URL MetaAccess generated there. This URL replaces the O365 Single sign-on URL in Okta.

Note: you can add the O365 application (step 2.4) at the same time you add the Okta IdP settings.

Step 3. Configure Access Rules

  1. In the MetaAccess console, navigate to Access Control and then Configurations

  2. On the Access Rules tab, click "ADD NEW RULE" to add a new rule for this application, or update an existing access rule to include this application

  3. For a new access rule, specify how you would like to block or allow a device's access to the application

    1. Rule name: a rule name, for example Block non-compliant devices

    2. Action: Block or Allow

    3. Configure the conditions that trigger the action. Details at Step 3. Configure Access Rules

  4. Click ADD RULE


Step 4. Update Applications settings on Identity Provider

  1. Log into Okta as an administrator

  2. Go to the Applications dashboard

  3. Select the O365 application

  4. On the General tab, click Edit on the SAML Settings box

  5. Click Next at the first step

  6. Replace the Single sign-on URL with the MetaAccess URL you got from Step 2.5


  7. Click Next and Finish

Step 5. Configure SSO settings on Office 365

  1. Get the IssuerUri and PassiveLogOnUri from Okta

    1. Log into Okta as an administrator

    2. Go to the Applications dashboard

    3. Select the O365 application

    4. On the Sign On tab, click View Setup Instructions

    5. Note the IssuerUri and PassiveLogOnUri

  2. Click Download OPSWAT certificate to download the self-signed certificate MetaAccess generated for your account


  3. Convert your domain in Office 365 to federated

    1. Log into a computer with Windows PowerShell for Azure Active Directory installed

    2. Start PowerShell, run the Connect-MsolService cmdlet, and enter your administrator credentials for your Office 365 domain when prompted

    3. Run the Set-MsolDomainAuthentication cmdlet:

      C:\Windows\system32>Set-MsolDomainAuthentication `
      -FederationBrandName MetaAccess `
      -DomainName <Your Domain> `
      -Authentication Federated `
      -IssuerUri <IssuerUri in step 5.1> `
      -PassiveLogOnUri <PassiveLogOnUri in step 5.1> `
      -LogOffUri https://login.microsoftonline.com/logout.srf `
      -PreferredAuthenticationProtocol SAMLP `
      -SigningCertificate <OPSWAT Certificate in step 5.2>

      Note: enter the certificate on a single line with no line breaks

    4. Run the following cmdlet to verify the configuration:

      C:\Windows\system32>Get-MsolDomainFederationSettings -DomainName <Your Domain>

      Note: it can take some time for Office 365 to apply the new configuration
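The two manual cmdlets above are easy to get wrong in one place: the -SigningCertificate value must be the bare base64 body of the OPSWAT certificate on one line, and a PEM file pasted with its header and line breaks will be rejected. The following script is an added example, not OPSWAT's or Microsoft's code, that performs Step 5.3 end to end with the MSOnline module: it flattens the downloaded certificate (PEM or binary DER), parses it to confirm it is a valid X.509 certificate, runs Set-MsolDomainAuthentication, and then reads the federation settings back to compare them with the values you supplied. The domain name, certificate path, IssuerUri and PassiveLogOnUri are parameters you fill in from Steps 5.1 and 5.2; no real values are assumed.

```powershell
# Added example (not from the OPSWAT page): federate an Office 365 domain for the
# MetaAccess-fronted Okta SAML flow and verify the result.
# Parameters are placeholders: take IssuerUri and PassiveLogOnUri from Okta's
# View Setup Instructions (Step 5.1) and the certificate from Step 5.2.
param(
    [Parameter(Mandatory)] [string] $DomainName,       # your federated domain, e.g. a placeholder like example.com
    [Parameter(Mandatory)] [string] $IssuerUri,        # IssuerUri from Okta (Step 5.1)
    [Parameter(Mandatory)] [string] $PassiveLogOnUri,  # PassiveLogOnUri from Okta (Step 5.1)
    [Parameter(Mandatory)] [string] $CertificatePath   # OPSWAT certificate file downloaded in Step 5.2
)

# Turn the downloaded certificate into the single-line base64 string that
# Set-MsolDomainAuthentication expects, whether the file is PEM or binary DER.
function Get-SingleLineCertificate {
    param([Parameter(Mandatory)] [string] $Path)

    $raw  = [System.IO.File]::ReadAllBytes($Path)
    $text = [System.Text.Encoding]::ASCII.GetString($raw)

    if ($text -match '-----BEGIN CERTIFICATE-----') {
        # PEM: drop the armor lines and every whitespace character.
        $body = ($text -split "`r?`n") |
            Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' }
        $flat = ($body -join '') -replace '\s', ''
    } else {
        # DER (.cer with binary content): base64-encode the bytes directly.
        $flat = [Convert]::ToBase64String($raw)
    }

    if ([string]::IsNullOrEmpty($flat)) { throw "No certificate data found in $Path" }

    # Sanity check: the string must decode to a parsable X.509 certificate.
    $bytes = [Convert]::FromBase64String($flat)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate $($cert.Subject) expired on $($cert.NotAfter); tokens signed with it will be rejected."
    }
    Write-Host "Signing certificate: $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
    return $flat
}

Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 administrator credentials

$signingCert = Get-SingleLineCertificate -Path $CertificatePath

Set-MsolDomainAuthentication `
    -DomainName $DomainName `
    -FederationBrandName 'MetaAccess' `
    -Authentication Federated `
    -IssuerUri $IssuerUri `
    -PassiveLogOnUri $PassiveLogOnUri `
    -LogOffUri 'https://login.microsoftonline.com/logout.srf' `
    -PreferredAuthenticationProtocol SAMLP `
    -SigningCertificate $signingCert

# Read the settings back (Step 5.4). Office 365 may take a while to apply them,
# so a mismatch right after the call is not necessarily an error.
$settings = Get-MsolDomainFederationSettings -DomainName $DomainName
if ($settings.IssuerUri -ne $IssuerUri -or $settings.PassiveLogOnUri -ne $PassiveLogOnUri) {
    Write-Warning "Federation settings for $DomainName do not yet match; re-run Get-MsolDomainFederationSettings later."
} else {
    Write-Host "Domain $DomainName is federated: issuer $($settings.IssuerUri), passive logon $($settings.PassiveLogOnUri)"
}
```

Keep the thumbprint the script prints: when MetaAccess rotates the self-signed certificate, the value stored in Office 365 must be updated with the same cmdlet, and comparing thumbprints is the quickest way to confirm which certificate the tenant currently trusts.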

Step 6: Test your integration

Follow the guidance at Step 6: Test your integration to verify that the integration works as expected.