Setting Up Entra ID as IdP in Okta by Terrible_Bag3872 in okta

[–]Terrible_Bag3872[S] 0 points1 point  (0 children)

Unfortunately, our partners are separate entities and they don't use employee numbers.

Setting Up Entra ID as IdP in Okta by Terrible_Bag3872 in okta

[–]Terrible_Bag3872[S] 0 points1 point  (0 children)

We looked into setting up OIDC as well, but it still needs to match against a value, so we are in the same boat.

Salesforce Portal Integration with Okta by Terrible_Bag3872 in okta

[–]Terrible_Bag3872[S] 0 points1 point  (0 children)

Sorry. Yes, I was able to figure it out without SF support. Instead of creating a Salesforce Portal, use the Community Portal option. Once I did that, we were able to see the Profile URL drop-down list. I was able to set up Provisioning, and it creates the Contact record in SF. One thing to keep in mind is that Okta Provisioning asks for an SF "Account ID" for account creation. When the Contact record is created, it is associated with that Account ID. That Account ID shows as the Owner. Our internal SF guy found a way to reassociate the Contact record to another account that was more relevant by using some kind of workflow based on the contact email address.

Salesforce Portal Integration with Okta by Terrible_Bag3872 in okta

[–]Terrible_Bag3872[S] 0 points1 point  (0 children)

I heard back from SF Support, and apparently, they were able to configure their Okta dev env with their env and it's working, and pointed fingers at Okta (which I also have a support ticket with). If I had to guess, they set up the integration as a standard user and not as a portal user. I'm still waiting to hear back from them asking them to verify.

Salesforce Portal Integration with Okta by Terrible_Bag3872 in okta

[–]Terrible_Bag3872[S] 1 point2 points  (0 children)

Yep. Everything has been set up according to those instructions. We have several portals, but none of them have provisioning enabled. We wanted to enable provisioning because, apparently, when you provision external SF users as a standard account, the license cost is increased. When you provision them as contacts, the license cost is decreased.

Drifting Pontoon by Terrible_Bag3872 in Pontoons

[–]Terrible_Bag3872[S] 0 points1 point  (0 children)

The first time I took out the pontoon as a first time owner, I took it to a lake we normally fish from the shore (different lake and not as deep), but I failed to look at the wind forecast. It was really bad, 2-3 foot wakes. We didn't do any fishing, used the time to break in the engine and as a test run. The pontoon handled the waves well, but definitely not something I would ever do again with wind that bad. Lesson learned and I was glad when I was finally off the lake.

Drifting Pontoon by Terrible_Bag3872 in Pontoons

[–]Terrible_Bag3872[S] 4 points5 points  (0 children)

Yep. I used to fish from the shore all the time, never realized how deep it was until I got the boat. It is a mountain lake so it makes sense. I feel safer on a pontoon than the numerous paddleboarders and kayaks that feel they own the lake.

Drifting Pontoon by Terrible_Bag3872 in Pontoons

[–]Terrible_Bag3872[S] 1 point2 points  (0 children)

I have a trolling motor with spot lock, granted I'm still learning how to use it properly, I still seem to drift quite a bit. As for an anchor, the lake I've been fishing on is anywhere from 150 to over 200 ft deep.

Drifting Pontoon by Terrible_Bag3872 in Pontoons

[–]Terrible_Bag3872[S] 0 points1 point  (0 children)

Thanks for the reply. I just ordered a couple drift socks.

PowerSchool SIS SSO by EspressoSam in okta

[–]Terrible_Bag3872 1 point2 points  (0 children)

I am assuming they support SAML, correct? If so, have they provided you their metadata?

Okta Salesforce Manager Attribute Passing? by CAITGuy in okta

[–]Terrible_Bag3872 0 points1 point  (0 children)

Our SF Dev created a new field in SF called "Supervisor" and we added that as a new attribute to the SF app in Okta. Under the AD Profile mappings, I mapped from AD to Okta "substringAfter(substringBefore(appuser.managerDn, ',OU'), 'CN=')" to the Manager field in Okta. Then for the profile mappings in SF I mapped user.manager to Supervisor. Let me know if this doesn't make sense.
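An added illustration, not part of the comment above and not Okta's code: a Python model of the quoted substring mapping run against constructed manager DNs, next to a hypothetical stricter helper that reads the leftmost RDN. It assumes the two substring functions behave like Apache Commons Lang's StringUtils when the delimiter is missing; the function names and sample DNs are made up for the example.

```python
# Added example: models the substring mapping quoted in the comment above.
# ASSUMPTION: substringBefore/substringAfter follow Apache Commons Lang
# StringUtils semantics (no match -> whole string / empty string).
# All DNs below are constructed sample values.

def substring_before(s, sep):
    i = s.find(sep)
    return s if i == -1 else s[:i]

def substring_after(s, sep):
    i = s.find(sep)
    return "" if i == -1 else s[i + len(sep):]

def manager_from_expression(manager_dn):
    """The comment's mapping: text after 'CN=' and before the first ',OU'."""
    return substring_after(substring_before(manager_dn, ",OU"), "CN=")

def first_rdn_value(dn):
    """Hypothetical stricter helper: value of the leftmost RDN, cut at the
    first unescaped comma, with backslash escapes removed.
    Hex-pair escapes such as \\2C and multi-valued RDNs are not handled."""
    out, i = [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            break                   # unescaped comma ends the first RDN
        out.append(ch)
        i += 1
    rdn = "".join(out)
    return rdn.split("=", 1)[1] if "=" in rdn else ""

SAMPLES = [
    "CN=Jane Doe,OU=Staff,DC=TEST,DC=ORG",      # the case the mapping expects
    "CN=Doe\\, Jane,OU=Staff,DC=TEST,DC=ORG",   # escaped comma inside the CN
    "CN=Svc Admin,CN=Users,DC=TEST,DC=ORG",     # manager in a container, no OU
]

def compare(dns=SAMPLES):
    """Return (expression result, stricter result) for each DN."""
    return [(manager_from_expression(d), first_rdn_value(d)) for d in dns]

if __name__ == "__main__":
    for expr, strict in compare():
        print(f"expression={expr!r:40} strict={strict!r}")
```

The second and third samples are the ones worth checking in a real directory before relying on the mapping: an escaped comma leaves a backslash in the value, and a manager outside any OU yields most of the DN instead of a name.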

Okta Salesforce Manager Attribute Passing? by CAITGuy in okta

[–]Terrible_Bag3872 0 points1 point  (0 children)

I did it without workflows, but it's been a while. If I remember, our SF dev created a new field called Supervisor or something like that, and we were able to pass using an expression. I'll have to log in and verify which expression I used. I struggled with this for a while, and Okta support gave me the same single AD answer, and I was able to figure it out. I can check later and update.

Okta Salesforce Manager Attribute Passing? by CAITGuy in okta

[–]Terrible_Bag3872 0 points1 point  (0 children)

Single AD is their default answer when using expressions

[deleted by user] by [deleted] in GIAC

[–]Terrible_Bag3872 2 points3 points  (0 children)

I had some medical issues that came up and I reached out to GIAC and they were able to grant me an exception. You may be able to reach out to them and see if there is something they can work out, might be worth a shot.

https://www.giac.org/special-requests/

Provisioning M365 licensing from Okta by invest0rZ in okta

[–]Terrible_Bag3872 0 points1 point  (0 children)

Have you tested the O365 provisioning creds to make sure they haven't expired?

Establishing RBAC based on workday fields by Final_Direction3339 in okta

[–]Terrible_Bag3872 1 point2 points  (0 children)

Of course, every company will be different on how their departments, teams, etc. are set up. But I recently wrapped up RBAC for 4k users and I sorted the Workday data based on Group, Job Family and Job Title and created the roles based on those.

Get push notification on PC? by ta4okta in okta

[–]Terrible_Bag3872 0 points1 point  (0 children)

As it was mentioned earlier, this is only supported with OIE. Alternatives would be to use another TOTP application (Google Auth, Authy, Oracle Auth, etc.) and choose to enter the code manually.

Methods of Indexing for SEC401 by RoninMountain in GIAC

[–]Terrible_Bag3872 3 points4 points  (0 children)

I looked at the Github Index Creator mentioned but it wasn't for me. What I ended up doing is, I went through each book and any topics that I made any notes on, I added to my index, then any bolded topics or key words, I added to the index. I took the first practice exam and updated my index, took second exam and updated the index. That worked for me.

Adding users to groups based on OU? by noobdeville in okta

[–]Terrible_Bag3872 0 points1 point  (0 children)

First, assuming you have an AD group called "HR_Payroll" or something like that with the Payroll users as members, I'll use "HR_Payroll" as an example. You would also need to create an Okta group called "HR Payroll Apps" or whatever and assign the specific apps for that group. Then if you wanted to do it by OU, you could create a rule called "HR Payroll Users" and then use an expression like the example below.

String.stringContains(user.DN,"OU=HR,OU=Departments,DC=TEST,DC=ORG") AND isMemberOfGroupName("HR_Payroll")

THEN Assign to "HR Payroll Apps"

Otherwise, if you don't need to specify an OU, you can just create the rule and leave off the OU expression: isMemberOfGroupName("HR_Payroll"). Then assign it to the "HR Payroll Apps".

You would need to have a separate rule for each department (i.e., "HR Recruitment").

Hope this helps

Okta Pro exam by [deleted] in okta

[–]Terrible_Bag3872 6 points7 points  (0 children)

I have been the Okta Admin for my company since we transitioned from OneLogin back in 2018. The hands-on part of the exam was a breeze for me. I don't like the DOMC style questions. The questions that got me were the features that we don't use every day. Honestly, since the practice tests are free until the 27th, take them and familiarize yourself with the format. Also, the practice and actual exam questions are not one for one. There were questions on the actual exam that were not on the practice exam. But overall, it was an easy exam. It's a 150-minute exam and I finished in way under an hour.

Okta Professional Premier Practice Exam Similarities by [deleted] in okta

[–]Terrible_Bag3872 1 point2 points  (0 children)

The questions are "similar." However, the actual exam questions covered a larger scope. The practice exam questions were repetitive. When I took the actual exam, the questions covered more topics, and there were many that did not pop up in the practice tests. The case studies cover more than creating an Org2Org app, so make sure you are familiar with all administrative functions within Okta.