This article describes how K2 Cloud customers can use Microsoft Azure Active Directory (AAD) when AAD is federated to Okta for authentication. In this scenario, an identity must exist in AAD for every user who is expected to use K2 Cloud sites and services, including K2 Management, K2 Designer, K2 Workspace, and the K2 mobile apps.
Microsoft Azure AD (AAD) is the sole Identity Provider (IdP) for K2 Cloud: users are presented to K2 for authorization only after they have completed AAD's authentication pipeline. In some circumstances you may want AAD to delegate the final authentication of a user to a system outside AAD, in this case Okta, so that Okta is where the user's credentials are actually validated. Users in an environment configured for this type of federated authentication follow this authentication flow:
Use the following diagram to understand how the technologies and services described in this article work together. (Image adapted from Microsoft's "Hybrid Identity Required Ports and Protocols".)
K2 does not warrant, or provide troubleshooting support for, the federation between AAD and Okta. The steps below give a high-level overview of how a reference deployment was configured; they are not a definitive guide to configuring federation between AAD and Okta in every situation. Refer to the links at the end of this article for additional resources from Microsoft and Okta.
The scenario assumes you have the following pre-requisites in place before starting:
By configuring Okta as a federated authentication provider, you can use Okta-managed accounts, synchronized from an on-premises Active Directory, to access K2 Cloud while AAD remains the IdP that K2 trusts.
Use this step to sync your Active Directory users to Okta using the Okta agent.
Use this step to add the Microsoft Office 365 application to Okta.
To start the sync immediately, click the Directories menu, then Directory Integrations, and click Import Now.
Use this step to configure which users are allowed to sign in to Azure AD, and therefore to K2 Cloud, through Okta.
Once federation is in place, you can log in to a K2 site using your Okta credentials.
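Before testing a K2 login, it is worth confirming from the outside that Azure AD really does hand the domain to Okta, and only to Okta. The script below is an added example and is not code from K2, Okta or Microsoft. It reads the JSON that Azure AD's public `GetUserRealm.srf` endpoint returns for a UPN and checks two things: that the domain's `NameSpaceType` is `Federated` (otherwise AAD authenticates the user itself and Okta is never involved), and that the `AuthURL` AAD will redirect to is an https URL on the Okta org you expect. A federated domain whose `AuthURL` points anywhere else is either misconfigured or has had its federation settings changed, and should be investigated before users are sent through it. The three sample responses are constructed; the domain, Okta host and app path in them are placeholders, and `fetch_realm` is provided for running the same check against the live endpoint.

```python
"""Verify that an Azure AD domain is federated, and federated to the expected Okta org.

Added example, not part of the K2, Okta or Microsoft documentation. The
https://login.microsoftonline.com/GetUserRealm.srf endpoint is real; the
sample responses below are constructed, and the Okta host and app path in
them are placeholders.
"""
import json
import urllib.request
from urllib.parse import urlencode, urlsplit

# Constructed sample responses shaped like the GetUserRealm.srf JSON.
# Field names follow the live endpoint; every value is made up.
FEDERATED_TO_OKTA = json.dumps({
    "Login": "alice@contoso.example",
    "NameSpaceType": "Federated",
    "DomainName": "contoso.example",
    "FederationBrandName": "Contoso Okta",
    # Placeholder Okta WS-Federation passive endpoint (assumed shape).
    "AuthURL": "https://contoso.okta.com/app/office365/0oaEXAMPLE/sso/wsfed/passive"
               "?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline",
    "CloudInstanceName": "microsoftonline.com",
})
MANAGED_DOMAIN = json.dumps({
    "Login": "bob@contoso.example",
    "NameSpaceType": "Managed",
    "DomainName": "contoso.example",
    "CloudInstanceName": "microsoftonline.com",
})
FEDERATED_ELSEWHERE = json.dumps({
    "Login": "carol@contoso.example",
    "NameSpaceType": "Federated",
    "DomainName": "contoso.example",
    "FederationBrandName": "Contoso",
    "AuthURL": "http://sts.unexpected.example/adfs/ls/?wa=wsignin1.0",
    "CloudInstanceName": "microsoftonline.com",
})


def check_federation(realm_json: str, expected_idp_host: str) -> dict:
    """Return a verdict for one GetUserRealm response.

    federated   -> Azure AD redirects sign-in for this domain to an external IdP
    idp_host    -> the host Azure AD redirects to (None if not federated)
    trusted_idp -> that host is the expected Okta org, reached over https
    issues      -> human-readable reasons when a check fails
    """
    realm = json.loads(realm_json)
    verdict = {
        "domain": realm.get("DomainName"),
        "federated": realm.get("NameSpaceType") == "Federated",
        "idp_host": None,
        "trusted_idp": False,
        "issues": [],
    }
    if not verdict["federated"]:
        verdict["issues"].append(
            f"NameSpaceType is {realm.get('NameSpaceType', 'unknown')!r}: "
            "Azure AD authenticates this domain itself, Okta is not involved")
        return verdict

    parts = urlsplit(realm.get("AuthURL", ""))
    host = (parts.hostname or "").lower()
    verdict["idp_host"] = host or None
    scheme = parts.scheme or "missing"
    if scheme != "https":
        verdict["issues"].append(f"AuthURL scheme is {scheme!r}, expected https")
    if host != expected_idp_host.lower():
        verdict["issues"].append(
            f"AuthURL host {host!r} is not the expected Okta org {expected_idp_host!r}")
    verdict["trusted_idp"] = not verdict["issues"]
    return verdict


def fetch_realm(upn: str, timeout: float = 10.0) -> str:
    """Fetch the live GetUserRealm JSON for a UPN (needs network access;
    the offline samples above do not use it)."""
    url = "https://login.microsoftonline.com/GetUserRealm.srf?" + urlencode({"login": upn})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for sample in (FEDERATED_TO_OKTA, MANAGED_DOMAIN, FEDERATED_ELSEWHERE):
        print(check_federation(sample, "contoso.okta.com"))
```

Run it against a real tenant with `check_federation(fetch_realm("user@yourdomain"), "yourorg.okta.com")` once the Office 365 application in Okta has been set up; a `Managed` result means the domain was never federated, and a federated result with a host other than your Okta org means users are being redirected to an IdP you did not intend.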