Configure Okta SharePoint People Picker agent

Installing the Okta SharePoint People Picker plugin allows you to fetch users and groups from Okta. The People Picker plugin is a Microsoft Windows executable that you can download from the Downloads page of your Okta Administrator Dashboard.

Before you begin

  • Ensure that you are using a user account that has permissions to modify the SharePoint farm.
  • Ensure you have the SharePoint Management Shell or the SharePoint PowerShell snap-in to run PowerShell commands on your SharePoint Server. Add the required snap-in to an existing PowerShell prompt by entering the following command:

    Add-PSSnapIn Microsoft.Sharepoint.Powershell

Start this procedure

This procedure includes the following tasks:

1. Set configuration values in SharePoint farm

2. Run the appropriate commands

3. Configure search scope values

4. Optional: Filter Active Directory imports

1. Set configuration values in SharePoint farm

You need to set several configuration values in the SharePoint farm to install the Okta People Picker. These values are used to configure People Picker functionality and define the Okta org that you are integrating with this SharePoint environment.

Property                        Value
Okta API Key                    Read-only administrator API key generated during the prerequisite steps
BaseUrl                         Your Okta org domain, for example https://oktaorg.okta.com
OktaClaimProviderDisplayName    Set to Okta by default. Can be set to a different value if you prefer a different display name for the Okta People Picker.
MapUpnToWindowsUser             Configuration flag to enable or disable C2WTS protocol translation
UniqueUserIdentifierClaimType   Defines the unique user identifier claim. The identifier claim type on the Okta trusted token issuer must be unique and immutable, and must match UniqueUserIdentifierClaimType. Set to Email or UserName, depending on what you want to use as the identifier claim.

2. Run the appropriate commands

Replace the variables below with the appropriate values as defined above and enter the following commands.

Tip

Type in the commands rather than copy and paste.

  1. Enter the following commands to update the farm properties.

    $farm = Get-SPFarm
    $farm.Properties["OktaApiKey"] = "OktaAPIKey"
    $farm.Properties["OktaBaseUrl"] = "https://oktaorg.okta.com"
    $farm.Properties["OktaLoginProviderName"] = "Okta"
    $farm.Properties["OktaClaimProviderDisplayName"] = "Okta"

  2. Optional: If you are enabling C2WTS, execute the following command. If not, go to the next step.

    $farm.Properties["MapUpnToWindowsUser"] = $true

  3. To specify UniqueUserIdentifierClaimType, execute one of the following commands.

    $farm.Properties["UniqueUserIdentifierClaimType"] = "Email"

    OR

    $farm.Properties["UniqueUserIdentifierClaimType"] = "UserName"

  4. Enter the following command to save the farm values.

    $farm.Update()
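The four steps above, combined into one PowerShell function as an added example (this is not code from the Okta page or from the People Picker plugin). The function name and parameter names are hypothetical; it assumes the SharePoint snap-in is loaded, the farm property names exactly as listed in the table above, and that the plugin reads MapUpnToWindowsUser as a boolean, so writing $false is equivalent to leaving it unset. The API key is prompted for rather than passed on the command line so that it does not end up in a script file or in the shell history, in the spirit of the tip above.

```powershell
# Added example (not from the Okta page): set the Okta People Picker farm
# properties in one run, validate the inputs, and read the result back.
# Assumes the SharePoint PowerShell snap-in is loaded and the current account
# can modify the farm. Function and parameter names are hypothetical.
function Set-OktaPeoplePickerFarmConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Scheme and host only: no path, no trailing slash.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^https://[^/\s]+$')]
        [string]$BaseUrl,

        [string]$ClaimProviderDisplayName = 'Okta',

        # Must match the identifier claim type on the Okta trusted token issuer.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Email', 'UserName')]
        [string]$UniqueUserIdentifierClaimType,

        # Only set this when C2WTS protocol translation is in use.
        [switch]$MapUpnToWindowsUser
    )

    # Prompt for the key so it is never stored in a script or in command history.
    $apiKey = Read-Host -Prompt 'Okta read-only administrator API key'
    if ([string]::IsNullOrWhiteSpace($apiKey)) {
        throw 'The Okta API key must not be empty.'
    }

    $farm = Get-SPFarm
    if ($PSCmdlet.ShouldProcess($farm.Name, 'Set Okta People Picker farm properties')) {
        $farm.Properties['OktaApiKey']                    = $apiKey
        $farm.Properties['OktaBaseUrl']                   = $BaseUrl
        $farm.Properties['OktaLoginProviderName']         = 'Okta'
        $farm.Properties['OktaClaimProviderDisplayName']  = $ClaimProviderDisplayName
        $farm.Properties['UniqueUserIdentifierClaimType'] = $UniqueUserIdentifierClaimType
        # Assumption: the plugin treats the flag as a boolean, so an explicit $false
        # is the same as not setting it and clears a $true left by an earlier run.
        $farm.Properties['MapUpnToWindowsUser']           = [bool]$MapUpnToWindowsUser
        $farm.Update()
    }

    # Read back from a fresh farm object so the report shows what was persisted.
    # The key itself is never echoed; only whether one is present.
    $check = (Get-SPFarm).Properties
    [pscustomobject]@{
        OktaBaseUrl                   = $check['OktaBaseUrl']
        OktaClaimProviderDisplayName  = $check['OktaClaimProviderDisplayName']
        UniqueUserIdentifierClaimType = $check['UniqueUserIdentifierClaimType']
        MapUpnToWindowsUser           = [bool]$check['MapUpnToWindowsUser']
        OktaApiKeySet                 = -not [string]::IsNullOrEmpty($check['OktaApiKey'])
    }
}

# Usage with example values; add -WhatIf to see what would change without writing it:
# Set-OktaPeoplePickerFarmConfig -BaseUrl 'https://oktaorg.okta.com' -UniqueUserIdentifierClaimType 'Email'
```

Run it from an elevated SharePoint Management Shell. The read-back at the end is the check worth keeping: a typo in a property name is silently accepted by the property bag and only shows up later as a People Picker that returns nothing.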

3. Configure search scope values

You must also set several configuration values in the SharePoint web application for the Okta People Picker to use search scope.

$webApplication = Get-SPWebApplication
$webApplication.Properties["UserSearchScope"] = "OKTA"
$webApplication.Update()

OR

$webApplication = Get-SPWebApplication
$webApplication.Properties["UserSearchScope"] = "APP"
$webApplication.Properties["UserSearchScopeAppId"] = "{AppID}"   # app instance ID in your Okta org
$webApplication.Update()
Important

  • When the App ID is not provided or is invalid, UserSearchScope falls back to using OKTA (org-level search) as the search scope.
  • People Picker does not verify if the App ID specified belongs to an app instance WS-Federated with this SharePoint web application. The verification must be done manually.

When you have multiple web applications in the same farm, check the value of $webApplication before setting the properties, so that you set the values on the web application you intend.

Example: Set UserSearchScope and UserSearchScopeAppId for the second web application in the collection. In the session below the collection of web applications is held in $w, so the target is $w[1].

PS C:\Users\administrator.SP10> $w[1].properties
Name Value
------ ------
UserSearchScope OKTA
UserSearchScopeAppID 0oalx5qLAHqqLVtNv0w4

PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScope"] = "APP"
PS C:\Users\administrator.SP10> $w[1].properties["UserSearchScopeAppID"] = "0oalx5qLAHqqLVtNv0w4"
PS C:\Users\administrator.SP10> $w[1].properties

Name Value
------ ------
UserSearchScope APP
UserSearchScopeAppID 0oalx5qLAHqqLVtNv0w4

PS C:\Users\administrator.SP10> $w[1].update()

4. Optional: Filter Active Directory imports

By default, Okta People Picker shows users imported from Active Directory twice: once as an Okta user and once as an AD-domain user. With Active Directory filtering, you see and manage only the original AD users. You can also specify that certain domains retain the original behavior. Enabling this feature requires setting certain $farm object properties in SharePoint.

If you import from Active Directory, you can take advantage of the People Picker Active Directory filtering option, which allows for filtering AD imports.

To enable this feature, set the following properties:

$farm = Get-SPFarm
$farm.Properties["FilterActiveDirectoryClaims"] = $true
$farm.Properties["AllowedActiveDirectoryDomains"] = "foo.com", "bar.com"
$farm.Update()
Note

Active Directory domain filtering is only available with the OKTA search scope.
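An added example (not code from the Okta page or the plugin) that serves two passages at once: the caveat in section 3 about farms with several web applications, and the note just above that Active Directory domain filtering applies only with the OKTA search scope. It selects the web application by URL instead of by array index, refuses an App ID that is obviously malformed (since an invalid one silently falls back to OKTA scope and is not checked against the WS-Federated app), and warns when the farm has FilterActiveDirectoryClaims enabled while this web application is being switched to the APP scope. Assumptions: the SharePoint snap-in is loaded; the property key is spelled UserSearchScopeAppId as in the section 3 command (the session transcript spells it UserSearchScopeAppID); the App ID shape check (20 characters beginning with 0oa) is inferred from the single example ID on this page; the function names are hypothetical.

```powershell
# Added example (not from the Okta page or the People Picker plugin).
# Assumes the SharePoint PowerShell snap-in is loaded and the current account
# can modify web applications and read the farm. Function names are hypothetical.

# Report the People Picker search scope configured on every web application in the farm.
function Get-OktaPeoplePickerSearchScope {
    Get-SPWebApplication | ForEach-Object {
        [pscustomobject]@{
            Url             = $_.Url
            UserSearchScope = $_.Properties['UserSearchScope']
            AppId           = $_.Properties['UserSearchScopeAppId']
        }
    }
}

# Set the search scope on exactly one web application, selected by URL.
function Set-OktaPeoplePickerSearchScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$WebApplicationUrl,

        [Parameter(Mandatory = $true)]
        [ValidateSet('OKTA', 'APP')]
        [string]$UserSearchScope,

        # Okta app instance ID; required only for the APP scope.
        [string]$AppId
    )

    # Get-SPWebApplication with no -Identity returns every web application in the
    # farm, so pick the target explicitly rather than relying on an array index.
    $webApp = Get-SPWebApplication -Identity $WebApplicationUrl -ErrorAction Stop

    if ($UserSearchScope -eq 'APP') {
        # Shape check only (assumption derived from the example ID on the page:
        # 20 characters starting with "0oa"). The plugin does not verify that the
        # ID belongs to the app WS-Federated with this web application, and an
        # invalid ID silently falls back to OKTA scope, so catch typos before saving.
        if ($AppId -notmatch '^0oa[A-Za-z0-9]{17}$') {
            throw "AppId '$AppId' does not look like an Okta app instance ID."
        }
        $webApp.Properties['UserSearchScope']      = 'APP'
        $webApp.Properties['UserSearchScopeAppId'] = $AppId
    } else {
        $webApp.Properties['UserSearchScope'] = 'OKTA'
        $webApp.Properties.Remove('UserSearchScopeAppId')   # no-op if the key is absent
    }
    $webApp.Update()

    # Active Directory domain filtering is a farm-wide setting that only applies
    # with the OKTA scope; flag the combination so duplicate AD users are expected.
    $farmProps = (Get-SPFarm).Properties
    if ([bool]$farmProps['FilterActiveDirectoryClaims'] -and $UserSearchScope -eq 'APP') {
        Write-Warning "FilterActiveDirectoryClaims is enabled on the farm, but $WebApplicationUrl now uses the APP scope, so AD imports will not be filtered for it."
    }

    # Read back from fresh objects so the report reflects what was persisted.
    Get-OktaPeoplePickerSearchScope | Where-Object { $_.Url -eq $webApp.Url }
}

# Usage with example values:
# Get-OktaPeoplePickerSearchScope
# Set-OktaPeoplePickerSearchScope -WebApplicationUrl 'https://intranet.example.com' -UserSearchScope 'APP' -AppId '0oalx5qLAHqqLVtNv0w4'
```

Run Get-OktaPeoplePickerSearchScope first to see every web application and its current scope, then set the scope on the one you mean by its URL. The warning about FilterActiveDirectoryClaims is advisory only; the change is still saved, since the page does not say the two settings conflict, only that the filter has no effect under the APP scope.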

Next steps

Troubleshooting: Microsoft SharePoint (On-Premises)