Okta as OIDC based external identity provider in Microsoft Entra External ID: provider not appearing on login screen

Question

Okta as OIDC based external identity provider in Microsoft Entra External ID: provider not appearing on login screen

Anuj Sharma 20

Environment / context

Microsoft Entra External ID (External ID) as the CIAM provider for our tenant
Okta configured as an OpenID Connect (OIDC) external identity provider in the External ID tenant
Created an External ID user flow and added Okta as a custom OIDC IdP
Next.js app using NextAuth v4 as the client

What I configured

Okta side:

Created an OIDC Web Application in Okta Admin Console
Grant type: Authorization Code
Added the following redirect/callback URLs to the Okta app:


https://<mytenant>.ciamlogin.com/<tenantId>/federation/oauth2

https://<mytenant>.ciamlogin.com/<mytenant>.onmicrosoft.com/federation/oauth2

https://<mytenant>.ciamlogin.com/<tenantId>/oauth2/v2.0/authresp

https://<mytenant>.ciamlogin.com/<mytenant>.onmicrosoft.com/oauth2/authresp

Entra External ID side:

External Identities → All identity providers → New OpenID Connect provider
Filled in:
- Metadata URL: https://<okta-domain>.okta.com/oauth2/default/.well-known/openid-configuration
- Client ID: Okta app client ID
- Client Secret: Okta app client secret
- Scope: openid profile email
- Response type: code
- Response mode: form_post
User flow type: Sign up and sign in
Added the Okta OIDC provider to the user flow under Identity providers

Expected result

Okta should appear as a sign-in option on the External ID hosted login screen, the same way Google and Entra ID do when configured as OIDC providers.

Actual result

The Okta OIDC provider does not appear on the login screen presented by the External ID user flow, despite being configured under All identity providers and added to the user flow.

Notably, the following combinations are working in the same tenant and user flow:

✅ Google as OIDC external IdP — appears and works correctly
✅ Microsoft Entra ID as OIDC external IdP — appears and works correctly
✅ Okta as SAML-based external IdP — appears and works correctly
❌ Okta as OIDC-based external IdP — does not appear on login screen

This tells me the issue is not with the user flow itself, not with OIDC federation in general, and not with Okta as an IdP in general — it is specific to Okta running over the OIDC path inside External ID.

What I've already tried

Verified Okta app has Authorization Code grant type and a valid client secret
Added all four redirect URL variants (both tenant ID GUID and onmicrosoft.com domain formats) to the Okta app registration
Re-checked metadata URL, client ID, and client secret in the External ID OIDC provider config
Confirmed the user flow type is Sign up and sign in (not a legacy B2C flow)
Verified response_modes_supported in Okta's discovery document includes form_post ✅
Verified Okta's discovery document returns email in claims_supported ✅
Tried both Okta custom auth server (/oauth2/default) and org-level issuer — neither makes the provider appear
Compared Okta's OIDC discovery document against Google's and Entra's — no obvious disqualifying differences found
Reviewed Microsoft docs on custom OIDC IdPs in External ID — configuration matches documented steps
Confirmed the Okta SAML IdP works in the same user flow — so the problem is isolated to Okta + OIDC specifically

Questions

Why does the Okta OIDC provider not appear on the External ID login screen despite being configured correctly and added to the user flow?
Is there a known incompatibility between Microsoft Entra External ID's custom OIDC federation and Okta specifically — given that Google and Entra work as OIDC IdPs and Okta itself works as a SAML IdP in the same flow?
Is there something in Okta's OIDC discovery document or token response format that External ID silently rejects, causing the provider to be hidden rather than throwing an explicit error?
Are the redirect/callback URLs above the correct format for Okta → External ID OIDC federation?

Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-05-04T01:35:32.1766667+00:00
Hello Anuj Sharma

This behavior is a known limitation/validation failure scenario in Microsoft Entra External ID when using custom OIDC identity providers like Okta.

The reason it doesn't show up on the login screen is because an OIDC provider that doesn't fully satisfy the internal validation requirements of External ID is discreetly concealed from the user flow UI rather than explicitly reporting an error.

In this case, the problem is exclusive to Okta OIDC metadata/claims compatibility because Google and Entra ID OIDC providers function as well as Okta SAML. External ID requires tight compliance in the discovery document, token response, and claims mapping, as well as some required qualities (particularly a stable unique identifier like sub). The provider is not allowed to render in the user flow if these are absent, inconsistent, or incorrectly mapped (e.g., email not tagged as required/verified or topic identification not useable).

The issue occurred due to:

Sub (topic) claims that are absent or useless as unique identifiers

Email claim not returned or not tagged as validated Okta authorization server incompatibility (differences in behavior between custom and org servers)

Tokens and claims that do not match the required External ID schema

Make sure Okta is set up to completely adhere to OIDC requirements:

Only use the Authorization Code flow.

Make sure the ID token has the following: email, email_verified, and sub.

Set up Okta claims so that each user's sub is stable and distinct.

The default authorization server (/oauth2/default) is preferred.

Check scopes and return necessary claims (openid profile email).

Let me know if any further queries - feel free to reach out!
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-05-05T10:09:49.78+00:00

Hello Anuj Sharma

Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Anuj Sharma 20 Reputation points

2026-05-07T02:29:20.6933333+00:00

Thank you Rukmini for your reply and follow up, I will try the suggested mappings and confirm the outcome shorlty.
Anuj Sharma 20 Reputation points

2026-05-07T07:29:39.6533333+00:00
Hi Rukmini,

I have validated the suggested configurations but still the Okta OIDC based external IDP is not showing up on the entraID exnternalID login page. Please see the details and screenshots below:

I am using the default authorisation server. Please see the well-known url from my configuration https://integrator-8816652.okta.com/oauth2/default/.well-known/oauth-authorization-server

Sub (topic) claims that are absent or useless as unique identifiers - Confirmed

Email claim not returned or not tagged as validated Okta authorization server incompatibility (differences in behavior between custom and org servers) - Confirmed

Tokens and claims that do not match the required External ID schema - How?

Make sure Okta is set up to completely adhere to OIDC requirements:

Only use the Authorization Code flow. - Confirmed

Make sure the ID token has the following: email, email_verified, and sub. - Confirmed

Set up Okta claims so that each user's sub is stable and distinct. - Yes

The default authorization server (/oauth2/default) is preferred. - Confirmed

Check scopes and return necessary claims (openid profile email). - Confirmed

Sub (topic) claims that are absent or useless as unique identifiers - NA

Email claim not returned or not tagged as validated Okta authorization server incompatibility (differences in behavior between custom and org servers - Using org server

Tokens and claims that do not match the required External ID schema - Please explain

Make sure Okta is set up to completely adhere to OIDC requirements:

Only use the Authorization Code flow - Yes

Make sure the ID token has the following: email, email_verified, and sub - Confirmed

Set up Okta claims so that each user's sub is stable and distinct. - Yes

The default authorization server (/oauth2/default) is preferred. - Confirmed.

Check scopes and return necessary claims (openid profile email). - Confirmed

Reference: https://developer.okta.com/docs/concepts/oauth-claims/#claims-in-access-tokens

Have you been able to integrate exnternalID external IDP with Okta using OIDC?

How can we progress from here?

Thanks.

Anuj

Anuj Sharma 20

[
    {
        "id": "ocl12424y52lmkgMz698",
        "name": "address",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "address"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y52lmkgMz698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y60wLGugQ698",
        "name": "zoneinfo",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y60wLGugQ698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5yB5POe9698",
        "name": "website",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5yB5POe9698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5w0FG8CB698",
        "name": "updated_at",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5w0FG8CB698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5uy3TcgX698",
        "name": "profile",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5uy3TcgX698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5sgI6nd5698",
        "name": "preferred_username",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": true,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5sgI6nd5698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5qGo5FcZ698",
        "name": "picture",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5qGo5FcZ698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5ojML5Oq698",
        "name": "phone_number",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "phone"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5ojML5Oq698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5moXtain698",
        "name": "nickname",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5moXtain698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5kVd9MCH698",
        "name": "name",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": true,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5kVd9MCH698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5iAWtznf698",
        "name": "middle_name",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5iAWtznf698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5goieKMh698",
        "name": "locale",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5goieKMh698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5e6Vd9vb698",
        "name": "given_name",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5e6Vd9vb698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5cf7vzb6698",
        "name": "gender",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5cf7vzb6698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y5afjF9jd698",
        "name": "family_name",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y5afjF9jd698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y58gNVnVY698",
        "name": "email_verified",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "email"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y58gNVnVY698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y56TpMHNi698",
        "name": "email",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "email"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": true,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y56TpMHNi698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y54uwttfL698",
        "name": "birthdate",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "SYSTEM",
        "conditions": {
            "scopes": [
                "profile"
            ]
        },
        "system": true,
        "alwaysIncludeInToken": false,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y54uwttfL698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12424y50YtwKOw698",
        "name": "sub",
        "status": "ACTIVE",
        "claimType": "RESOURCE",
        "valueType": "EXPRESSION",
        "value": "(appuser != null) ? appuser.userName : app.clientId",
        "conditions": {
            "scopes": []
        },
        "system": true,
        "alwaysIncludeInToken": true,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12424y50YtwKOw698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    },
    {
        "id": "ocl12qtx9wtcOkuPI698",
        "name": "email_",
        "status": "ACTIVE",
        "claimType": "IDENTITY",
        "valueType": "EXPRESSION",
        "value": "user.email",
        "conditions": {
            "scopes": []
        },
        "system": false,
        "alwaysIncludeInToken": true,
        "_links": {
            "self": {
                "href": "https://integrator-8816652.okta.com/api/v1/authorizationServers/default/claims/ocl12qtx9wtcOkuPI698",
                "hints": {
                    "allow": [
                        "GET",
                        "PUT",
                        "DELETE"
                    ]
                }
            }
        }
    }
]

Answer accepted by question author

0 additional answers

Your answer

Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-05-04T01:35:32.1766667+00:00

Hello Anuj Sharma

This behavior is a known limitation/validation failure scenario in Microsoft Entra External ID when using custom OIDC identity providers like Okta.

The reason it doesn't show up on the login screen is because an OIDC provider that doesn't fully satisfy the internal validation requirements of External ID is discreetly concealed from the user flow UI rather than explicitly reporting an error.

In this case, the problem is exclusive to Okta OIDC metadata/claims compatibility because Google and Entra ID OIDC providers function as well as Okta SAML. External ID requires tight compliance in the discovery document, token response, and claims mapping, as well as some required qualities (particularly a stable unique identifier like sub). The provider is not allowed to render in the user flow if these are absent, inconsistent, or incorrectly mapped (e.g., email not tagged as required/verified or topic identification not useable).

The issue occurred due to:

Sub (topic) claims that are absent or useless as unique identifiers

Email claim not returned or not tagged as validated Okta authorization server incompatibility (differences in behavior between custom and org servers)

Tokens and claims that do not match the required External ID schema

Make sure Okta is set up to completely adhere to OIDC requirements:

Only use the Authorization Code flow.

Make sure the ID token has the following: email, email_verified, and sub.

Set up Okta claims so that each user's sub is stable and distinct.

The default authorization server (/oauth2/default) is preferred.

Check scopes and return necessary claims (openid profile email).

Let me know if any further queries - feel free to reach out!
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-05-05T10:09:49.78+00:00

Hello Anuj Sharma

Following up to see if the above provided information was helpful. If you have any further queries do let us know.
Anuj Sharma 20 Reputation points

2026-05-07T02:29:20.6933333+00:00

Thank you Rukmini for your reply and follow up, I will try the suggested mappings and confirm the outcome shorlty.

Answer 1

Rukmini 40,135 Microsoft External Staff Moderator

Hello Anuj Sharma

The problem seems to be with how Microsoft Entra External ID verifies the subclaim for custom OIDC providers before displaying them on the sign-in page, according to a check of the Okta claims setup. Your Okta subclaim is now set up as follows: (appuser != null)? appuser.userName: app.clientId appuser.Since userName is regarded as volatile, it might not meet External ID requirements for a stable, immutable unique identity.

Instead of displaying a clear error when this validation fails, External ID quietly conceals the OIDC provider.

Please check the below:

Set up the subclaim to utilize an unchangeable identification, like: user.id
Make sure the ID token includes: subemail email_verified
Make use of the common metadata endpoint: The URL is https://integrator-8816652.okta.com/oauth2/default/.renowned/openid-configuration
Save the OIDC provider again, remove or re-add it to the user flow, and give the metadata refresh ten to fifteen minutes.

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Anuj Sharma 20 Reputation points

2026-05-12T04:42:45.3+00:00

Thank you Rukmini - The login option is showing up now. Appreciate your help!

I will continue with the configuration and reach out if I face any more issues.

Regards,

Anuj
Rukmini 40,135 Reputation points Microsoft External Staff Moderator

2026-05-12T09:26:56.25+00:00

Hello Anuj Sharma

If the resolution was helpful, kindly take a moment to click on and click on Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

Okta as OIDC based external identity provider in Microsoft Entra External ID: provider not appearing on login screen

0 additional answers

Your answer