Sharing Application Key Credentials
https://support.okta.com/help/oktaarticledetailpage?childcateg=&id=ka02a000000u8essa0&source=documentation&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fdocumentation%2fknowledge_article%2fsharing-application-key-credentials
Published: Sep 21, 2016   -   Updated: Jun 22, 2018
This is an Early Access (EA) feature. Contact Okta Support to enable it.

Overview

This feature enables sharing the same signing key among several app instances within an org.

When configuring multiple instances of the same app, it might be desirable to have all of these app instances accept a single identity provider. In that case, the assertions issued to the two app instances must be signed by the same key, which is made possible by sharing that key between the two instances.

Using Shared Keys

Once the feature is enabled, there are no procedural changes needed to use it.

Any of the key credentials for an app instance can be shared with another app instance. To include the same key in both app instances' key stores, clone the key from the source app instance using the Clone Key Credential for Application API, then point the target app instance at the cloned key using the Update Key Credential for Application API.

Key Identifiers

A key identifier (kid) is an opaque identifier for the signing key, defined in RFC 7517, section 4.5 (https://tools.ietf.org/html/rfc7517#section-4.5). By comparing the kid that each app instance's signing configuration points to, you can determine whether a key is shared across app instances.
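The clone-then-update procedure from the Using Shared Keys section, followed by the kid comparison described above, as an added example that is not Okta's own code. It assumes the Okta Apps API endpoints `POST /api/v1/apps/{appId}/credentials/keys/{kid}/clone?targetAid={targetAppId}` and `PUT /api/v1/apps/{appId}` (with `credentials.signing.kid`), an SSWS API token allowed to manage both app instances, and an injectable `send` transport so the logic can be exercised against constructed responses.

```python
"""Share one signing key between two Okta app instances and verify the share."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional


def _http(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    # Real transport: one authenticated JSON request to the Okta API.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"SSWS {token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def share_signing_key(org: str, token: str, source_app: str, kid: str,
                      target_app: str, send: Callable = _http) -> str:
    """Clone `kid` from source_app into target_app's key store, then make it
    target_app's active signing key. Returns the kid target_app now signs with."""
    base = f"{org}/api/v1/apps"
    # Step 1 (assumed endpoint): clone the key credential into the target app.
    cloned = send("POST", f"{base}/{source_app}/credentials/keys/{kid}/clone"
                  f"?targetAid={target_app}", token)
    # Step 2: cloning only adds the key to the store; the target app must still be
    # updated to sign with it. Minimal PUT body shape is an assumption.
    target = send("GET", f"{base}/{target_app}", token)
    body = {
        "name": target["name"],
        "label": target["label"],
        "signOnMode": target["signOnMode"],
        "credentials": {"signing": {"kid": cloned["kid"]}},
    }
    updated = send("PUT", f"{base}/{target_app}", token, body)
    return updated["credentials"]["signing"]["kid"]


def shared_kids(apps: List[dict]) -> Dict[str, List[str]]:
    """Map each signing kid to the app ids pointing at it and keep only kids used
    by more than one app: the shared-key check from the Key Identifiers section."""
    by_kid: Dict[str, List[str]] = {}
    for app in apps:
        kid = app.get("credentials", {}).get("signing", {}).get("kid")
        if kid:
            by_kid.setdefault(kid, []).append(app["id"])
    return {k: v for k, v in by_kid.items() if len(v) > 1}
```

Pass `send=` a fake transport to dry-run the call sequence before touching a live org; `shared_kids` takes the app objects returned by listing the org's apps.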