This is an Early Access (EA) feature. Contact Okta Support to enable it.
This feature enables sharing the same signing key among multiple app instances within an org.
When configuring multiple instances of the same app, it might be desirable to configure these multiple app instances to accept a single identity provider. In that case, the assertions from the two app instances must be signed by the same key, which is enabled by sharing the keys between two instances.
Using Shared Keys
Once the feature is enabled, there are no procedural changes needed to use it.
Any of the key credentials for an app instance can be shared with another app instance. To include the same key in both app instances’ key stores, the key must be cloned from the source app instance using the Clone Key Credential for Application API and updated in the target app instance using the Update Key Credential for Application API.
Key Identifiers
A key identifier (kid) is an opaque identifier for the signing key, defined in the specification https://tools.ietf.org/html/rfc7517#section-4.5. By examining the kids that each app instance points to, you can determine whether a key is shared across app instances.
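The kid comparison described above, as an added example that is not Okta's own code: it assumes the shape of the app object (credentials.signing.kid) and of the app key list (JWKs with kid and x5t#S256) returned by the Okta Apps API, and the app IDs, kids and thumbprints below are constructed sample values.

```python
import json
from collections import defaultdict

# Constructed sample resembling two API responses per app instance:
#   - credentials.signing.kid from GET /api/v1/apps/{appId}
#   - the JWK list from GET /api/v1/apps/{appId}/credentials/keys
# App IDs, kids and thumbprints are made up for illustration.
APPS = {
    "0oaApp1Example": {
        "signing_kid": "kidShared01",
        "keys": [
            {"kid": "kidShared01", "kty": "RSA", "use": "sig", "x5t#S256": "thumbA"},
            {"kid": "kidOnlyApp1", "kty": "RSA", "use": "sig", "x5t#S256": "thumbB"},
        ],
    },
    "0oaApp2Example": {
        "signing_kid": "kidShared01",
        "keys": [
            {"kid": "kidShared01", "kty": "RSA", "use": "sig", "x5t#S256": "thumbA"},
        ],
    },
    "0oaApp3Example": {
        "signing_kid": "kidOnlyApp3",
        "keys": [
            {"kid": "kidOnlyApp3", "kty": "RSA", "use": "sig", "x5t#S256": "thumbC"},
        ],
    },
}


def shared_signing_keys(apps):
    """Group app instances by the kid their credentials.signing points to.
    Returns {kid: sorted app IDs} for every kid used by more than one instance."""
    by_kid = defaultdict(list)
    for app_id, app in apps.items():
        by_kid[app["signing_kid"]].append(app_id)
    return {kid: sorted(ids) for kid, ids in by_kid.items() if len(ids) > 1}


def inconsistent_key_material(apps):
    """A cloned key keeps its kid, so the same kid in two key stores should carry
    the same certificate thumbprint. Returns kids whose x5t#S256 differs."""
    thumbs = defaultdict(set)
    for app in apps.values():
        for key in app["keys"]:
            thumbs[key["kid"]].add(key.get("x5t#S256"))
    return sorted(kid for kid, seen in thumbs.items() if len(seen) > 1)


if __name__ == "__main__":
    print(json.dumps(shared_signing_keys(APPS), indent=2))
    print("kids with inconsistent material:", inconsistent_key_material(APPS))
```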