https://support.okta.com/help/answers?id=906f0000000blqoiai&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Pablo Valarezo
Have you used 'hub and spoke orgs' for an acquisition or a divestiture?

We are working through a divestiture and are looking to the hub-and-spoke configuration to make this process easier and in a secure way. Has anyone done this before?
Edward Holliday (Okta, Inc.)
I built a hub and spoke for a customer POC..... If you wanted to use it for a divestiture and you have a simple AD infrastructure you might be looking at the following high level approach:

Hub spoke contains
  • SAML apps that you still want employees in the spokes to be allowed to access
  • AD Agent (Desktop SSO / AD authentication for domain-connected PCs) for the hub with the OU container selected for hub employees
  • O365 app for Federation partnership with the mail/mx/DNS domain record owned by the hub for email

In the spokes
  • AD Agent with the OU container selected for each set of spoke employees
  • O365 app for Federation partnership with the mail/mx/DNS domain record owned by the hub for email
  • inbound SAML partnership between the spokes and the hub to allow employees in the spokes access to those apps the hub still wants to share
  • Above assumes the spokes at least start off by sharing the AD DC - but that mail could be divested straight away using separate O365 tenants

Next step: chat to your Enterprise cloud architect @ Okta!
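The answer above scopes each AD agent to an OU container. One practical check before wiring that up is that the hub's and spokes' OU selections do not nest, because an agent imports the whole subtree under its selected OU and a parent/child overlap imports the same people into two orgs. The script below is an added example, not code from this thread or from Okta; the org names, OU DNs and user DNs are constructed, and the only Okta behaviour it assumes is subtree import per selected OU.

```python
"""Check that hub and spoke AD agent OU selections partition the directory.

Added example, not from this thread. The OU DNs, user DNs and org names are
constructed; the only Okta behaviour assumed is that an AD agent imports the
whole subtree under each selected OU.
"""
from typing import Dict, List, Tuple


def dn_components(dn: str) -> List[str]:
    """Split a DN into lowercase RDNs ordered root-first (DC ... OU ... CN).

    The constructed DNs here contain no escaped commas, so a plain split is enough.
    """
    return [part.strip().lower() for part in dn.split(",")][::-1]


def is_within(dn: str, ou_dn: str) -> bool:
    """True if `dn` is the OU itself or anywhere below it in the tree."""
    obj, base = dn_components(dn), dn_components(ou_dn)
    return len(obj) >= len(base) and obj[: len(base)] == base


def overlapping_scopes(scopes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Org pairs whose selected OUs nest; such a pair imports the same users twice."""
    names = sorted(scopes)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if is_within(scopes[a], scopes[b]) or is_within(scopes[b], scopes[a])
    ]


def assign_users(users: List[str], scopes: Dict[str, str]) -> Dict[str, List[str]]:
    """For each user DN, the orgs whose OU selection would import it."""
    return {u: [org for org, ou in scopes.items() if is_within(u, ou)] for u in users}


def double_imported(assignment: Dict[str, List[str]]) -> List[str]:
    """Users that would land in more than one org (hub and spoke both claim them)."""
    return [u for u, orgs in assignment.items() if len(orgs) > 1]


def unassigned(assignment: Dict[str, List[str]]) -> List[str]:
    """Users no selected OU covers; they would keep no Okta account after the split."""
    return [u for u, orgs in assignment.items() if not orgs]


# Constructed sample directory: one hub OU, one spoke OU with a nested child OU,
# and a container nobody selected.
USERS = [
    "CN=Alice,OU=Hub,OU=Staff,DC=corp,DC=example",
    "CN=Bob,OU=Finance,OU=SpokeA,OU=Staff,DC=corp,DC=example",
    "CN=Carol,OU=Contractors,DC=corp,DC=example",
]

# Disjoint selections: each user imports into at most one org.
GOOD_SCOPES = {
    "hub": "OU=Hub,OU=Staff,DC=corp,DC=example",
    "spoke-a": "OU=SpokeA,OU=Staff,DC=corp,DC=example",
}

# The hub selected the parent OU, so it also swallows the spoke's subtree.
BAD_SCOPES = {
    "hub": "OU=Staff,DC=corp,DC=example",
    "spoke-a": "OU=SpokeA,OU=Staff,DC=corp,DC=example",
}

if __name__ == "__main__":
    for label, scopes in (("good", GOOD_SCOPES), ("bad", BAD_SCOPES)):
        assignment = assign_users(USERS, scopes)
        print(label, "overlap:", overlapping_scopes(scopes))
        print(label, "double-imported:", double_imported(assignment))
        print(label, "unassigned:", unassigned(assignment))
```

Run it against an export of your real OU selections and user DNs; a non-empty `double_imported` list means the agent scoping will not give the hub/spoke separation the divestiture needs, and `unassigned` lists people who fall through the gap.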
Pablo Valarezo
Thanks Edward. We're likely to adopt this in two possible scenarios. The divestiture is one and the other is to segregate our employees from our clients while allowing all to access ServiceNow. Working with the support team to understand more details of setting it up.
Karen Huffman (admin)
We had a recent discussion with a cloud architect @ Okta. There are potentially two options, with the 2nd option illustrated below being a bit simpler / more direct in its configuration.

Org-to-Org + Inbound SAML:
  • Hub of shared apps (HSA) -- shared apps between two companies.
  • Company 1 spoke (C1S) -- apps only available to company 1.
  • Company 2 spoke (C2S) -- apps only available to company 2.
  • Company X spoke (CXS) -- apps only available to company X.
Spokes access the hub but would require admins/joint admins for the hub: C1S --> HSA <-- C2S

Inbound SAML:
  • Company 1 (C1) -- apps only for C1; apps shared with C2 and/or CX but owned by C1.
  • Company 2 (C2) -- apps only for C2; apps shared with C1 and/or CX but owned by C2.
  • Company X (CX) -- apps only for CX; apps shared with C1 and/or C2.
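The two layouts above differ in how many inbound SAML trusts you maintain and in how much has to change when one company leaves. The model below is an added example, not code from this thread or from Okta; the app catalogue and company names (C1, C2, CX, HSA) are constructed. It assumes a trust `(idp, sp)` means org `sp` accepts assertions from org `idp`, that in the hub layout every shared app is hosted in HSA, and that in the direct layout each shared app stays in its owner's org.

```python
"""Compare the two federation layouts from the thread: a hub of shared apps
versus direct inbound SAML between companies.

Added example, not from this thread. The app catalogue and company names are
constructed. Assumed model: a trust (idp, sp) means org `sp` accepts SAML
assertions from org `idp`; in the hub layout every shared app is hosted in HSA,
in the direct layout it stays with its owner.
"""
from typing import Dict, FrozenSet, Set, Tuple

Trust = Tuple[str, str]  # (identity-provider org, service-provider org)
HUB = "HSA"
Catalogue = Dict[str, Tuple[str, FrozenSet[str]]]

# Constructed catalogue: app -> (owning company, companies that need it)
APPS: Catalogue = {
    "servicenow": ("C1", frozenset({"C1", "C2", "CX"})),
    "payroll": ("C1", frozenset({"C1"})),
    "crm": ("C2", frozenset({"C2", "CX"})),
    "wiki": ("CX", frozenset({"CX", "C1"})),
}


def shared_apps(apps: Catalogue) -> Set[str]:
    """Apps used by at least one company other than the owner."""
    return {app for app, (owner, users) in apps.items() if users - {owner}}


def hub_trusts(apps: Catalogue) -> Set[Trust]:
    """Option 1: each company that needs any shared app federates once into HSA."""
    consumers: Set[str] = set()
    for app in shared_apps(apps):
        consumers |= apps[app][1]
    return {(company, HUB) for company in consumers}


def direct_trusts(apps: Catalogue) -> Set[Trust]:
    """Option 2: each consumer federates into every owner whose app it needs."""
    trusts: Set[Trust] = set()
    for app in shared_apps(apps):
        owner, users = apps[app]
        trusts |= {(company, owner) for company in users if company != owner}
    return trusts


def accessible(company: str, apps: Catalogue, trusts: Set[Trust], hub_layout: bool) -> Set[str]:
    """Apps a user homed in `company` can open: local apps plus those behind an accepted trust."""
    reachable: Set[str] = set()
    shared = shared_apps(apps)
    for app, (owner, users) in apps.items():
        if company not in users:
            continue  # not assigned to this company, regardless of federation
        host = HUB if hub_layout and app in shared else owner
        if host == company or (company, host) in trusts:
            reachable.add(app)
    return reachable


def trusts_to_cut(company: str, trusts: Set[Trust]) -> Set[Trust]:
    """Divestiture: every trust naming the leaving company, as IdP or SP, must go."""
    return {t for t in trusts if company in t}


if __name__ == "__main__":
    layouts = (("hub", hub_trusts(APPS), True), ("direct", direct_trusts(APPS), False))
    for name, trusts, is_hub in layouts:
        cut = trusts_to_cut("CX", trusts)
        print(name, "trusts:", len(trusts), "to cut when CX leaves:", len(cut))
        print(name, "CX before:", sorted(accessible("CX", APPS, trusts, is_hub)),
              "after:", sorted(accessible("CX", APPS, trusts - cut, is_hub)))
```

With this catalogue the hub layout needs one trust per company and removing a single trust ends all of the leaving company's shared access, which is the appeal for a divestiture; the direct layout needs a trust per consumer/owner pair and every trust naming the leaving company has to be removed from each of the other orgs. The flip side, visible in the "after" output, is that in the hub layout an app the leaving company itself owned and shared is hosted in HSA and has to be moved back out, whereas in the direct layout it never left that company's org.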