Karen Huffman (admin)

Who has setup / would be willing to talk about setting up Org-to-Org trusted Okta instances?

Would like to talk to organizations who have set up Org-to-Org domains. Would like to know how it works, what options are available, how to set up a "trust" between Okta instances, apps, metadata, and universal directory sync / sharing.
Pablo Valarezo
Hi Karen,

I've done the Inbound SAML from our production instance into preview which works very well for my user-only test account.

My admin account in preview uses a password and I tried to set it up for SWA but, ironically enough, it has never worked, so as preview-admin I have to type in a username and password. Turning on the SAML auth is on my to-do list.

Let me know if you want to talk about this setup. I'll be interested in trying out different scenarios as well.

Karen Huffman (admin)
Yes, that would be great. I reviewed the Org-to-Org documentation, but it's not exactly what we are looking for...
  • Company 1: Okta instance 1 will be managed/administered by one organization.
  • Company 2: Okta instance 2 will be managed/administered by another organization.
  • Individuals will sign into the Company 1 instance / remain in Company 1 OR sign into the Company 2 instance / remain in Company 2.
  • Syncing between Company 1 and Company 2: We have selected content/metadata, apps, etc. that we want to share / sync between Company 1 and Company 2.
api-workday
Hi Karen,

I've set up some self-to-self federation for stepping up privileges to admin with MFA (https://support.okta.com/help/blogdetail?id=a67F0000000XZBy) and carried that same method forward in my preview org.

In setting that up I still see some limitations, in that the best option I see for user sync is JIT creation of users based on inbound SAML. I haven't played with it much; perhaps a rich SAML assertion could also be used to provide enough info about a user to deal with group memberships using rule-based group memberships and then doing application assignments from there.

Are there some features I'm overlooking?

I certainly see plenty of opportunities in leveraging OPP agents or the API.
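The attribute-driven JIT group mapping Matt speculates about above, as an added illustration (my own sketch, not Okta's implementation and not code from this thread): it parses a constructed inbound assertion, refuses one outside its validity window, and applies hypothetical rules to derive the groups a user would land in on the Company 2 side.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from Okta). The XML signature is
# omitted; this step assumes the SP has already verified it and the audience.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@company1.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="department"><saml:AttributeValue>IT</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>okta-admins</saml:AttributeValue>
      <saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical rules: (attribute name, value that must be asserted, group to assign in Company 2).
GROUP_RULES = [
    ("department", "IT", "Company2-IT-Staff"),
    ("groups", "okta-admins", "Company2-Admin-Candidates"),
]

def _ts(value):
    # SAML timestamps are UTC with a trailing Z; normalise for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# Constructed clock values for exercising the validity check.
VALID_NOW = _ts("2020-01-01T00:01:00Z")
EXPIRED_NOW = _ts("2020-01-01T00:10:00Z")

def parse_attributes(root):
    """Return {attribute name: [values]} from the AttributeStatement."""
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def jit_groups(assertion_xml, rules=GROUP_RULES, now=None):
    """Return (NameID, [groups]) or raise if the assertion is outside its validity window."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window; refuse JIT provisioning")
    attrs = parse_attributes(root)
    subject = root.find("saml:Subject/saml:NameID", NS).text
    # A rule fires only when the IdP actually asserted the required value.
    groups = [target for name, needed, target in rules if needed in attrs.get(name, [])]
    return subject, groups
```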
Karen Huffman (admin)
@Matt, I reviewed the self-to-self federation information. Perhaps a diagram or discussion might help, as I was wondering: why can't you enable MFA for any admin accounts in Okta to do the same thing?
api-workday
Hi Karen,

I think there was some conversation that transpired in the old Jive community that added some context. I'll see if we can get it added into the post.

The reasons I did it the way I documented:
  1. I didn't want to give my normal productivity account admin rights, for a variety of reasons.
  2. Account lifecycle: I don't have many Okta Admins, but the risk associated with forgetting to disable an Okta admin's account in a departure event is huge. Having that Okta Admin account tied to a normal user account that is tied at the hip to my HR lifecycle was huge.
  3. MFA: I didn't want to be concerned with multiple 'sets' of factors. As it is set up now, the only account with factors configured is my productivity account. The account that is actually the admin is a federated user and essentially doesn't have credentials.
I think that about sums it up.
James Smith
Good to know that this is possible. Thanks, guys.