Who has set up / would be willing to talk about setting up Org-to-Org trusted Okta instances?
Would like to talk to organizations who have set up Org-to-Org domains. Would like to know how it works, what options are available, how to set up a "trust" between Okta instances, apps, metadata, and Universal Directory sync / sharing.
I've done the Inbound SAML from our production instance into preview which works very well for my user-only test account.
My admin account in preview uses a password and I tried to set it up for SWA but, ironically enough, it has never worked, so as preview admin I have to type in a username and password. Turning on SAML auth is on my to-do list.
Let me know if you want to talk about this setup. I'll be interested in trying out different scenarios as well.
In setting that up I still see some limitations in that the best option I see for user sync is JIT creation of users based on inbound SAML. I haven't played with it much; perhaps a rich SAML assertion could also be used to provide enough info about a user to deal with group memberships using rule-based group memberships and then doing application assignments from there.
Are there some features I'm overlooking?
I certainly see plenty of opportunities in leveraging OPP agents or the API.
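As an added example (not from this thread and not Okta's own code), here is a small stand-in for the "rich assertion plus rule-based groups" idea: it parses a constructed inbound SAML assertion, refuses one that lacks the claims JIT creation needs, and derives group memberships from hypothetical rules. The attribute names, the rules and the sample assertion are all assumptions.

```python
# Added example: JIT profile + rule-based groups from an inbound SAML assertion.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Okta artifact); signature omitted,
# so in practice validate the signature before trusting any of these values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Engineering</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>src-eng</saml:AttributeValue>
      <saml:AttributeValue>src-oncall</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Claims JIT user creation cannot proceed without (assumed set).
REQUIRED = ("firstName", "lastName")

# Hypothetical group rules: (target group in the receiving org, predicate over attributes).
GROUP_RULES = [
    ("eng-apps", lambda a: a.get("department") == ["Engineering"]),
    ("oncall-tools", lambda a: "src-oncall" in a.get("groups", [])),
    ("all-federated", lambda a: True),
]

def parse_attributes(xml_text):
    """Return (NameID, {attribute name: [values]}) from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    nameid = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return nameid, attrs

def jit_profile(xml_text):
    """Build the JIT user profile and rule-derived groups; reject incomplete assertions."""
    nameid, attrs = parse_attributes(xml_text)
    missing = [n for n in REQUIRED if not attrs.get(n)]
    if not nameid or missing:
        raise ValueError(f"assertion lacks required claims: {missing or ['NameID']}")
    profile = {"login": nameid, "firstName": attrs["firstName"][0], "lastName": attrs["lastName"][0]}
    groups = [g for g, pred in GROUP_RULES if pred(attrs)]
    return profile, groups
```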
I think there was some conversation that transpired in the old Jive community that added some context. I'll see if we can get it added into the post.
The reasons I did it the way I documented:
I didn't want to give my normal productivity account admin rights for a variety of reasons.
Account lifecycle - I don't have many Okta Admins, but the risk associated with forgetting to disable an Okta admin's account in a departure event is huge. Having that Okta Admin account tied to a normal user account that is tied at the hip to my HR lifecycle was huge.
MFA - I didn't want to be concerned with multiple 'sets' of factors; as it is set up now, the only account with factors configured is my productivity account. The account that is actually the admin is a federated user and essentially doesn't have credentials.