
xi800 (xi800) asked a question.
Hi,
We are prototyping the usage of Okta to support SSO using SAML.
Our application will be the SP, we will have multiple clients who will register with Okta to function as the IdP.
We assume that each client will have their own Okta Org.
We will have at least 2 applications - one used for testing/validation and one used for production.
We would like to validate the following assumption:
In response to our application's SAML authorization request for any user of a specific client Okta Org, the IssuerID in the SAML response will be unique for the combination of: client Okta Org and our Application (but not for the client user)
For example:
Assuming that we have two instances of our applications called TestApp and ProdApp, and
Assuming we have 2 client Okta Orgs partnered with us, ClientOrg1 and ClientOrg2.
There will be 4 possible IssuerIDs returned:
IssuerID in SAML responses for any user from ClientOrg1 in TestApp
IssuerID in SAML responses for any user from ClientOrg1 in ProdApp
IssuerID in SAML responses for any user from ClientOrg2 in TestApp
IssuerID in SAML responses for any user from ClientOrg2 in ProdApp
Is this a valid assumption?
We wanted to try to test this by creating multiple test Okta Orgs but as our applications have not yet been published, it appears that they cannot be accessed from any other Okta Org.
Apologies if this has been posted elsewhere. The only mention of this which we were able to find of using the IssuerID in this way was an indirect reference in https://developer.okta.com/standards/SAML/*single-idp-vs-multiple-idps
Thank you so much for your help!
Krista Campbell

Hello Krista,
The IssuerID is unique per application, and your assumption is right.
You can test on one Organization by configuring multiple applications; the same pattern will occur with new Organizations.
At the SP level, just make sure you support multiple Identity Providers, and everything will work fine.
If any issues occur, please open a ticket with Support and we will gladly help!
Bogdan Andrisan,
Customer Support
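
The SP-side handling discussed in this thread, as an added example that is not part of the original posts and is not Okta's code: it uses the Issuer of an incoming SAML response as the lookup key for a per-(client org, app instance) IdP registry and rejects unknown or cross-environment issuers. The issuer URLs, fingerprints, `IdpConfig`, `resolve_idp` and `sample_response` are hypothetical names and constructed values; signature verification is assumed to happen right after the lookup, using the pinned certificate.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass(frozen=True)
class IdpConfig:
    client: str       # client Okta org that owns this issuer
    app: str          # our app instance the issuer was registered for
    cert_sha256: str  # signing cert pinned at onboarding (placeholder)

# Constructed registry: one Issuer per (client org, app instance) pair.
IDP_REGISTRY = {
    "http://idp.example/org1-test": IdpConfig("ClientOrg1", "TestApp", "<fp-1>"),
    "http://idp.example/org1-prod": IdpConfig("ClientOrg1", "ProdApp", "<fp-2>"),
    "http://idp.example/org2-test": IdpConfig("ClientOrg2", "TestApp", "<fp-3>"),
    "http://idp.example/org2-prod": IdpConfig("ClientOrg2", "ProdApp", "<fp-4>"),
}

class UntrustedIssuer(Exception):
    """Raised when a response's Issuer cannot be mapped to a registered IdP."""

def resolve_idp(response_xml: str, receiving_app: str) -> IdpConfig:
    """Map a SAML response to its IdP config using the Issuer as lookup key."""
    root = ET.fromstring(response_xml)
    elems = root.findall("saml:Issuer", NS) + root.findall("saml:Assertion/saml:Issuer", NS)
    issuers = {(e.text or "").strip() for e in elems}
    # Response-level and assertion-level Issuer must agree on one value.
    if len(issuers) != 1 or "" in issuers:
        raise UntrustedIssuer("missing or inconsistent Issuer")
    cfg = IDP_REGISTRY.get(issuers.pop())
    if cfg is None:
        raise UntrustedIssuer("issuer not registered")
    # A TestApp issuer must not be accepted at the ProdApp endpoint.
    if cfg.app != receiving_app:
        raise UntrustedIssuer("issuer registered for a different app")
    # The Issuer is unauthenticated until the signature is verified against
    # the certificate pinned in cfg; do that before reading any attributes.
    return cfg

def sample_response(issuer: str) -> str:
    """Constructed, unsigned response skeleton for the demo."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer></saml:Assertion>'
            f'</samlp:Response>')

if __name__ == "__main__":
    print(resolve_idp(sample_response("http://idp.example/org1-test"), "TestApp"))
```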