<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D51Y000068b2YTSAYOkta Classic EngineSingle Sign-OnAnswered2024-04-15T09:50:06.000Z2019-04-10T19:26:00.000Z2019-06-05T21:40:48.000Z

m5cmv (m5cmv) asked a question.

April 10, 2019 at 7:26 PM
What if only some of my users require Okta authentication?

Scenario: I have an existing ASP.NET customer portal shared by numerous customers where I manage authentication/authorization w/o Controller Attributes. One of the big customers (Customer A) wants to use federated security (OpenID) via Okta.

 

Question: In this scenario - is it possible to have a single web tier where only one customer (for now) authenticates against Okta while other customers authenticate against an internal AD. Note: I can identify "Company A" users pre-login via the host header. The problem is - the source code is shared. Any suggestions would be welcome. Thank you

  • 2 answers
  • 690 views

  • m5cmv (m5cmv)

    Hello Okta, I just wanted to post my solution to this problem in the event someone else is required to do this as well.

     

    What I did was create a simple ASP.NET application called Okta.Login that used OAuth. After a user authenticates, I grab the Okta claim and I look for the account in my own ACL (Access Control List). If the account does not exist - I create this account (runs once) in accordance with the legacy app standards. At this point -- provided the user authenticates and belongs to the appropriate groups - I transform or populate the legacy session based on the Okta account I bound to when creating the legacy account.

     

    Accordingly, I then added the "Login Application" as a virtual application within the root of my legacy application. In the event a user comes to the portal with session remnants of an expired session representing an Okta bound account - I redirect them to the Okta Login portal - otherwise the client authenticates against the legacy ACL. I have found, in order for this to work. Okta clients who have never logged into this portal must point their browser to the "xxx.xxx.com/Login" (name of the virtual app) where if authentic, clients will be redirected to the legacy app within the root of the web application. In my case - I am lucky because this specific client has their own third level domain I can key off and detect this w/o any session remnants.

     

    It works great and is transparent to the end user who is an Okta. Thank you Okta support for all of your teams help. I love this product!

    Expand Post
    Selected as Best

  • brooks.johnson1.5389696669435503E12 (Okta, Inc.)

    Hi Sean,

     

    Currently that type of setup is not possible within Okta unfortunately. I would recommend reaching out to your AE to possibly put you in touch with our Sales Engineering to see if there is another viable solution to your scenario though.

     

    Brooks Johnson

    Okta Support Engineer

    Expand Post

  • m5cmv (m5cmv)

    Hello Okta, I just wanted to post my solution to this problem in the event someone else is required to do this as well.

     

    What I did was create a simple ASP.NET application called Okta.Login that used OAuth. After a user authenticates, I grab the Okta claim and I look for the account in my own ACL (Access Control List). If the account does not exist - I create this account (runs once) in accordance with the legacy app standards. At this point -- provided the user authenticates and belongs to the appropriate groups - I transform or populate the legacy session based on the Okta account I bound to when creating the legacy account.

     

    Accordingly, I then added the "Login Application" as a virtual application within the root of my legacy application. In the event a user comes to the portal with session remnants of an expired session representing an Okta bound account - I redirect them to the Okta Login portal - otherwise the client authenticates against the legacy ACL. I have found, in order for this to work. Okta clients who have never logged into this portal must point their browser to the "xxx.xxx.com/Login" (name of the virtual app) where if authentic, clients will be redirected to the legacy app within the root of the web application. In my case - I am lucky because this specific client has their own third level domain I can key off and detect this w/o any session remnants.

     

    It works great and is transparent to the end user who is an Okta. Thank you Okta support for all of your teams help. I love this product!

    Expand Post
    Selected as Best

Loading
What if only some of my users require Okta authentication?