Okta Classic Engine | Single Sign-On | Answered | 2024-05-03 | 2020-01-10 | 2020-04-03

IsaacB.16315 (Customer) asked a question.

One SAML app integration, two identities?

I am looking to create an integration with a SAML app that can be accessed two ways:

  1. Named users, i.e., your Okta account name or email is your app user name
  2. The app is accessed via a shared, dummy account

When I create two SAML integrations to the same app, one of the integrations (the one whose cert/key match what was uploaded to the app) works; the other fails because the certs don't match.

I could create a single app integration and set a custom username, i.e., if some condition is true then the app user name is user.login, otherwise a dummy ID, but I don't want to do that, as I won't have (and don't want) something to condition on.

It does not appear that I could assign the username based on group membership, and I would prefer not to do this anyway, as I want any user to be able to access this app either way, as a "named" user and as a "shared account" user, depending on circumstance.

Any alternate ideas on how to hack this?

Thanks

  • Issac Brumer (Customer)

    Thanks Molly. Okta Support came through with an elegant approach:

    Put the app behind its own Okta org. As Okta orgs _do_ allow multiple IDPs, set up two SAML integrations between the "user" org and the "new" org, each with its own identity rules.

    [Attached image]

    Selected as Best
  • Hi Isaac! Apologies for the lack of response to your question. Going forward, we're implementing a new process to ensure that all Discussions receive a response from either another Community member or from the Okta Support team within 7 days of posting. Thank you for your patience while we put this into action!

    I know this question is a bit old now, but if you’re still looking for information or help I’d recommend reaching out to the fine folks in the Admin Pro Tips group to see if anyone there can help: https://support.okta.com/help/s/group/0F90Z000000EK23SAG/admin-pro-tips

    Thanks 🙂

This question is closed.