
mwr89 (mwr89) asked a question.
A simplified version of what I am looking for is:
- We have an Identity Server 4 app (service provider) (ASP.NET Core)
- Depending on the login email used, we are looking to redirect to the appropriate external IdP
- Two different users may not necessarily have the same Okta account
So that last one is what I am wondering about. In all the documentation / examples I've seen, you have to pre-configure the Okta client ID/secret/domain. So the assumption seems to be that all the users use that same config. What I am looking for is to allow user-a from company-a to use their Okta account and user-b from company-b to use theirs. And hypothetically user-c from company-c might use a non-Okta IdP.
Is this supported? Any documentation / pointers?
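A hypothetical home-realm-discovery login action for the setup described above (example code added here, not from the original post and not IdentityServer4's or Okta's own code): the domain of the submitted login e-mail selects which pre-registered external authentication scheme to challenge, and e-mail domains that are not onboarded tenants are rejected instead of falling back to a default IdP. The scheme names, tenant domains and the `Callback` action are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Each tenant's external IdP is registered at startup as its own scheme, e.g.
//   services.AddAuthentication()
//       .AddOpenIdConnect("oidc-company-a", o => { o.Authority = "https://company-a.okta.com"; /* ... */ })
//       .AddOpenIdConnect("oidc-company-c", o => { /* non-Okta IdP */ });
public class HomeRealmController : Controller
{
    // Constructed mapping: onboarded e-mail domain -> registered scheme name.
    // In a real deployment this comes from per-tenant configuration.
    private static readonly IReadOnlyDictionary<string, string> DomainToScheme =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["company-a.example"] = "oidc-company-a",
            ["company-b.example"] = "oidc-company-b",
            ["company-c.example"] = "oidc-company-c",
        };

    // Returns the scheme for the e-mail's domain, or null when the domain is unknown.
    // The e-mail is user-supplied and unverified at this point: it only chooses
    // where to send the user; the chosen IdP still performs the authentication.
    public static string? ResolveScheme(string email)
    {
        if (string.IsNullOrWhiteSpace(email)) return null;
        var at = email.LastIndexOf('@');
        if (at <= 0 || at == email.Length - 1) return null;
        var domain = email[(at + 1)..].Trim();
        return DomainToScheme.TryGetValue(domain, out var scheme) ? scheme : null;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Login(string email, string returnUrl)
    {
        var scheme = ResolveScheme(email);
        if (scheme is null)
            return BadRequest("No identity provider is configured for this e-mail domain.");

        // Accept only local return URLs so the post-login redirect cannot leave the site.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
            returnUrl = "/";

        // "Callback" is a hypothetical action that completes the external sign-in; it
        // should check that the returned identity's e-mail domain matches the scheme.
        var props = new AuthenticationProperties { RedirectUri = Url.Action("Callback", new { returnUrl }) };
        props.Items["scheme"] = scheme;
        return Challenge(props, scheme);
    }
}
```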

One thing you can easily try, if user-a, user-b, user-c and user-d all belong to different domains: you can configure IdP discovery in your Okta tenant with the help of the Okta support team, and after that, based on the login email used, it should be redirected to the correct IdP.
Thanks Sandeep. Wouldn't that require us to add all users from all domains to our Okta tenant, and then keep doing that as new users get added? The idea here is that tenants/companies can add/remove/manage their own user logins without having to sync with us. Thank you.
Then in that case, add Okta as SP and keep the identity providers separate. They can manage the identities at their end. You can define a federation attribute/flag (for example loginID/username) in Okta to do the federation. They should send that unique attribute in the SAML assertion, and Okta will verify it and provide access.