Okta Classic Engine | Universal Directory | Answered | 2024-08-23T09:00:43.000Z | 2021-05-27T06:38:42.000Z | 2021-05-30T13:47:29.000Z

EmanuelA.69765 (Customer) asked a question.

Multi Tenancy with concurrent sessions

Hi!


We have a use case where we want users to be able to "switch accounts" depending on the resource they are accessing. We understand that we can implement something like this with multi tenancy, which can be implemented by setting up Applications/Groups accordingly, for example:


In this case, we can create two applications, Application A and Application B, and their corresponding Group A and Group B. We can even create an IdP that will automatically assign users to a given group, and thus "lock" tenants to a given IdP. This setup sounds like a good solution, although we welcome any input on how it can be improved.


But now the requirements get more complex: we need to allow users from tenant A to access tenant B, and keep track of them as if they are a single identity. We still need these two users to have separated identities, given that "you cannot assign multiple accounts to individual users for a single application because it would dilute the integrity of the authentication" [1]. In other words: user_a@example.com, and user_b@example.com, cannot both be mapped to a single user object in Okta, is this correct? If so, we could easily link users by associating their Okta IDs to a single identity internally in our system. Another way would be to add a custom attribute to users, that we can set to a custom ID that is shared across linked users. Is there any issue with this approach?


Another place where this requirement gets tricky is performing the actual switching. When a user authenticates, Okta initializes a session and sets the corresponding session cookies. So when asking for an authorization with the Okta OAuth 2.0 API, if a session is active, Okta will just return a token for the active session. I can give an example to clarify this case:

  1. alice@example.com logs in to Application A
  2. they are granted access to /resource/a
  3. now they want to access /resource/b from the same browser and they are redirected to /authorize with a different client_id
  4. since the session cookies are set for alice@example.com, the /authorize call returns an error that the user is not assigned to Application B


Instead, what we need to happen at 4. is for Okta to redirect the user to a new login page and reauthenticate the user, but it obviously doesn't because there's an active session. The only way around this is to close the session and reauthenticate the user, which is cumbersome, since the user will need to log in again every time they switch resources. Is there a way to do this more efficiently? What we are looking for is something like Google's account switcher feature, where you can switch between accounts seamlessly, without having to reauthenticate every time.


So, summing it up:

  1. Is it possible to have multiple usernames under a single user object?
  2. We understand the answer to 1. is no, which makes sense, so is there a recommended way to link users across groups/tenants?
  3. Is there an easy way to switch sessions, instead of closing and opening a new one?


Thank you people for any help you can provide!

[1] https://support.okta.com/help/s/article/Is-it-possible-to-have-multiple-usernames-associated-to-one-Okta-account-for-a-SAML-app?language=en_US
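The flow in step 3 and 4 above, written out from the relying party's side as an added example (not code from the original post or from Okta): a PKCE-protected /authorize request for Application B's client_id that carries `prompt=login`, which OpenID Connect defines (and Okta's /authorize endpoint accepts) as "re-prompt for credentials even if a session exists", plus a callback parser that checks `state` and distinguishes a code from an error such as `access_denied`. The issuer, client_id and redirect_uri are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; substitute your own org, client_id and redirect URI.
OKTA_ISSUER = "https://example.okta.com/oauth2/default"
APP_B_CLIENT_ID = "0oa_app_b_placeholder"
APP_B_REDIRECT_URI = "https://app.example.com/callback/b"


def pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE method S256 (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_switch_url(client_id, redirect_uri, state, nonce, code_challenge):
    """Build the /authorize URL that moves the browser to another application.

    prompt=login asks Okta to show the login page even though a session cookie
    for the current user is present, instead of silently reusing that session
    (which, for a user not assigned to the app, yields an error redirect).
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,               # CSRF binding, checked in parse_callback
        "nonce": nonce,               # replay protection, checked against the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "login",
    }
    return f"{OKTA_ISSUER}/v1/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Classify Okta's redirect back: ('code', code) or ('error', reason)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return ("error", "state_mismatch")   # reject forged or mixed-up responses
    if "error" in q:
        return ("error", q["error"][0])      # e.g. access_denied for an unassigned user
    return ("code", q["code"][0])
```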


  • ydce6 (ydce6)

    We do this by not using 2 tenants but 2 accounts (or more).

    We use least privilege by offering levels of account. Main has email, cloud can admin cloud services, server can admin servers. We then get the employee id of the main account and add it to the other admin accounts, allowing us to track them as 1 user. Users are taught to use 2 browsers or an incognito window. I have 5 accounts for admin work and it works fine.

    Join the Facebook group "Okta Help Tips and Tricks" for a growing community.

  • User15907066324262507667 (Vendor Management)

    Hello, this is Eusebiu.


    Seeing that your request is very complicated and it definitely needs a meeting in order for us to understand the exact flow, our only recommendation in this situation is to create a ticket and our support team will be there to help you either achieve your goal or advise you as best as possible towards your goals.

This question is closed.