Okta Classic Engine · Administration · Answered · 2024-03-25T08:59:51.000Z · 2022-07-26T01:01:55.000Z · 2022-07-27T14:39:19.000Z

yqvvc (yqvvc) asked a question.

For Partner Access Management is Hub & Spoke the right approach?

Hello Community

I am new to Okta and trying to figure out the best implementation strategy for Workforce Identity that will involve a lot of partners. I would like to tap into the knowledge of the community to get recommendations/suggestions.


My company collaborates with a lot of partners and we have multiple projects with each partner. Partners would need access to our infrastructure & tools (GCP, AWS, GitHub, Jira...) for collaboration. I want to manage partner access at the project level.


I am thinking of creating groups for each project, adding partner employees to the groups and using the groups to configure access policies on my infrastructure & tools. But managing all these groups and onboarding/offboarding/updating partner employees seems like a demanding and daunting task, so I want to offload group management to the partners (maybe an admin from the partner's side).


Also, each partner has their own identity provider (Active Directory, Okta, Ping, Google Cloud Identity...). I want partners to use their own IdP but force some policies like MFA (security key or key from an app) and access audits for compliance.


I am thinking of using the Hub & Spoke model of Okta for this. The questions are:

* Can I create spoke orgs for each Partner?

* Can each spoke use their own IdP with my enforced policies from the Hub?

* Can I restrict each spoke's configuration to its spoke admin and my super admin only? (I don't want to expose PartnerA to PartnerB.)

* Can I create the groups on spokes and delegate them to the spoke admin?

* Can I create a group on my Hub which can be a union of groups from different spokes?


Am I looking in the right direction? Is Hub & Spoke the right design for this implementation?

  • Mihai N. (Okta, Inc.)

    Hi @yqvvc (yqvvc), thank you for reaching out to the Okta Community!


    In short, the answer would be "yes" to all of the questions.


    To answer the questions individually:


    * Can I create spoke orgs for each Partner?

    • Yes, and if necessary all the orgs could be customized with branding and custom domains.


    * Can each spoke use their own IdP with my enforced policies from the Hub?

    • Yes, they can leverage their own IdP provided it's one of the supported configurations, but as far as policies go, all orgs would have their own individual policies. You can enforce app-level sign-on policies for the resources that would then be accessed from your main org.


    * Can I restrict each spoke's configuration to its spoke admin and my super admin only? (I don't want to expose PartnerA to PartnerB.)

    • Yes - you'll have to create for yourself a Super Admin account in each org, then at least one each for the respective partners in their individual orgs.


    * Can I create the groups on spokes and delegate them to the spoke admin?

    I'm a bit unclear as to what you mean by "delegate it to spoke admin," but the answer would still be "yes" for all of my interpretations:

    • Create a Group Admin in the org and have them manage a certain group.
    • Create dedicated groups for various uses and then push the membership to downstream orgs via Org2Org provisioning.
    • A mix of both of the above.


    * Can I create a group on my Hub which can be a union of groups from different spokes?

    • Yes, using the above-mentioned Push Groups functionality, you could get all the groups into your main org and then leverage the Group Rules functionality to add all the members to another desired group.


    That being said, this type of deployment has many variables and environmental factors to consider, so definitely test things out in sandbox/preview environments as much as possible.

    All in all, you're on the right track. I'm also curious to see what other members of the Okta Community have to add. Maybe experiences to share? 

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.


    Hope it helps! 

    Selected as Best
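As an added example (not from the thread and not Okta's own code) of the Push Groups plus Group Rules approach described in the answer, this models the hub-side union group offline: it builds a Group Rule payload in the shape the Okta Group Rules API expects and evaluates it locally against constructed spoke memberships, including what happens when a spoke admin offboards a user who belongs to more than one partner project group. The group ids and logins are constructed; the API shape and the `isMemberOfAnyGroup()` Expression Language function are assumptions based on Okta's public documentation.

```python
import json

# Constructed sample: groups pushed from two spoke orgs into the hub org via
# Org2Org Push Groups. Keys are hub-side group ids, values are member logins.
PUSHED_GROUPS = {
    "00gSPOKEA_projX": {"alice@partner-a.example", "bob@partner-a.example"},
    "00gSPOKEB_projX": {"carol@partner-b.example", "bob@partner-a.example"},
}
HUB_PROJECT_GROUP = "00gHUB_projX"  # constructed id of the hub's union group


def build_group_rule(name, source_group_ids, target_group_id):
    """Payload for POST /api/v1/groups/rules (assumed API shape): anyone in a
    pushed spoke group is assigned to the hub project group. The rule is
    created inactive and must be activated via .../lifecycle/activate."""
    quoted = ",".join(f'"{gid}"' for gid in sorted(source_group_ids))
    return {
        "type": "group_rule",
        "name": name,
        "conditions": {
            "expression": {
                "value": f"isMemberOfAnyGroup({quoted})",
                "type": "urn:okta:expression:1.0",
            }
        },
        "actions": {"assignUserToGroups": {"groupIds": [target_group_id]}},
    }


def evaluate_rule(rule, memberships):
    """Local evaluation of an isMemberOfAnyGroup() rule: the hub group's
    membership is the union of the referenced pushed groups' members."""
    expr = rule["conditions"]["expression"]["value"]
    inner = expr[len("isMemberOfAnyGroup("):-1]
    ids = [g.strip().strip('"') for g in inner.split(",") if g.strip()]
    return set().union(*(memberships.get(g, set()) for g in ids))


def offboard(memberships, group_id, login):
    """A spoke admin removes a user from their group; after the next push the
    hub copy loses the member and the rule-derived membership follows."""
    updated = {g: set(m) for g, m in memberships.items()}
    updated[group_id].discard(login)
    return updated


if __name__ == "__main__":
    rule = build_group_rule("projX-union", PUSHED_GROUPS, HUB_PROJECT_GROUP)
    print(json.dumps(rule, indent=2))
    print(sorted(evaluate_rule(rule, PUSHED_GROUPS)))
```

Note that a user present in two spoke groups keeps hub access until every spoke that lists them has removed them, so audit the union group rather than any single partner group.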
This question is closed.