Okta Classic Engine | Integrations | Answered | 2024-03-25T20:57:05.000Z | 2022-08-09T06:26:09.000Z | 2022-08-15T16:22:00.000Z

ekz2o (ekz2o) asked a question.

Integrating multiple IDPs with okta application and users authenticate using those IDPs

Our application supports only one IDP on the SAML interface, while our customers have users connecting to multiple IDPs.

We need some setup where we run an Okta application (using a dev account), add IDPs to the same application and route the requests using the routing rule; the IDPs in turn should return the user authentication to my application, which returns the assertion to our application.


Our product doesn't have any knowledge of the IDPs the Okta application is talking to.

Is it possible to do this using Okta?


Image is not available


  • Hi @ekz2o (ekz2o), thank you for reaching out to the Okta Community!


    Short answer: Yes


    Long answer: 

    Okta supports multiple IDPs. See the documentation here.

    You will be able to implement various IDPs to either "import" users (JIT provisioning via SAML) or just route authentication to them for pre-existing users.

    Once authenticated in Okta via those IDPs, you can assign the respective app(s) to them and have them access the necessary resources.


    Hope my answer helps! 

    • ekz2o (ekz2o)

      Hi @Mihai Negoita (Employee),

      Thanks for your reply. Here, in this scenario, the IDP is replying with the assertion to my application, instead of sending it to the SAML application interfaced with my app (the broker in the image). This will not work, as the IDP entity is not known to my application and we cannot add multiple IDPs to my app. Do we have any way to get the SAML assertion from the IDP via the SAML application I have interfaced with my application?


      Thanks,

      Anil Vippala.

      • The way I'm seeing this implementation, Okta would be the only IDP for the app and, for the purposes of the authentication, the users would leverage their respective IDPs to sign into Okta. From there Okta sends a different SAML assertion to give them access to the app.

        If your app requires certain attributes to be passed from those respective IDPs, this might be done via attribute mappings. In essence, the IDP sends the values to Okta, Okta adds them to the user profile, then sends them to the downstream app.


        Of course this is just a high level discussion. The whole implementation would have to be tested in a sandbox/preview environment to properly identify any potential variables and limitations.

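A small Python model of the brokered setup described in this reply, added here as an illustration and not code from the thread or from Okta. The entity IDs, the route-by-email-domain rule and the attribute names are constructed placeholders, and real SAML XML, signature verification and replay protection are left out; it only models who issues the assertion, who it is addressed to, and how attributes are mapped through the broker's user profile:

```python
from dataclasses import dataclass, field
@dataclass
class Assertion:
    issuer: str       # entity ID of the party that issued the assertion
    audience: str     # entity ID the assertion is addressed to
    subject: str      # NameID of the user
    attributes: dict = field(default_factory=dict)

class Broker:
    """Okta-style broker: trusts several upstream IdPs, re-issues assertions as itself."""
    def __init__(self, entity_id, trusted_idps, routing_rules, attribute_maps):
        self.entity_id = entity_id
        self.trusted_idps = set(trusted_idps)
        self.routing_rules = routing_rules    # email domain -> upstream IdP entity ID
        self.attribute_maps = attribute_maps  # IdP entity ID -> {IdP attribute: profile attribute}

    def route(self, login):  # routing rule: pick the upstream IdP from the email domain
        return self.routing_rules.get(login.rsplit("@", 1)[-1])
    def broker(self, upstream, app_entity_id):
        """Check the inbound assertion, map its attributes, issue a fresh one to the app."""
        if upstream.issuer not in self.trusted_idps:
            raise ValueError("untrusted upstream IdP: " + upstream.issuer)
        if upstream.audience != self.entity_id:
            raise ValueError("inbound assertion is not addressed to the broker")
        amap = self.attribute_maps.get(upstream.issuer, {})
        profile = {dst: upstream.attributes[src] for src, dst in amap.items()
                   if src in upstream.attributes}
        return Assertion(self.entity_id, app_entity_id, upstream.subject, profile)

class App:
    """The customer's SP: knows exactly one IdP entity ID, as in the question."""
    def __init__(self, entity_id, trusted_idp):
        self.entity_id, self.trusted_idp = entity_id, trusted_idp
    def accept(self, a):
        return a.issuer == self.trusted_idp and a.audience == self.entity_id

# Constructed entity IDs (placeholders, not real tenants).
ACME_IDP, OKTA, APP = ("https://idp.acme.example/saml",
                       "https://dev-000000.okta.example/saml", "https://app.example/sp")
broker = Broker(OKTA, [ACME_IDP], {"acme.example": ACME_IDP},
                {ACME_IDP: {"mail": "email", "dept": "department"}})
app = App(APP, OKTA)

def demo(login="alice@acme.example"):
    """(IdP answers the app directly, IdP answers Okta which re-issues, mapped attributes)."""
    idp = broker.route(login)
    direct = Assertion(idp, APP, login, {"mail": login})  # the flow the asker described
    brokered = broker.broker(Assertion(idp, OKTA, login, {"mail": login, "dept": "eng"}), APP)
    return app.accept(direct), app.accept(brokered), brokered.attributes
```

The app rejects the assertion that comes straight from the upstream IdP (unknown issuer) and accepts the one Okta re-issues under its own entity ID, with the mapped attributes attached.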
      • ekz2o (ekz2o)

        Yes, @Mihai Negoita - Okta (Okta, Inc.).

        This is the environment I need. How can I make the IDPs reply with the assertion to Okta, and can you point me to any document/guide to do it? [I can use another dev account to configure the IDP to keep it simple.]

        Thanks,

        Anil Vippala.

      • If the app you are looking to integrate is in our catalog, you can look it up here and follow the guide: https://www.okta.com/integrations/ or from your Okta Admin dashboard → Applications → Browse App Catalog.

        If the app is not in our catalog, you will have to set up a custom integration using the Application Integration Wizard.

        I left a hyperlink to the IDP setup documentation in my initial response.


        Regards.

This question is closed.