
BenjaminW.98868 (Customer) asked a question.
I have an SP-initiated SSO application using SAML that is going on to the Okta Integration Network. The app/SSO sign-in is working. Now suppose it is on the OIN, and Company A and Company B have added my app and assigned their users to use the app to access my service: in what way can I know whether a user is from Company A or Company B? I don't see anything obvious in the SAML assertion. This is without trusting the usernames provided (I can go to Okta Directory, People, and create myself a "president@whitehouse.gov" without much of a question. I am not trusting the usernames).
I had also an idea when looking at the Okta Expression Language overview:
https://developer.okta.com/docs/reference/okta-expression-language/
It references the use of "org.name" and "org.subDomain". However, when I tried them under SAML Settings, Attribute Statements, the page reported "The expression is invalid: Property 'org' not found". So, Okta Expression Language doesn't work here.
What other options do I have to identify which company/organisation a user is logging in from?
Use case scenario: internal security and auditing of users accessing my service.

Is your application multi-tenant like Okta? For Okta, different customers have different tenants with different URLs, so it can redirect to a different URL. I think every company, like Company A and Company B, has a different SAML configuration, so it can set a different Okta tenant URL.
The Okta expression language is very powerful. It can look like this:
String.replace("acs:ram::<account_id>:role/$approle,acs:ram::<account_id>:saml-provider/okta-provider", "$approle", appuser.approle)
The customer can set it like this:
String.replace("acs:ram::177242285274****:role/$approle,acs:ram::177242285274****:saml-provider/okta-provider", "$approle", appuser.approle)
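The answer above points at per-company SAML configuration as the way to tell tenants apart. The following is an added example, not code from either poster or from Okta, showing the SP-side half of that approach in Python: each customer org that connects is recorded under its IdP entityID (the `Issuer` element that every SAML Response and Assertion carries), and the tenant is derived from that issuer rather than from the username. The SP entity ID and the two issuer strings are constructed placeholders, and the function assumes the SAML library has already verified the XML signature and validity window before it is called.

```python
"""Attribute a SAML login to a tenant by the assertion's Issuer (IdP entityID),
never by the username. Added example; identifiers below are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumption: the SP entity ID we registered with each customer's Okta org.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"

# One entry per onboarded customer org. Each org issues assertions under its own
# IdP entityID; the operator records it when the org is connected. Placeholders only.
TENANTS_BY_ISSUER = {
    "http://www.okta.com/exkCOMPANYA_PLACEHOLDER": "company-a",
    "http://www.okta.com/exkCOMPANYB_PLACEHOLDER": "company-b",
}


class TenantError(ValueError):
    """Raised when the assertion cannot be attributed to a known tenant."""


def tenant_from_response(response_xml: str) -> dict:
    """Return {'tenant': ..., 'name_id': ...} for a signature-verified SAML Response.

    Signature and NotBefore/NotOnOrAfter checks are assumed to have been done by the
    SAML library already; this only decides which tenant the login belongs to and
    refuses anything whose issuer is not on file. Production code should parse with
    defusedxml or the SAML library's own parser rather than plain ElementTree.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise TenantError("no Assertion element")

    # Response and Assertion each carry an Issuer; require both and require agreement.
    resp_issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    assn_issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if not assn_issuer or resp_issuer != assn_issuer:
        raise TenantError("Response and Assertion Issuer missing or mismatched")

    tenant = TENANTS_BY_ISSUER.get(assn_issuer)
    if tenant is None:
        raise TenantError(f"unknown issuer {assn_issuer!r}; org not onboarded")

    # The assertion must be addressed to us; an assertion minted for another SP
    # that trusts the same org must not be accepted here.
    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if SP_ENTITY_ID not in audiences:
        raise TenantError(f"audience {audiences} does not include {SP_ENTITY_ID}")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return {"tenant": tenant, "name_id": name_id}


def sample_response(issuer: str, name_id: str, audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned SAML Response used only to exercise the function above."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # The same self-chosen username from two different orgs lands in two different tenants.
    for issuer in TENANTS_BY_ISSUER:
        print(tenant_from_response(sample_response(issuer, "president@whitehouse.gov")))
    # An org we never onboarded is refused, whatever username it presents.
    try:
        tenant_from_response(sample_response("http://www.okta.com/exkNOT_ONBOARDED", "admin"))
    except TenantError as exc:
        print("rejected:", exc)
```

The audit record for the "internal security and auditing" use case can then log the tenant label next to the NameID, so a username chosen inside one customer's org can never be mistaken for a user of another.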