<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
0D54z00008nijHDCAYOkta Identity EngineSingle Sign-OnAnswered2023-02-21T07:55:03.000Z2023-02-15T14:50:15.000Z2023-02-21T07:55:03.000Z

TommyC.44066 (Customer) asked a question.

Org2Org SP initiated auth

We are currently testing the Okta Hub & Spoke model.

We have successfully managed to setup a Hub, Spoke and routing based on application.

When a user present in the Spoke using the appropriate application I can authenticate.

Part of our requirement though is to restrict any form of PII (including email addresses) to leak from our Spoke Org(s) to our Hub Org. We have very strict policies governing our requirements on this topic.

With this in mind I am attempting to limit the data being exchanged via SAML to only our internal identifiers when JIT on the Hub has to create an entity.

I have read numerous documents and scanning the support questions have not come across a clear case matching our requirement. Though the Hub & Spoke model is marketed as a perfect model to solve this problem.

Has anyone had any success with this and are there clear step-by-step guides available to explain to us how to successfully implement this type of model?


  • I don't know of any out-of-the-box solution for this.

    I know that we have HIPAA/FedRAMP compliant environment org options that might treat PII differently than regular orgs but I'm not sure even those would offer a way to keep PII separated if you have multiple orgs involved.

    My advise would be to reach out to your Okta Account Executive or Customer Success Manager to discuss options.

    If you do not know who they are or don't have their contact info, just open a case and ask our Support team to put you in touch.

     

    I hope that will help or at least give you a definitive answer!

    Expand Post
    Selected as Best
  • Hi @TommyC.44066 (Customer)​ , Thank you for reaching out to the Okta Community!

     

    Perhaps the following article will help your use case:

    https://help.okta.com/en-us/Content/Topics/Apps/Apps_Bookmark_App.htm

     

    I for one have always found the verbiage of the article confusing "simulate IDP initiated" (personal opinion) - but in essence, you would get the app login URL (app embed link on the General tab of the app), and use that in conjunction with a bookmark app in the org where you want to trigger the login from. 

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

    --------------------------------

    Now available: Product release highlights, your top questions, and other things you may have missed in this month's newsletter

    Expand Post
  • TommyC.44066 (Customer)

    Hello @Mihai Negoita - Okta (Okta, Inc.)​ ,

     

    Thank you for the reply and advice.

     

    I have looked at the bookmark app approach but I do not think it is the appropriate solution for us.

     

    We have our Hub Org configured with a SAML Org2Org identity provider.

    This all works with the default configuration and provisioning occurs in the Hub Org for the entity, as it exists in the Spoke Org.

     

    As stated our use case requires that we keep all PII out of the Hub Org.

    This is where I am currently struggling with the configuration.

     

    It is not clear how to setup the profile mappings to ensure SAML assertions work and when the entity is provisioned, it is done in a manner of our choosing.

     

    This is where I need advise / assistance currently.

    Expand Post
    • I don't know of any out-of-the-box solution for this.

      I know that we have HIPAA/FedRAMP compliant environment org options that might treat PII differently than regular orgs but I'm not sure even those would offer a way to keep PII separated if you have multiple orgs involved.

      My advise would be to reach out to your Okta Account Executive or Customer Success Manager to discuss options.

      If you do not know who they are or don't have their contact info, just open a case and ask our Support team to put you in touch.

       

      I hope that will help or at least give you a definitive answer!

      Expand Post
      Selected as Best
This question is closed.
Loading
Org2Org SP initiated auth