Okta Classic Engine | Integrations | Answered | 2023-05-29T17:01:20.000Z | 2023-05-26T20:41:46.000Z | 2023-05-29T17:01:20.000Z

TudorM.83509 (Customer) asked a question.

Programmatically get Okta Tokens through a custom IDP

We have a multi-tenant application. By default, tenants use our Okta organization. Some tenants want to bring their Azure AD credentials. We've set up Azure AD (single tenant) as a custom IDP in Okta. All works well.

For tenants that use Okta directly, I've set up automated tests to check that newly created Users get proper access to our application. I've done this by using Resource Owner Password flow to issue tokens from Okta for dynamically created users. All great.

 

Here's the problem. I want to do the same kind of tests for users in Azure AD. I want to programmatically issue Okta tokens for users in Azure AD. Creating users in Azure AD is not a problem. Getting Id Tokens or Access Tokens from Azure AD (using the same App Registration that is linked to the Okta Custom Idp) is not a problem.

I don't understand how I am to go about this.

  • Is there a way to exchange the Id Token or Access Token issued by Azure AD with one issued by Okta? To my understanding, this is a different thing than using On-Behalf-Of token exchange, since the API (Resource) is the same.
  • Is there a way to use Code flow in Azure AD and have it redirect to some Okta endpoint? (this sounds a bit SF to me)
  • Am I going the wrong way about this?
  • I could do this via UI Tests but I would really like to avoid that, since I don't want to test Okta features, I want to test that users are linked properly between Okta and our App.

Thanks.


  • User16525970288336564155 (MFA and Devices)

    Hello. First of all, thank you for your post! It greatly helps with adding visibility to the community.

    Since this request is very custom, and we don't have an already existing solution for it, I would suggest opening a ticket with Okta Support if the help from the Okta Community is not enough.

    Thanks!

This question is closed.