Okta Classic Engine / Authentication / Answered / 2024-04-17T10:33:13Z / 2023-09-05T10:57:37Z / 2023-09-06T16:40:42Z

gs27j (gs27j) asked a question.

Implementing cross-account authentication with the "Log in with Okta" button

Hello everyone!

Has anyone had to add a "Log in with Okta" button to your application's login page, similar to how you can log in with Google, GitHub, Microsoft, and so on?

I'm currently dealing with a challenge where I can only set up this kind of integration for one Okta account (organization, realm). Unfortunately, it doesn't work for other accounts (companies). For instance, I've configured SAML or OAuth integration using my Okta developer account and linked it as an Identity Provider (IdP) in Keycloak. When I click the "Log in with Okta" button, it always redirects me to the authentication page at "https://dev-12345678.okta.com/app/dev-12345678_appname/somehash/sso/saml". However, the issue is that users from different Okta accounts, not associated with my organization, can't use this authentication method.

If anyone has encountered a similar problem and can offer potential solutions, I would greatly appreciate it.

Thank you!


  • Mihai N. (Okta, Inc.)

    Hi @gs27j (gs27j), Thank you for reaching out to the Okta Community!

    This question is more appropriate for our dedicated Okta Developer Forum.

    My advice would be to reach out to devforum.okta.com to take advantage of their expertise.

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).

    In the case of Okta as an IDP, account federation happens at tenant (org) level.

    The way I'm seeing things, you have the following options:

    1. You'll need to have the users in your org (add them manually, or via imports/external IDP)

    OR

    2. Implement self-service registration.

    OR

    3. If you are the app owner, add it to the OIN (Okta Integrations Network) and make the integration public so that any Okta customer can set it up in their org. In this case, the app would need to support multiple IDPs or offer services per tenant.

    That being said, I still recommend checking on the Developer side for confirmation and further advice.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!

    --------------------------------

    Follow us at OktaSupport

    Selected as Best
    • gs27j (gs27j)

      Thank you very much for your response @Mihai N. (Okta, Inc.)!

      I will definitely ask this question in the developer support section, thanks.

      Am I understanding correctly that my Okta account can only act as an Identity Provider for those end users who are registered in my Okta account? In other words, if a user is not in my Okta account but exists in my customers' accounts, my Okta account cannot confirm the identity of that end user for my authentication server (in other words, my application that I added to OIN)? If so, the only way is to add such a user to my account using one of the available methods (manually adding them in the admin console, importing a list of end users from a file provided by our customers, enabling self-registration for end users within our account)?

      In short, if the end user is not registered in my account, my account cannot confirm their identity in any way?
      • Mihai N. (Okta, Inc.)

        That is correct. When you set up Okta as the IDP for an app, you provide the app side with the tenant-level information, like entity ID, login URL, certificates. When a user tries to authenticate, they are directed to those specific resources.

        Again, I'm not sure how you are trying to integrate your app and you also mentioned Keycloak being involved. I'm not familiar with the product, but as far as I can tell from a quick read online, it seems to offer similar functionality as Okta so one of them might be redundant depending on the use case.

        That is why I recommend checking on the developer side of things to see if anyone has something similar set up.

        Regards.

        --------------------------------

        Follow us at OktaSupport
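The two answers above make the same point: Okta federation is configured per org, so the app receives one org's entity ID, login URL and signing certificate, and only users of that org can be authenticated by it. Option 3 (publish the app in the OIN and let every customer register their own org as an IdP) therefore means the app has to keep one IdP record per tenant, route each login to the right org, and accept a response only from the org the login was started for. The following Python is an added example of that per-tenant routing and check; it is not code from this thread, from Okta or from Keycloak. The tenant names, issuers, SSO URLs and certificate bytes are constructed placeholders, the `RelayState` query parameter stands in for a real SAML AuthnRequest or OIDC authorize request, and signature verification of the response itself is assumed to happen elsewhere.

```python
"""Per-tenant IdP routing for a multi-tenant "Log in with Okta" button.

Added example, not from the original thread or from Okta. Every customer
configures their own Okta org as an IdP for the app, so the app stores one
record per tenant and binds each login to exactly one of them.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class TenantIdP:
    """One customer's Okta org, registered as an IdP for this app."""
    tenant_id: str
    email_domains: frozenset   # domains whose users belong to this customer
    issuer: str                # SAML entity ID / OIDC issuer of the customer's org
    sso_url: str               # login URL the browser is sent to
    cert_sha256: str           # fingerprint of the org's signing cert, pinned at setup


# Constructed placeholder certificates (not real DER), one per customer org.
ACME_CERT_DER = b"constructed DER bytes for acme"
GLOBEX_CERT_DER = b"constructed DER bytes for globex"

# Constructed registry: what the app stores after each customer sets up the
# OIN integration in their own org. Issuers and URLs are placeholders.
TENANT_IDPS = {
    "acme": TenantIdP(
        tenant_id="acme",
        email_domains=frozenset({"acme.example"}),
        issuer="http://www.okta.com/exkACME_PLACEHOLDER",
        sso_url="https://acme.okta.com/app/acme_appname/exkACME_PLACEHOLDER/sso/saml",
        cert_sha256=cert_fingerprint(ACME_CERT_DER),
    ),
    "globex": TenantIdP(
        tenant_id="globex",
        email_domains=frozenset({"globex.example", "mail.globex.example"}),
        issuer="http://www.okta.com/exkGLOBEX_PLACEHOLDER",
        sso_url="https://globex.okta.com/app/globex_appname/exkGLOBEX_PLACEHOLDER/sso/saml",
        cert_sha256=cert_fingerprint(GLOBEX_CERT_DER),
    ),
}

# Logins in flight: state value -> tenant_id. A real app keeps this in a
# server-side session with an expiry; a dict is enough to show the binding.
PENDING_LOGINS = {}


def resolve_tenant(email: str) -> Optional[TenantIdP]:
    """Home-realm discovery: pick the customer org from the user's email domain.

    Returns None for domains no customer has registered. That is the case in
    the question: a user whose org never set up the integration cannot be
    authenticated by any registered org, so the app refuses instead of
    falling back to a default org.
    """
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].strip().lower()
    for idp in TENANT_IDPS.values():
        if domain in idp.email_domains:
            return idp
    return None


def start_login(email: str) -> Optional[str]:
    """Return the redirect URL for the user's org, or None if there is none."""
    idp = resolve_tenant(email)
    if idp is None:
        return None
    state = secrets.token_urlsafe(32)
    PENDING_LOGINS[state] = idp.tenant_id      # bind this login to one tenant
    return f"{idp.sso_url}?RelayState={state}"  # placeholder for the real request


def finish_login(state: str, asserted_issuer: str, signing_cert_der: bytes) -> Optional[str]:
    """Accept a response only if it comes from the org the login was started for.

    Issuer and signing certificate must match the tenant-level values pinned
    when that customer registered. A response validly signed by some other
    Okta org is rejected, which is what keeps tenants isolated.
    Returns the tenant_id on success, otherwise None.
    """
    tenant_id = PENDING_LOGINS.pop(state, None)   # single use
    if tenant_id is None:
        return None
    idp = TENANT_IDPS[tenant_id]
    if asserted_issuer != idp.issuer:
        return None
    if cert_fingerprint(signing_cert_der) != idp.cert_sha256:
        return None
    return tenant_id
```

The important design choice is that the tenant is fixed when the login starts and is never re-derived from the response: the app looks up the pinned issuer and certificate for the tenant it redirected to, and rejects anything else, so a user from one customer org cannot be logged in as a member of another even though both orgs are legitimate Okta tenants.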
This question is closed.