Okta Classic Engine / Single Sign-On / Answered (asked 2023-11-16)

GregoryS.29475 (Customer) asked a question.

Initiate Login URI that does not vary per tenant doesn't make sense? (building an OIDC integration)

I'm struggling to understand why the option "Does your Initiate Login URI vary per tenant?" even exists.


If you opt out of this, all your customers will be redirected to (for example) https://myoidcapp.com/okta?iss=... from which point myoidcapp is supposed to initiate an oauth flow to Okta by calling the /authorize endpoint, receiving a grant, then calling the /token endpoint, etc. To initiate that oauth flow, myoidcapp will need to know what client credentials to use (client_id and client secret), which are tenant-specific.


How is the app supposed to know what credentials to use, unless the tenant can be identified from the URL? Having the iss parameter is not enough to identify a tenant, correct? Because the iss parameter identifies an Okta org, but an Okta org might have multiple tenants (that is, multiple installations of myoidcapp).


In other words, this iss parameter might map to more than one client in myoidcapp. So it seems to me that having a variable of some sort (for example, a custom subdomain, e.g. client1.myoidcapp/okta) is a requirement to implement the Okta multi-tenancy requirement.


Am I missing something basic here?
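A sketch of the server side of the flow described above, as an added example that is not from the original post or from Okta: a tenant resolver for the initiate-login endpoint that treats the incoming `iss` as untrusted, uses the request host to disambiguate when one Okta issuer is registered for more than one installation of the app, and refuses to start the flow when the mapping is ambiguous. The registrations, client IDs, host names and the `/oauth2/v1/authorize` path on the issuer are assumptions for this example.

```python
import secrets
from urllib.parse import urlencode

# Constructed sample data: one registration per installation (tenant) of
# myoidcapp. client1 and client2 share the same Okta issuer, which is the
# ambiguity the question describes. Client IDs are placeholders.
REGISTRATIONS = {
    "client1": {"iss": "https://acme.okta.com", "client_id": "0oa_client1_placeholder"},
    "client2": {"iss": "https://acme.okta.com", "client_id": "0oa_client2_placeholder"},
    "client3": {"iss": "https://globex.okta.com", "client_id": "0oa_client3_placeholder"},
}


class LoginInitError(Exception):
    """Raised when the initiate-login request cannot be mapped to one tenant."""


def resolve_registration(iss, host):
    """Pick the client registration for an incoming initiate-login request.

    `iss` comes from the query string and is untrusted: it is accepted only if
    it equals an issuer we already have registered. `host` is the Host header;
    when the Initiate Login URI varies per tenant, its first label names the
    tenant (e.g. client1.myoidcapp.com). When it does not vary, `host` is None
    and `iss` must map to exactly one registration.
    """
    candidates = [name for name, reg in REGISTRATIONS.items() if reg["iss"] == iss]
    if not candidates:
        raise LoginInitError("unknown issuer")  # never start a flow for an unknown iss
    if host:
        tenant = host.split(":")[0].split(".")[0]  # drop port, take subdomain
        if tenant in candidates:
            return tenant, REGISTRATIONS[tenant]
        raise LoginInitError("issuer is not registered for this tenant")
    if len(candidates) > 1:
        raise LoginInitError("issuer maps to several tenants; a per-tenant URI is needed")
    return candidates[0], REGISTRATIONS[candidates[0]]


def build_authorize_url(iss, host, redirect_uri, token=secrets.token_urlsafe):
    """Return (authorize_url, state, nonce) for the resolved tenant.

    The caller must store state and nonce in the session so the callback can
    verify them. The `/oauth2/v1/authorize` path is assumed here.
    """
    _tenant, reg = resolve_registration(iss, host)
    state, nonce = token(16), token(16)
    params = {"client_id": reg["client_id"], "response_type": "code",
              "scope": "openid profile", "redirect_uri": redirect_uri,
              "state": state, "nonce": nonce}
    return f"{iss}/oauth2/v1/authorize?{urlencode(params)}", state, nonce
```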


  • a0n5s (a0n5s)

    Because the iss parameter identifies an Okta org, but an Okta org might have multiple tenants (that is, multiple installations of myoidcapp).

    Every tenant has a different URL; it can be an Okta subdomain or your custom domain. There is no Okta Org; the issue is per tenant, not per org.

    So many OIDC apps can map to one Okta tenant, but you need to create multiple instances or tenants for your application; then the application can map to different Okta tenants. Like SentinelOne: it is multi-tenant, as Okta is, with every org having one or more tenants. They can set up OIDC with Okta in their tenant.

This question is closed.