Okta Classic Engine | Single Sign-On | Answered | 2025-03-02T09:01:38.000Z | 2024-01-30T22:41:34.000Z | 2024-02-01T15:55:11.000Z

vu7k4 (vu7k4) asked a question.

Using Generic OIDC with Drupal as IDP

Hi,

We're extending our client's platform to include multiple cloud tools connected via SSO through Okta. All users already have credentials in Drupal. From the documentation (https://help.okta.com/oie/en-us/content/topics/integrations/open-id-connect.htm) it seems like Okta can rely on Drupal as the OIDC IdP.

 

If we configure Okta to use Drupal OIDC and then connect a second app to Okta, would the following authentication flows be correct?

 

Components

  • Okta
  • Drupal
  • App1

 

Unauthenticated user tries to authenticate directly in App1

  1. App1 makes authentication request to Okta
  2. If user is not already authenticated, Okta redirects the user to Drupal credential input
  3. User authenticates and Okta redirects to App1 authorization endpoint

 

User authenticates on Drupal and accesses App1

  1. User authenticates via Okta to Drupal
  2. User accesses link to page on App1
  3. App1 redirects to Okta for authentication
  4. Okta confirms existing authentication and redirects to App1 authorization endpoint

 

One of the main goals is to prevent the need to migrate users to Okta or require users to recreate passwords.

If there is a better model for this please advise.

 

We've previously used Auth0, which had a "migration" feature. If a user account did not already exist, it would authenticate username and password against the Drupal site. Those validated credentials then became the user creds in Auth0.

 

Thanks


  • The technique - Okta inbound federation - that you describe is best suited for when you want to permanently use the Drupal credentials.

     

    One of the main reasons for using Okta is taking advantage of Identity specialist managed credentialing, the policy and governance that you get from that to provide better privacy and security for your clients.

     

    So, hopefully your main goal is to make migration seamless for your users. Like in Auth0 there are techniques in Okta that can help you with that. Would you like to know more?

     

     

     

     

    Selected as Best
This question is closed.