Okta Classic Engine | Okta Integration Network | Answered | 2025-11-12T09:00:21Z | 2024-06-27T14:47:46Z | 2024-07-10T13:33:14Z

0xa3a (0xa3a) asked a question.

Configuration for OIDC Identity server step up authentication

We have a number of applications which point at our own identity server. The identity server presently supports local login, and SSO over OIDC using Azure Active Directory and Google.

We want to include configuration for Okta, to allow our clients who use Okta to be referred from our identity server to Okta for authentication.

With Entra, I am able to specify against my app registration that "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)" can access the application. When a user is authenticated with Entra for the first time, if they have the correct authorizations, they are able to authorize access to the application on behalf of their organisation. The authorised application then appears configured as an enterprise application.

I have created a developer account, created an application and configured our identity server to authenticate against that application. From a technical perspective that's all working fine. However, I am only able to log in using an account within the directory of the developer account. I would like for any Okta organisation to be able to access the account.

Can anyone advise or point me in the right direction to achieve this?

Is this the purpose of the Okta OIN integration?


  • Mihai N. (Okta, Inc.)

    Hi @0xa3a (0xa3a), thank you for reaching out to the Okta Community!

    The external IdP feature is used for use cases where you want users that access your Okta org to be redirected to an external source for authentication.

    If I understood your desired use case correctly, you just want other people that might be using Okta to sign into your Microsoft Entra resource/app.

    I'm not aware of an out-of-the-box implementation for this use case, but this does remind me of an older post that was looking to leverage Microsoft Entra for guest access.

    Perhaps this will help.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!

  • 0xa3a (0xa3a)

    Hi Mihai, thanks for your response.

    I don't think that has quite captured our use case. I think ours is quite typical.

    When users attempt to authenticate with one of our applications, they are redirected to our identity server. If they choose to authenticate with Okta, they are redirected to Okta for authentication. On successful authentication they are redirected back to our identity server with a valid identity token, and then back to the application they originally attempted to access.

    My question is centred around how this is set up with Okta. I have it working with an Application set up in the developer account I set up. But only users within this account, and who are assigned to it, can access the application. How do I register this application so users from other accounts can also assign their users to the application?

  • 0xa3a (0xa3a)

    Is anyone able to provide additional guidance on this query please?

This question is closed.