I have an existing web application correctly configured as an OIDC client, allowing authentication and JIT user creation in our Okta Developer tenant via the org-level sign-in widget hosted by Okta, using both direct Okta OIDC and Social Authentication (via Google).
I’d like to add an additional authentication flow from an external customer SAML IdP through the use of IdP routing rules, though I’d still like to retain the existing OIDC client configuration for the application. Thus, the app-initiated login flow would resemble:
User visits our application (httx://app.example.com) and clicks “Login”
You would need to double-check the OIDC flow you use in your application, but for me it worked for the implicit flow, even when the target user doesn’t exist in your Okta org.
Okta handles more than I initially assumed here and will appropriately authenticate the user and redirect them back to the OIDC application without specifically configuring the redirect. The OAuth2 flow includes enough information for Okta to handle this. We now accomplish the desired functionality by:
1. Add a unique SAML2 IdP for the partner, using temporary values for the IdP Issuer URI, IdP SSO URL and IdP Certificate.
2. Provide the generated ACS URL and Audience URI to the partner for use in adding a SAML app to their IdP.
3. Request that the partner provide back their IdP Issuer URI, IdP SSO URL and IdP Certificate, and replace the temporary values from step 1.
4. Add a routing rule which points to this new identity provider, given pattern matching on the partner username. This is commonly the email domain.
This of course requires that either the username exists and is given access to the OIDC application, or is allowed JIT in the IdP configuration in a way which would automatically give them access (Group Assignment, presumably).
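Worked example, added here and not part of the original thread or of Okta's own tooling: the four steps above expressed as Okta Management API request bodies (the SAML2 IdP for step 1, reused with real values in step 3, and the IDP_DISCOVERY rule for step 4), plus a small local model of how such a rule selects an IdP for a given login, including the "first matching rule wins, otherwise fall through to Okta" behaviour and the app scoping that keeps the existing Okta/Google logins untouched. All IDs (0oaPARTNER, 0oaAPP, 00gPLACEHOLDER, PLACEHOLDER_KID), the partner.example domain and the placeholder issuer/SSO values are constructed; endpoint paths and field names follow the public Okta API reference as I recall it and should be verified against it before use.

```python
"""Added illustration of the four-step partner-SAML setup above: Okta Management API
payloads for steps 1 and 4 plus a local model of how an IDP_DISCOVERY rule picks an IdP.
Not Okta's or the poster's code; endpoint paths and field names follow the public Okta
API reference as I recall it and should be checked against it before use."""
import json
import re


def build_saml_idp_payload(name, issuer, sso_url, kid, jit_group_id):
    """Body for POST /api/v1/idps (step 1; step 3 is a PUT of the same shape with the
    partner's real values). `kid` comes from uploading the partner's signing certificate
    to POST /api/v1/idps/credentials/keys; `jit_group_id` grants JIT users the OIDC app."""
    return {
        "type": "SAML2",
        "name": name,
        "protocol": {
            "type": "SAML2",
            "endpoints": {
                "sso": {"url": sso_url, "binding": "HTTP-POST", "destination": sso_url},
                "acs": {"binding": "HTTP-POST", "type": "INSTANCE"},
            },
            "algorithms": {
                "request": {"signature": {"algorithm": "SHA-256", "scope": "REQUEST"}},
                "response": {"signature": {"algorithm": "SHA-256", "scope": "ANY"}},
            },
            # Audience URI is generated by Okta and read back from the response (assumption)
            "credentials": {"trust": {"issuer": issuer, "kid": kid}},
        },
        "policy": {
            "provisioning": {
                "action": "AUTO",  # JIT-create users that do not exist in the org yet
                "profileMaster": False,
                "groups": {"action": "ASSIGN", "assignments": [jit_group_id]},
            },
            "subject": {"userNameTemplate": {"template": "idpuser.subjectNameId"},
                        "matchType": "USERNAME"},
            "accountLink": {"action": "AUTO"},
        },
    }


def build_routing_rule_payload(name, email_domain, idp_id, app_ids, priority=1):
    """Body for POST /api/v1/policies/{idpDiscoveryPolicyId}/rules (step 4). A SUFFIX
    pattern on the login routes every @<email_domain> user to the partner IdP; scoping
    to `app_ids` leaves the app's direct Okta and Google logins untouched."""
    return {
        "type": "IDP_DISCOVERY",
        "name": name,
        "priority": priority,
        "status": "ACTIVE",
        "conditions": {
            "userIdentifier": {"type": "IDENTIFIER",
                               "patterns": [{"matchType": "SUFFIX", "value": email_domain}]},
            "app": {"include": [{"type": "APP", "id": a} for a in app_ids], "exclude": []},
        },
        "actions": {"idp": {"providers": [{"type": "SAML2", "id": idp_id}]}},
    }


# Local model of the userIdentifier matchTypes; EXPRESSION is treated as a regex (assumption).
_MATCHERS = {
    "SUFFIX": lambda ident, v: ident.lower().endswith(v.lower()),
    "EQUALS": lambda ident, v: ident.lower() == v.lower(),
    "STARTS_WITH": lambda ident, v: ident.lower().startswith(v.lower()),
    "CONTAINS": lambda ident, v: v.lower() in ident.lower(),
    "EXPRESSION": lambda ident, v: re.fullmatch(v, ident) is not None,
}


def route_identifier(identifier, rules, app_id, default_idp="OKTA"):
    """First ACTIVE rule in priority order whose app scope and any identifier pattern
    match decides the IdP; no match falls through to the default (Okta) rule."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("status") != "ACTIVE":
            continue
        apps = rule["conditions"]["app"]["include"]
        if apps and all(a["id"] != app_id for a in apps):
            continue
        patterns = rule["conditions"]["userIdentifier"]["patterns"]
        if any(_MATCHERS[p["matchType"]](identifier, p["value"]) for p in patterns):
            return rule["actions"]["idp"]["providers"][0]["id"]
    return default_idp


def main():
    """Dry run: print the step-1 and step-4 payloads and show where two logins would route."""
    idp = build_saml_idp_payload("Partner SAML (placeholders)", "urn:placeholder:issuer",
                                 "https://placeholder.invalid/sso", "PLACEHOLDER_KID", "00gPLACEHOLDER")
    rule = build_routing_rule_payload("Partner routing", "partner.example", "0oaPARTNER", ["0oaAPP"])
    print(json.dumps({"idp": idp, "rule": rule}, indent=2))
    for login in ("alice@partner.example", "bob@example.com"):
        print(login, "->", route_identifier(login, [rule], "0oaAPP"))


if __name__ == "__main__":
    main()
```

The two payload builders are where the caveat about access matters: `provisioning.action = "AUTO"` plus a group assignment is what lets a partner user who does not yet exist in the org be created and land in a group that is assigned the OIDC app, so the routing rule alone is not enough. The routing model is only a local approximation of Okta's evaluation order; the authoritative test is still to log in through the widget with a partner-domain identifier once the rule is active.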
Thanks for your reply. I already configured this use case. But when I tried it on my React application it fails. Here’s my exact problem in this forum.