Automatic use of external Identity Provider

Questions
1

I have the applications A - which uses Okta as its IdP and B - which manages users by themselves, but can also server as OIDC IdP.

Now the use case is to allow user of B to access A without the indication that okta is there.
So this should be the flow:

  1. user is logging to B
  2. B is redirecting user to A (maybe it is redirecting to okta with the link like https://okta.com?redirect_to=A&useIdP=B)
  3. Application A or Okta discovers user is not login to Okta and initiate the OIDC flow with service B.
  4. Okta authenticate the user and redirects the user to service A with proper tokens, so service A gives the access.

The constraints are:

  • Service A cannot switch to use B as IdP.
  • Service A needs to still support current users which login to Okta - it cannot start redirecting all to service B.
  • Above flow can involve multiple redirection between A, B and Okta, but can never stop on Okta page.
  • Accounts in Okta which needs to integrate A with B doesn’t need to be create just in time.

Is the above scenario possible with the external IdP and maybe redirection rules?

2

With an OIDC flow, you can pass the idp parameter to specify which identity provider the user should authenticate with.

As for never stopping on the Okta page, I believe that behavior may change depending on whether your Okta org is on Classic or Identity Engine. You can also use a custom url domain and custom branding so that if the user lands on the Okta login page, it doesn’t mention Okta.