Automatic use of external Identity Provider

I have the applications A, which uses Okta as its IdP, and B, which manages users by itself, but can also serve as an OIDC IdP.

Now the use case is to allow a user of B to access A without any indication that Okta is there.
So this should be the flow:

  1. user is logging in to B
  2. B is redirecting the user to A (maybe it is redirecting to Okta with a link like https://okta.com?redirect_to=A&useIdP=B)
  3. Application A or Okta discovers the user is not logged in to Okta and initiates the OIDC flow with service B.
  4. Okta authenticates the user and redirects the user to service A with the proper tokens, so service A gives access.

The constraints are:

  • Service A cannot switch to using B as its IdP.
  • Service A needs to still support current users which log in to Okta; it cannot start redirecting all of them to service B.
  • The above flow can involve multiple redirections between A, B and Okta, but can never stop on an Okta page.
  • Accounts in Okta which need to integrate A with B don't need to be created just in time.

Is the above scenario possible with an external IdP and maybe redirection rules?

With an OIDC flow, you can pass the idp parameter to specify which identity provider the user should authenticate with.

As for never stopping on the Okta page, I believe that behavior may change depending on whether your Okta org is on Classic or Identity Engine. You can also use a custom URL domain and custom branding so that if the user lands on the Okta login page, it doesn't mention Okta.