I have the applications A - which uses Okta as its IdP - and B - which manages users by itself, but can also serve as an OIDC IdP.
Now the use case is to allow a user of B to access A without any indication that Okta is there.
So this should be the flow:
- the user logs in to B
- B redirects the user to A (maybe it redirects to Okta with a link like https://okta.com?redirect_to=A&useIdP=B)
- Application A or Okta discovers the user is not logged in to Okta and initiates the OIDC flow with service B.
- Okta authenticates the user and redirects the user to service A with the proper tokens, so service A grants access.
The constraints are:
- Service A cannot switch to using B as its IdP.
- Service A still needs to support its current users, who log in to Okta - it cannot start redirecting everyone to service B.
- The above flow can involve multiple redirections between A, B and Okta, but it can never stop on an Okta page.
- The accounts in Okta that are needed to integrate A with B don't need to be created just in time.
Is the above scenario possible with an external IdP and maybe redirection rules?
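As an added illustration (not part of the original post), this is how service A could start the flow described above without ever showing an Okta page: when A has no session it sends the browser to Okta's `/authorize` endpoint with the `idp` parameter set to the Okta id of B's external IdP, and it binds the `redirect_to` destination to a one-time `state` so the hint cannot be turned into an open redirect. The Okta org URL, client id, redirect URI and IdP id are placeholders; the helper names are assumptions.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumptions, not from the original post): Okta org URL, A's OIDC
# client, and the identity-provider id Okta assigns to B once B is registered as an
# external OIDC IdP. The 'useIdP' hint from B is mapped to that id here.
OKTA_ISSUER = "https://example.okta.com"
CLIENT_ID = "A_CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://a.example/oidc/callback"
IDP_IDS = {"B": "IDP_ID_OF_B_PLACEHOLDER"}

# Only relative paths inside A are accepted as the post-login destination, so the
# redirect_to parameter cannot be abused as an open redirect.
ALLOWED_RETURN_PATHS = {"/", "/dashboard", "/reports"}

_pending = {}  # state -> {"nonce", "code_verifier", "return_to"}; consumed once

def query_params(url):
    """Return the query string of a URL as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def build_okta_authorize_url(idp_hint, return_to="/"):
    """Build the authorize URL A redirects to when the browser has no session.
    The idp parameter makes Okta hand the user straight to external IdP B instead of
    rendering its own login page; state, nonce and PKCE protect the redirect chain."""
    if return_to not in ALLOWED_RETURN_PATHS:
        raise ValueError("return_to is not an allowed path")
    idp_id = IDP_IDS[idp_hint]  # unknown hint -> KeyError; caller falls back to normal login
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    _pending[state] = {"nonce": nonce, "code_verifier": verifier, "return_to": return_to}
    query = {
        "client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256", "idp": idp_id,
    }
    return f"{OKTA_ISSUER}/oauth2/v1/authorize?{urlencode(query)}"

def validate_callback(callback_url):
    """Check the state on Okta's callback, consume it (one-time use) and return the
    pending record A needs to exchange the code and send the user to return_to."""
    params = query_params(callback_url)
    record = _pending.pop(params.get("state"), None)
    if record is None or "code" not in params:
        return None  # unknown or replayed state, or no code: abort the login
    record["code"] = params["code"]
    return record
```

After the code exchange A must still verify the ID token's `nonce` against the stored value before creating its session.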