Hello.
I’m doing research on whether it’s possible to integrate our custom iOS/macOS (and possibly Windows) apps to authenticate with Okta. I’ve been reading the docs a lot and following some examples, but I still have some questions.
I already have a proof-of-concept macOS app that authenticates with my Okta dev app using the Swift Authentication SDK. But that’s where my questions begin.
Our frameworks work with users maintained in our own database that hold information about the resources that a user can access.
I understand that Okta will hold the user information. After being authenticated, is there a way to put information about the user in the Okta app that can be cross-checked with our database? I’ve been reading about the authorization framework, but its workflows still don’t look like something I can use.
I’d appreciate it if someone can help me, or point me to the correct documents or examples to follow.
Okta can do both authentication and authorization if you load all your information from the DB into it. Then inside Okta you can manage access to your different resources. This way you will have centralized management both for authentication and authorization purposes.
In your particular request, it’s not clear to me what type of information you would like to include in Okta’s response. If you are just doing authentication, there is no application context at this moment (unless you try to use so-called “embedded links”, which represent a specific application). There are ways to initiate a sign-in process into Okta’s application (OIDC or SAML), but then I’d return to my first paragraph: why don’t you want to put all the info into Okta, so that it decides if a user can access a particular application?!
Also, if you send a user to Okta for authentication, don’t you know by that time what URL the user tried to access, when you intercepted him being unauthenticated?
I’d say you need to draw a diagram of all the components you are planning to have and understand what role each one will play in your system.
The idea is simple: we have our own service and we administer our users internally. But then there is this client that manages his users with Okta and is asking if we can integrate with them. I already explored authenticating Okta users; that is quite simple. But it’s not clear to me what to do with that. I was thinking of a way to “link” the Okta user with a user in our database, but from several angles that doesn’t look like a good idea.
In short, because of the nature of our service we need the user to exist locally, I don’t see us exporting our user database somewhere else. Then, what is the recommended framework or workflow that we could use for this case?
I’d say then, use Okta only for authentication/IdP to get trusted information about who the user is, and then match this user against your database to get what the user is allowed (authorization). That will require matching of course; hopefully you can do it based on usernames/logins. If not, then you would need some sort of syncing and/or SCIM/OPP provisioning to maintain the sync in the future.
As for the “app info” you asked about: don’t you know which application a user tries to access when they come to you? If so, then all you need is “verified” identity information from Okta (OIDC/SAML) and your database with authorization information.
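As an added example (not code from either poster or from Okta), here is what the pattern in the last reply looks like on the service side: the ID token claims come from Okta, the local database stays the source of truth for what the user may access, and the two are joined on the login. It assumes the app requested the `profile` scope so `preferred_username` is present, that the OIDC library has already verified the token signature, and that the issuer, client id and user table below are constructed placeholders.

```python
import time

# Constructed stand-in for the poster's own user database:
# login -> resources that user may access. Only users present here get in.
LOCAL_USERS = {
    "alice@example.com": {"resources": {"reports", "billing"}},
    "bob@example.com": {"resources": {"reports"}},
}

# Assumed values; replace with the real Okta authorization server and app client id.
EXPECTED_ISSUER = "https://dev-000000.okta.com/oauth2/default"
EXPECTED_AUDIENCE = "0oaEXAMPLEclientid"


def login_from_id_token(claims, now=None):
    """Check the claims of an already signature-verified ID token (issuer,
    audience, expiry) and return the Okta login, or None if anything is off."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return None
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return None
    if claims.get("exp", 0) <= now:
        return None
    login = claims.get("preferred_username")
    return login.lower() if login else None


def authorize(claims, resource, now=None):
    """Join the verified Okta identity to the local record and decide on `resource`.
    An Okta user with no local record is denied, not auto-created: the local
    database, not the IdP, says what a user is allowed to do."""
    login = login_from_id_token(claims, now)
    if login is None:
        return False
    user = LOCAL_USERS.get(login)
    if user is None:
        return False
    return resource in user["resources"]


# Constructed sample of decoded ID token claims for the user above.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "00uEXAMPLEsubject",
    "preferred_username": "Alice@example.com",
    "exp": 4102444800,  # far future so the sample stays valid
}
```

The `resource` argument is the "app info" the reply refers to: the service already knows what the user is trying to reach, so only the identity needs to come from Okta.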