I recently submitted my first OIN app and one of the questions was “Is your app considered a “Big Bang”? This means you don’t allow username password logins once SSO is enabled.”
The answer is yes or that is our intention at least. The method for doing is the problem. I have worked with Okta support and they told me there is no way out of the box to do this. I am really skeptical that Okta would ask this question via the OIN submission form but not have it as a feature for Service Providers.
Is there a way, once a user is associated with an IdP, to not allow them to login via username and password? We do already use IdP discovery policies but there are places (native desktop app) where we can’t do this and thus want to basic auth there.
A Big Bang SSO means that your application will not allow the usage of credentials once the SAML connection is established. Once SAML is configured, mutual customers would need to go through Okta in order to authenticate to your application.
If you would like to have the other way around, where an application is the identity provider for your Okta users, then you can do the following:
set your application as SAML Identity Provider
set a random password for all Okta users
deactivate self service password recovery
In this way, users will need to authenticate via the SAML identity provider in order to access the Okta tenant.