We currently manage our users in a DB. They sign in using all kinds of methods (Google Sign-In, passwordless, etc.), and we just add a field noting how they signed up. I am trying to add a customer’s Okta authorization servers as an IdP to my Okta org, as another way for users there to sign up/in to our app, hoping to give them an SSO experience. Am I doing something totally wrong? An Okta developer success engineer told me I should stop using Okta (caps, bold and emphasis are his):
If you are planning to use a managed DB to manage all of your identities, then STOP using Okta now. Okta is meant to manage and handle ALL THE IDENTITIES OF ALL OF YOUR USERS. Again, if you were to use Okta, OKTA WILL MANAGE ALL OF YOUR IDENTITIES. This requires a signed contract in place with Okta, and again, Okta will manage and handle ALL identities from your application. I would highly recommend doing some more research into Single Sign-On, the OpenID Connect protocol vs. the SAML protocol, and how identity providers work, before continuing down this path. You will need basic fundamental knowledge of how federated identity works in a SaaS enterprise application first.
What are my options, if I am to stop using Okta? Can this (keeping our current user identities in our DB while using Okta for some users) be achieved with Auth0 or Cognito? Or do I have to write my own software to implement OpenID Connect “natively”, i.e. not using Okta? (The engineer defined it as follows; caps, bold and emphasis are his):
Supporting OIDC natively means that you BUILD OIDC into your app. By using the Okta API (which you’re doing right now), you’re testing the Okta API, which is BUYING an OIDC implementation to put into your app. Therefore, I can tell you right now, you’re not supporting it natively. You have not built anything. You are simply using our product to enable OIDC in your app, which will eventually require you to pay for the product. Again, you will need to BUILD OIDC into your app NOT USING OKTA. By using Okta, you are BUYING OUR PRODUCT and USING IT to ENABLE OIDC and other Single Sign-On mechanisms.
To recap: Your app is NOT natively supporting ANY federated single sign on mechanism.
Well. I had expressed that I was OK with paying Okta. Anyway, any pointers are appreciated.
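The post asks what supporting OpenID Connect “natively” would involve while keeping app-owned user records in a DB with a field recording how each user signed up. As an added illustration (not code from the original post, from the Okta engineer, or from Okta), here is the relying-party side of an OIDC authorization-code login in Python: the outbound request carrying state, nonce and PKCE, the claim checks an RP must perform on the returned ID token, and the mapping of the federated identity to a local user record keyed on (issuer, subject) rather than on email. The IdP URLs, client_id, redirect URI and the UserStore class are placeholders/assumptions; the code-for-token exchange and the JWS signature check against the IdP's JWKS are assumed to be done by an HTTP/JOSE library and are not shown.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Hypothetical settings for one upstream IdP (a customer's Okta org, say).
# The URLs and client_id are placeholders, not real endpoints.
IDP = {
    "issuer": "https://customer.example.okta.com/oauth2/default",
    "authorization_endpoint": "https://customer.example.okta.com/oauth2/default/v1/authorize",
    "client_id": "example-client-id",
}
REDIRECT_URI = "https://app.example.com/callback"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def start_login(idp):
    """Build the authorization request (authorization code flow + PKCE).
    Returns the redirect URL and the values the RP must keep server-side,
    bound to the browser session, for the callback."""
    state = secrets.token_urlsafe(32)          # ties the callback to this session (CSRF)
    nonce = secrets.token_urlsafe(32)          # must come back inside the ID token (replay)
    code_verifier = secrets.token_urlsafe(64)  # PKCE secret, RFC 7636
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    params = {
        "response_type": "code",
        "client_id": idp["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    pending = {"issuer": idp["issuer"], "state": state, "nonce": nonce,
               "code_verifier": code_verifier}
    return idp["authorization_endpoint"] + "?" + urlencode(params), pending


def validate_id_token_claims(claims, pending, client_id, now=None):
    """OIDC Core 3.1.3.7 checks on the ID token's claims. Signature
    verification against the IdP's JWKS is assumed to have been done already
    (by a JOSE library); this function covers only the claim checks."""
    now = time.time() if now is None else now
    if claims.get("iss") != pending["issuer"]:
        raise ValueError("iss does not match the IdP we sent the user to")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise ValueError("aud does not contain our client_id")
    if len(auds) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not us")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != pending["nonce"]:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    if not claims.get("sub"):
        raise ValueError("sub missing")
    return claims


class UserStore:
    """Toy in-memory stand-in for an app-owned user DB: a users table plus a
    linked-identities table keyed on (issuer, subject)."""

    def __init__(self):
        self.users = {}       # user_id -> {"email": ..., "signup_method": ...}
        self.identities = {}  # (iss, sub) -> user_id

    def resolve(self, claims):
        key = (claims["iss"], claims["sub"])
        if key in self.identities:
            return self.identities[key]
        # First sign-in through this IdP: create a local user and record which
        # IdP they came from. Deliberately no auto-link to an existing account by
        # email: the email claim is whatever the upstream IdP asserts, and a
        # different IdP asserting the same address is not proof of ownership.
        user_id = "u%d" % (len(self.users) + 1)
        self.users[user_id] = {"email": claims.get("email"), "signup_method": claims["iss"]}
        self.identities[key] = user_id
        return user_id


def handle_callback(store, pending, returned_state, id_token_claims, client_id, now=None):
    """Callback step after the code has been exchanged (code_verifier sent
    along) and the ID token's signature verified: bind state, check claims,
    then map the federated identity to a local user."""
    if not secrets.compare_digest(returned_state, pending["state"]):
        raise ValueError("state mismatch")
    claims = validate_id_token_claims(id_token_claims, pending, client_id, now)
    return store.resolve(claims)
```

The part a hosted provider (Okta, Auth0, Cognito) or an OIDC client library does for you is everything in start_login and validate_id_token_claims plus the signature and token-endpoint handling left out above; the part that stays the app's own decision is UserStore.resolve, which is where a per-user "how they signed up" record lives. Keying linked identities on (iss, sub) is what lets several IdPs coexist alongside DB-managed accounts without one IdP's email claim being able to take over another account.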