Related to my other question which is unanswered Deferring OwinStartup call
When OwinStartup is called, the credentials are provided at that point. This is on app startup. This happens before (for example) any page_load events
As far as I can tell, this means your web app is married to those credentials until it terminates. Yet the most common use case in SAAS applications will be where Client A has their own okta account, and Client B also has their own okta account, and the same instance of your SSO app would have to serve client A and client B. So how can you do this when the creds are provided one-time on app initialisation ?