I have successfully implemented support for SSO by OIDC, using the okta libraries for React. Following the docs here
Now, this saas app that I am working with, will also support SCIM so that has been implemented as well by following the docs here
From the intro of the SCIM docs:
Your Okta integration should use Single Sign-On (SSO) to initiate end-user authentication. Learn how to set up your integration with SSO in our Build a Single Sign-On (SSO) integration guide.
I assumed that I already had implemented support for that, but reading more closely it seems to not support OIDC SSO, is that correct? Do I need to change my OIDC implementation to SAML to get this to work? And in that case, do I need to remove the react libraries that Okta provides, as I also guess that those only support OIDC? Why is Okta recommending to use OIDC in the first place, without mentioning limitations as this?
Hello,
If you are building an application for the Okta Integration Network (OIN), both OIDC and SCIM are supported.
As you go through the various pages, Prepare Your Integration, Create your Integration, etc make sure that in the Instruction For dropdown you choose OIDC.
And I wonder if my application does already meet this criteria or not:
Your Okta integration should use Single Sign-On (SSO) to initiate end-user authentication. Learn how to set up your integration with SSO in our Build a Single Sign-On (SSO) integration guide.
Hi @generti! Are you looking to submit your application to our Okta Integration Network (our apps marketplace) for ALL Okta users to use - https://oinmanager.okta.com/.
Yes I guess so. I want end users of the saas application I work on to be able to use this integration, so I guess that it has to be supplied to OIN then?
Apologies for the confusion, we’ll need to update our docs specifically on that step, but for now please choose SAML without configuring for it and proceed with your SCIM server setup. Upon submission, you can submit your OIDC and SCIM app separately and from there, our team will merge the two apps into one before publishing it to the OIN.
So when I have the OIDC and SCIM integrations ready, is there any connection between the two? Or is it assumed that my application takes care of, for instance, only allowing existing users (which has been added through SCIM) to be able to login with OIDC?
I guess that in the settings of the OIDC setup at Okta I can allow all users to login. And then in my application, after the user has been signed in with OIDC, I check whether the user actually exist in the application or not. If it does, it is allowed to proceed.
@generti right, two separate integration one to provision users and one to sso/sign-in users. They are connected in a sense via Okta when you assign the provisioned users to the app.