Doubts regarding adding users to SPA app

Hi there,

I was checking this guide:

But having issues with the “Assign users” concept.
I have a developer account and for what I understand there are two “assignation” modes:
-If the Federation broker mode is active, for what I understand every Okta user can log-in and it’s my app the one in charge of either accepting or declining the user after that
-If it is disabled, I need to manually assign either people or groups

In that second case, only users and groups under my developer account are listed. However, next steps are:

  1. Sign out of your administrator account in your development org. Click Sign out in the upper-right corner of the Admin Console.
  2. Sign in to the Okta End-User Dashboard as the regular user that was assigned the integration.

How am I supposed to test/make it available to other users&orgs if I only can add users from my dev org? I already have a trial end-user account created but don’t know how to interact with my app.

You can only ever assign/allow users to access an app if they are in the Okta org in which this application exists. Users outside of your Okta org will not be able to use any apps within it unless they are JIT’d/created in that org.

If you don’t want to use Federation Broker Mode to give users in your org instant access to your app AND if the users are federated into your org from another Okta org (using Org2Org for example, or even from an external Identity Provider), you can assign the users to group when they are JIT’d and assign that group to the app so they can access the application.

Okay, understood. And how about that from the docs:

To support the potentially large numbers of Okta orgs accessing an authorization server through the OIN, an OIDC integration can’t use a custom authorization server, including the default server.

It means we cannot use the authorization server if we plan to make the app available in the OIN? How are we giving access to login with Okta to our customers (the reason we are integrating) which are already having SSO with Okta if not published in the OIN?

You will have to ensure you use the Org Authorization Server if you want to publish an OIDC app in the OIN.

Applications that are manually configured (application integration wizard) instead of added from the OIN do not have this limitation. Keep in mind though, that your customers may not be licensed to be able to use a custom authorization server. This requires that the customer’s org have a certain add-on SKU, API Access Management. This is why the OIN has this requirement/stipulation: to ensure your OIN app will work for all Okta orgs, it must use an authorization server available to all orgs. Aka, the Org Authorization Server.