How do we integrate Okta SSO with dev/test/staging environments?

Hi! Apologies if this question has already been answered here and I missed it, but I had a question about what the recommendation is for integrating SSO with production vs. dev/test/staging environments.

I’ve had some trouble getting an understanding of what Okta recommends here. Should we be using the Okta sandbox? Does it offer the same security as the production Okta account? Or, should we potentially have two clients set up–one for production and one for the other environments? What have others done? We want non-prod environments to be as secure as the production environment.

Thanks in advance!

Alina

Both .oktapreview.com and .okta.com are equally secure 🙂 Preview has some limitations. But you can always have your non-prod environments created in .okta.com.

Great, thanks for this information! If it’s appropriate to set up non-prod environments with .okta.com rather than the sandbox, would the best way to do that be to have two clients (one for prod and one for non-prod environments)? I assume we want to avoid having both prod and non-prod environments using the same client secret.

Sure, you can have different client apps in different environments. Would be a terrible idea to accidentally leak production secrets during development/testing.

Just keep in mind that .oktapreview.com is free, though you’d have to pay for .okta.com. So think twice 🙂

Hi! I’m a bit confused–if my organization already pays for .okta.com, would there be an extra cost for integrating an additional client? I didn’t think there were additional charges for adding clients.

A reason I’m interested in using .okta.com for non-prod environments is because we would need to load our users into the sandbox and users would need different sandbox credentials. But if that’s the best practice, I definitely want to follow the best practice.

I think we may be talking about different things. Here is the scheme I mentioned:

  • you have 2 Okta orgs, one in .okta.com as your production and one in .oktapreview.com as your non-production
  • you need to clarify what you mean by “client”; if it’s an application inside an Okta org, then you don’t have to pay extra, you can have as many of those in your prod as you need, not sure if there is a limit in preview though

I would not necessarily say it’s “best” practice. It’s just one of the applicable models. As I said, there might be some limitations in .oktapreview.com for a number of things you can create. Better to consult Okta support.

I’ve worked with clients who paid for an extra .okta.com organization and had it as their TEST/UAT environment.

Hi! Yes, my use of “client” was confusing. The schema I’m interested in is having two applications on a single .okta.com organization, one for my site’s production environment and one for my site’s test environment.

Can you confirm this is an appropriate model?

I really appreciate your responses here–this has been so helpful!