How to get user role during OIDC OAuth flow

Hi Okta,

I have a multi-tenant SaaS application and I would like to add Okta SSO as a login option for my users. One requirement we have is that we support this for our admin application and we must check that the user who is signing in is also the Admin of their Okta workspace. I have tried adding okta.roles.read to my OAuth scopes but it appears that this isn’t allowed. How can I check that the user is an admin before I create an account for them and sign them into my application?

For what it’s worth, it is trivial to do this with Google and Microsoft OAuth APIs. I see some documentation about setting up an API Service Integration but my concern is that this kind of treats the integration as single tenant and there will be a lot of overhead to set up a new service integration for each client.

Thanks in advance.

Hi Okta, any update here?

okta.roles.read would be the necessary scope to make an API call to get user admin roles, but the token must have Super Admin permissions to use this endpoint.

When you/your application makes this call, is it making it on behalf of the user or do you use a Service app with admin permissions?

Hi, thanks for the response. Yes, I’m requesting that role and specifically want to know if the admin is a super admin. We are trying to make this request on behalf of the user. A service app takes a lot of work on both our side and our clients’ side to set up, so we’d like to just use OAuth and standard APIs, if possible.

Then you will not be able to call the /roles endpoint to confirm if a user is an admin, unless they are a super admin. For security reasons, only Super Admins can add, remove, or view administrators in an org.

See our Standard administrator roles and permissions doc for more details.

Yes, that makes sense. I was still struggling to call this endpoint using the Super Admin’s credentials though. I have two use cases:

  1. Single sign on for self serve onboarding onto my admin app. For this flow, I want to check that they are a super admin of Okta before I provision a new account for them (i.e. one of their employees should not be able to make an account with us – just the super admin). Is this possible with standard OAuth and using the super admin’s token to make calls to the roles API? Or do I need to use a service account integration?

  2. I have an integration I would like to set up after the fact where a super admin can give us a separate auth token with permissions to hit the directories endpoint to pull the list of their entire employee list. Is this possible with standard OAuth and API calls? Or do I need to use a service account integration?

Thanks for your help!

Tokens issued to a super admin should work. Did you enable consent for the okta.roles.read scope on the OIDC app you created for this use case? Are you encountering a 403 when you call the /roles endpoint?
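The check the thread describes, as an added example that is not code from the thread or from Okta: after the OIDC login, call the roles endpoint with the user's own access token (requested with okta.roles.read) and provision the admin account only when the response shows an active SUPER_ADMIN assignment. It assumes the Okta user id is the ID token's `sub` claim, uses a placeholder org domain, and treats the 403 mentioned above as "not a super admin" rather than as an error.

```python
import json
import urllib.request
from urllib.error import HTTPError

# Assumed: OIDC login already produced an access token requested with the
# okta.roles.read scope (consent enabled on the OIDC app), and user_id is the
# Okta user id taken from the ID token's "sub" claim.
OKTA_DOMAIN = "https://example.okta.com"  # placeholder, not a real tenant


def fetch_roles(okta_domain, user_id, access_token, urlopen=urllib.request.urlopen):
    """GET /api/v1/users/{id}/roles using the signed-in user's OAuth access token.

    Returns (status, roles). Only super admins may view admin roles, so a 403
    is a normal outcome here (the user is not a super admin) and is reported
    instead of raised; any other HTTP error still propagates.
    """
    req = urllib.request.Request(
        f"{okta_domain}/api/v1/users/{user_id}/roles",
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )
    try:
        with urlopen(req) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        if err.code == 403:
            return 403, []
        raise


def is_super_admin(roles):
    """True only if an ACTIVE SUPER_ADMIN role assignment is present."""
    return any(r.get("type") == "SUPER_ADMIN" and r.get("status", "ACTIVE") == "ACTIVE"
               for r in roles)


def may_provision_admin_account(status, roles):
    """Fail closed: provision only on a 200 whose body shows SUPER_ADMIN."""
    return status == 200 and is_super_admin(roles)


# Constructed sample response, not captured from a real org.
SAMPLE_ROLES = [{"type": "SUPER_ADMIN", "status": "ACTIVE"}]
```

An employee who is not a super admin gets a 403 from the roles call, so `may_provision_admin_account` returns False for them without any special-casing in the sign-up flow.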
