Hi,
I’m working on a SaaS application that currently supports three authentication methods: traditional username/password, and social logins via Microsoft and Google.
Now, some of our customers are requesting Okta support. I’ve already implemented an OIDC authentication flow with Okta, but it only works for users within my Okta tenant. External users from other organizations are unable to log in.
What I need is a multi-tenant authentication setup where users from different organizations can sign up and log in using their own Okta tenants.
Here’s the authentication flow I’m considering:
- A company admin signs up for our SaaS platform and creates an organization.
- From their Okta dashboard, the admin adds our app via the Okta Integration Network (OIN) and obtains an `OKTA_CLIENT_ID` and `OKTA_CLIENT_SECRET`. (Is this step actually possible?)
- In our app, on the organization settings page, we provide a section for Okta integration where the admin can input their Okta credentials.
- The admin continues logging in with their own username/password (or via another method).
- All other users from that organization, based on their email domain, are redirected to log in via the organization’s Okta login.
I’d like to validate whether this approach is feasible and aligns with best practices. Specifically:
- Is step 2 (self-service integration via OIN and obtaining credentials) something Okta supports for each organization?
- Does this flow make sense, or is there a better approach for enabling multi-tenant Okta authentication in a SaaS environment?
Any guidance or examples would be much appreciated!
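The email-domain routing and per-organization token check described in the post above, as an added example that is not the poster's code: each organization stores its own issuer and client credentials, a login email is mapped to its organization, and the ID token's `iss`/`aud` are checked against that organization so a token from another tenant cannot log into it. Tenant hostnames, client values and the `/v1/authorize` suffix are constructed assumptions (the real endpoint comes from the issuer's discovery document).

```python
from dataclasses import dataclass
from urllib.parse import urlencode
import time

@dataclass(frozen=True)
class OrgOidcConfig:
    """Okta settings an org admin enters on the organization settings page."""
    org_id: str
    issuer: str           # the organization's own authorization server (constructed)
    client_id: str
    client_secret: str    # encrypt at rest, never log; only used server-side
    email_domains: frozenset  # domains the org has proven it owns

# Constructed sample organizations, not real Okta tenants.
ORGS = {
    "acme": OrgOidcConfig("acme", "https://acme-demo.okta.com/oauth2/default",
                          "acme-client-id", "acme-secret", frozenset({"acme.example"})),
    "globex": OrgOidcConfig("globex", "https://globex-demo.okta.com/oauth2/default",
                            "globex-client-id", "globex-secret", frozenset({"globex.example"})),
}

def resolve_org(email: str):
    """Map a login email to the organization whose verified domain matches it."""
    domain = email.rsplit("@", 1)[-1].lower() if "@" in email else ""
    for org in ORGS.values():
        if domain in org.email_domains:
            return org
    return None  # no match: fall back to password / Microsoft / Google login

def build_authorization_url(org, redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization Code request against the organization's own issuer.
    Assumes the {issuer}/v1/authorize layout; read authorization_endpoint from
    {issuer}/.well-known/openid-configuration in production."""
    params = {"client_id": org.client_id, "response_type": "code",
              "scope": "openid profile email", "redirect_uri": redirect_uri,
              "state": state, "nonce": nonce}
    return f"{org.issuer}/v1/authorize?{urlencode(params)}"

def validate_id_token_claims(claims: dict, org, nonce: str, now=None) -> bool:
    """Claim checks to run after the JWT signature is verified against the
    organization's JWKS. iss and aud must match the org the user was routed to,
    and the asserted email must belong to that org's verified domains."""
    now = time.time() if now is None else now
    email_domain = claims.get("email", "").rsplit("@", 1)[-1].lower()
    return (claims.get("iss") == org.issuer
            and claims.get("aud") == org.client_id
            and claims.get("nonce") == nonce
            and claims.get("exp", 0) > now
            and email_domain in org.email_domains)
```

The `state` and `nonce` values must be generated per login attempt and stored in the session; signature verification itself is left to an OIDC/JWT library keyed by the organization's JWKS.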