Implementing a simple OIDC SSO with user provisioning

Hi all,

  • note: since I am a new user, the forum system would not let me put more than 2 links. The links it recognizes are part of the id token I’m getting when working, so to work around that I used h_ttps instead of https and prefixed email addresses with a “!” sign.

We are implementing SSO for our product using Okta. Our product is an enterprise grade web based system written with Angular (Frontend) and Django (Python, Backend). For the first part, I would like to implement a flow where Login is initiated on Okta using a tile (chiclet), that is, a user is logged into Okta and launches the App using a tile.

I created a tile in my developers account and when I clicked it, my test web server got the id token mentioned below (I decrypted the JWT):

Questions:

  1. How do I know the tenant ID? Our system is multi-tenant so I would need to use some sort of tenant mapping. The most straightforward way I see is using the subdomain of the “iss” field - in the JWT written below - “dev-391102” would be the tenant name I would use to match into our system DB. Is this the way to get this info? If not, what is the correct way? Also, what should I ask the customer for to get this information? Their Okta account name?
  2. After I validate the token and I can match the user (using email) and the tenant (using the correct method) I can log the user in. If a user is then removed from the list of users allowed to use the application - how would my app know that in order to invalidate the session and log him out? Do I get a message from Okta? How does it work? (this is related to next question, namely, provisioning)
  3. User provisioning - How does it work with this flow? Does Okta and OIDC support SCIM? In our app we have different groups for permission control. I know that there are protocols to control this automatically, for example, mapping groups from Okta to groups in the application. How is this done? In the id token I couldn’t find a clue to what group the user comes from.
  4. And finally, I would need to implement a flow where the login is initiated from our system. How is it different?

family_name: Doe
aud: 0oaccbbmqmj6Lg4ng0h7
ver: 1
sub: 00uccf3k4dYjj3Dob0h7
locale: en-US
email_verified: True
zoneinfo: America/Los_Angeles
preferred_username: !john_doe@acme.com
updated_at: 1507536276
idp: 00occf3k1pXDxeXlD0h7
iss: h_ttps://dev-391102.oktapreview.com
jti: ID.WrzuZeSs6TjTbScfk7HhtYDPz9YM3UQSD2aCW-LYwsg
given_name: John
exp: 1507643003
auth_time: 1507639317
iat: 1507639403
amr: [u'pwd']
email: !john_doe@acme.com
name: John Doe
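
Here is an added Python example, not code from the original post or from Okta's SDKs, of the backend steps the first two questions describe: pick the tenant by exact-matching the `iss` claim against a registry of onboarded Okta orgs, and, only after the signature has been verified with that org's keys, check `aud`, `exp`, `iat`, `nonce` and `email_verified` before creating a session. The registry entries, the clock skew and the sample token (built from the claims listed above with the link obfuscation undone, and carrying a placeholder instead of a real signature) are all constructed for illustration; the RS256 signature check itself is left to a JWT library and is marked where it belongs in the flow.

```python
import base64
import json
import time

# Constructed registry of the Okta orgs onboarded to this multi-tenant app
# (values assumed for illustration).  The full issuer URL is the key: an
# exact-match lookup, not a parsed subdomain, decides whether a token is even
# eligible for signature verification against that org's JWKS.
TENANT_REGISTRY = {
    "https://dev-391102.oktapreview.com": {
        "tenant_id": "acme",
        "client_id": "0oaccbbmqmj6Lg4ng0h7",  # expected "aud" for this tenant
    },
}

CLOCK_SKEW = 60  # seconds of leeway on exp/iat (assumed)


class TokenRejected(Exception):
    pass


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_claims(id_token):
    """Split a compact JWT into (header, payload) WITHOUT checking the signature.
    The only thing to act on here is 'iss', and only to choose which
    registered tenant's JWKS the signature must then be verified against."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def resolve_tenant(issuer):
    """Exact-match 'iss' against onboarded tenants; anything else is refused
    before any request to the issuer is made."""
    tenant = TENANT_REGISTRY.get(issuer)
    if tenant is None:
        raise TokenRejected("unknown issuer %r" % issuer)
    return dict(tenant, issuer=issuer)


def validate_claims(claims, tenant, now=None, expected_nonce=None):
    """Claim checks for a token whose RS256 signature has ALREADY been verified
    with the JWKS of tenant['issuer'] (jwks_uri is advertised at
    {iss}/.well-known/openid-configuration).  Returns the identity to log in."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != tenant["issuer"]:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    if tenant["client_id"] not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("token was not issued for this client")
    if "exp" not in claims or now > int(claims["exp"]) + CLOCK_SKEW:
        raise TokenRejected("token expired")
    if "iat" not in claims or int(claims["iat"]) > now + CLOCK_SKEW:
        raise TokenRejected("token issued in the future")
    # App-initiated logins carry the nonce we generated; an Okta-initiated
    # (tile) login has none, so the caller passes expected_nonce=None there.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch")
    if not claims.get("sub"):
        raise TokenRejected("missing sub")
    if not claims.get("email_verified"):
        raise TokenRejected("email not verified by the IdP")
    return {
        "tenant_id": tenant["tenant_id"],
        # Key the local user on (iss, sub): 'sub' is the stable identifier,
        # while an email can be changed or reassigned inside the org.
        "user_key": "%s|%s" % (claims["iss"], claims["sub"]),
        "email": claims.get("email"),
    }


# Constructed sample: the claims posted above with the link obfuscation undone,
# packed into a compact JWT with a placeholder signature (parsing only).
SAMPLE_CLAIMS = {
    "iss": "https://dev-391102.oktapreview.com",
    "aud": "0oaccbbmqmj6Lg4ng0h7",
    "sub": "00uccf3k4dYjj3Dob0h7",
    "email": "john_doe@acme.com",
    "email_verified": True,
    "iat": 1507639403,
    "exp": 1507643003,
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"signature-omitted"),
])

if __name__ == "__main__":
    header, claims = unverified_claims(SAMPLE_ID_TOKEN)
    tenant = resolve_tenant(claims["iss"])
    # Production: verify the signature here with the tenant's JWKS (e.g. PyJWT
    # with the RSA key whose kid matches header['kid']) before going on.
    print(validate_claims(claims, tenant, now=1507640000))
```

Two points worth keeping from this: the local user record is keyed on the pair (`iss`, `sub`) and the email is only a display attribute, and nothing in an id_token tells the app later that the user was removed from the application in Okta, so session lifetime and a provisioning channel have to cover that case rather than the token.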

I wouldn’t say it is a dead forum; it is that the questions that you asked are somewhat advanced.

How do I know the tenant ID? Our system is multi-tenant so I would need to use some sort of tenant mapping. The most straightforward way I see is using the subdomain of the “iss” field - in the JWT written below - “dev-391102” would be the tenant name I would use to match into our system DB. Is this the way to get this info? If not, what is the correct way? Also, what should I ask the customer for to get this information? Their Okta account name?

Is it that your application is multi-tenant? Or are you using multiple Okta orgs?

For multiple Okta Orgs:
You would use the issuer to figure this out, because you will have different authorization servers per tenant.

For multitenant applications that use one Okta Org:
You would need to put the information on the user and create a default scope in your authorization server that puts this information in the id_token.

After I validate the token and I can match the user (using email) and the tenant (using the correct method) I can log the user in. If a user is then removed from the list of users allowed to use the application - how would my app know that in order to invalidate the session and log him out? Do I get a message from Okta? How does it work? (this is related to next question, namely, provisioning)

User provisioning - How does it work with this flow? Does Okta and OIDC support SCIM?

I’m unsure about this, we support SCIM for the Okta Integration Network - @mcguinness?

In our app we have different groups for permission control. I know that there are protocols to control this automatically, for example, mapping groups from Okta to groups in the application. How is this done? In the id token I couldn’t find a clue to what group the user comes from.

When you configure your authorization server you can configure scopes and claims, this is where you would map user information (and groups) to claims in tokens which your application could use.

And finally, I would need to implement a flow where the login is initiated from our system. How is it different?

With OIDC, it isn’t different: you either collect credentials in your application (for branding) or send the user to your Authorization Server’s authorize route to initiate the login.

Hope this helps,
Tom
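
An added Python example, my own rather than Tom's or Okta's code, of the two points in the reply: the app-initiated login, where the app sends the browser to the authorization endpoint with a `state`, `nonce` and PKCE challenge that it keeps in the session and checks on the way back, and the mapping of a `groups` claim configured on the authorization server onto the app's own permission groups. The endpoint, client ID, redirect URI and group names are assumed, and the token-endpoint exchange that follows the callback is outside the block.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed for illustration; in practice take authorization_endpoint from the
# tenant's {issuer}/.well-known/openid-configuration document.
AUTHORIZATION_ENDPOINT = "https://dev-391102.oktapreview.com/oauth2/v1/authorize"
CLIENT_ID = "0oaccbbmqmj6Lg4ng0h7"
REDIRECT_URI = "https://app.example.com/oidc/callback"  # assumed

# Assumed mapping from Okta group names (delivered in a "groups" claim that is
# configured on the authorization server) to this app's permission groups.
GROUP_TO_ROLE = {
    "acme-admins": "admin",
    "acme-users": "member",
}


class LoginFailed(Exception):
    pass


def pkce_challenge(code_verifier):
    """S256 method: base64url(sha256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_request():
    """Start an app-initiated login.  Returns (url, pending): redirect the
    browser to url and keep pending in the server-side session.  It binds the
    callback to this browser (state), the id_token to this login (nonce) and
    the code exchange to this client instance (code_verifier)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, inside PKCE's 43..128
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), pending


def authorize_params(url):
    """Query parameters of an authorize URL as a flat dict (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_callback(query, pending):
    """On the redirect back to REDIRECT_URI: reject IdP errors and any state
    that does not match the pending login in this session, then hand back what
    the token-endpoint exchange needs (the exchange itself is not done here)."""
    if "error" in query:
        raise LoginFailed("IdP returned error %r" % query["error"])
    if not secrets.compare_digest(query.get("state", ""), pending["state"]):
        raise LoginFailed("state mismatch: callback not started by this session")
    if not query.get("code"):
        raise LoginFailed("no authorization code in callback")
    return {
        "code": query["code"],
        "code_verifier": pending["code_verifier"],  # sent with the code exchange
        "expected_nonce": pending["nonce"],        # compared to the id_token nonce
    }


def roles_from_groups(claims):
    """Map a verified id_token's groups claim onto app roles.  Groups the app
    does not know grant nothing, and a missing claim grants nothing."""
    groups = claims.get("groups") or []
    return sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})


if __name__ == "__main__":
    url, pending = build_authorize_request()
    print(url)
    print(check_callback({"state": pending["state"], "code": "constructed"}, pending))
    print(roles_from_groups({"groups": ["acme-admins", "Everyone"]}))
```

The Okta-initiated (tile) login skips `build_authorize_request` entirely, which is why there is no `state` or `nonce` to check in that path; the rest (signature, `iss`, `aud`, expiry, group mapping) is the same for both entry points.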