Hi all,
- note: since I am a new user, the forum system would not let me put more than 2 links. The links it recognizes are part of the id token I’m getting when working, so to work around that I used h_ttps instead of https, and prefixed email addresses with “!” sign.
We are implementing SSO for our product using Okta. Our product is an enterprise-grade web-based system written with Angular (Frontend) and Django (Python, Backend). For the first part, I would like to implement a flow where Login is initiated on Okta using a tile (chiclet), that is, a user is logged into Okta and launches the App using a tile.
I created a tile in my developers account and when I clicked it, my test web server got the id token mentioned below (I decrypted the JWT):
Questions:
- How do I know the tenant ID? Our system is multi-tenant so I would need to use some sort of tenant mapping. The most straightforward way I see is using the subdomain of the “iss” field - in the JWT written below - “dev-391102” would be the tenant name I would use to match into our system DB. Is this the way to get this info? If not, what is the correct way? Also, what should I ask the customer for to get this information? Their Okta account name?
- After I validate the token and I can match the user (using email) and the tenant (using the correct method) I can log the user in. If a user is then removed from the list of users allowed to use the application - how would my app know that in order to invalidate the session and log him out? Do I get a message from Okta? How does it work? (this is related to next question, namely, provisioning)
- User provisioning - How does it work with this flow? Do Okta and OIDC support SCIM? In our app we have different groups for permission control. I know that there are protocols to control this automatically, for example, mapping groups from Okta to groups in the application. How is this done? In the id token I couldn’t find a clue to what group the user comes from.
- And finally, I would need to implement a flow where the login is initiated from our system. How is it different?
family_name: Doe
aud: 0oaccbbmqmj6Lg4ng0h7
ver: 1
sub: 00uccf3k4dYjj3Dob0h7
locale: en-US
email_verified: True
zoneinfo: America/Los_Angeles
preferred_username: !john_doe@acme.com
updated_at: 1507536276
idp: 00occf3k1pXDxeXlD0h7
iss: h_ttps://dev-391102.oktapreview.com
jti: ID.WrzuZeSs6TjTbScfk7HhtYDPz9YM3UQSD2aCW-LYwsg
given_name: John
exp: 1507643003
auth_time: 1507639317
iat: 1507639403
amr: [u'pwd']
email: !john_doe@acme.com
name: John Doe
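As an added illustration (not part of the post above, and not Okta's or the poster's code), the Python below shows the claim checks a Django backend would run on an id token like the one quoted, after the token's RS256 signature has already been verified against the issuer's published JWKS by a JWT library (that step is assumed to have succeeded and is not shown). It maps the token to a tenant by exact match of the full `iss` URL against a configured tenant table rather than by slicing out the subdomain, checks that `aud` contains the tenant's client_id and that `exp`/`iat` are sane, and returns `sub` alongside the email. The tenant table, the tenant name "acme", the `TokenRejected` class and the sample claims (copied from the token in the post, with the "!" prefix the poster added to the email address removed) are all constructed for this example.

```python
"""Claim validation for an Okta OIDC id token (added example, not from the post).
Assumes the JWT signature was already verified against the issuer's JWKS."""
import time

# Constructed tenant table: keyed by the exact issuer URL of the customer's
# Okta org, with the client_id of the app integration created in that org.
TENANTS = {
    "https://dev-391102.oktapreview.com": {
        "tenant": "acme",                      # hypothetical tenant name
        "client_id": "0oaccbbmqmj6Lg4ng0h7",   # aud value from the post
    },
}

# Sample claims constructed from the token quoted in the post.
SAMPLE_CLAIMS = {
    "iss": "https://dev-391102.oktapreview.com",
    "aud": "0oaccbbmqmj6Lg4ng0h7",
    "sub": "00uccf3k4dYjj3Dob0h7",
    "email": "john_doe@acme.com",
    "email_verified": True,
    "exp": 1507643003,
    "iat": 1507639403,
    "auth_time": 1507639317,
    "amr": ["pwd"],
}

CLOCK_SKEW = 60  # seconds of tolerance for iat slightly in the future


class TokenRejected(Exception):
    """Raised when a claim check fails; the caller must not create a session."""


def tenant_for_issuer(iss):
    """Resolve the tenant by exact issuer match.

    Matching the whole URL (scheme + host) instead of a parsed subdomain means a
    token from a look-alike host is rejected instead of being mapped to a tenant.
    """
    tenant = TENANTS.get(iss)
    if tenant is None:
        raise TokenRejected("unknown issuer: %r" % (iss,))
    return tenant


def validate_claims(claims, now=None, max_auth_age=None):
    """Check iss/aud/exp/iat (and optionally auth_time) and return the identity.

    Returns a dict with the tenant name, the stable Okta user id (sub) and the
    email. `sub` is the identifier to key the local user record on; email is
    mutable and should be treated as an attribute, not the primary key.
    """
    now = int(time.time()) if now is None else now
    tenant = tenant_for_issuer(claims.get("iss"))

    # aud may be a single string or a list; our client_id must be in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if tenant["client_id"] not in audiences:
        raise TokenRejected("aud does not contain this app's client_id")

    if int(claims.get("exp", 0)) <= now:
        raise TokenRejected("token expired")
    if int(claims.get("iat", now)) > now + CLOCK_SKEW:
        raise TokenRejected("iat is in the future")
    if max_auth_age is not None and now - int(claims.get("auth_time", 0)) > max_auth_age:
        raise TokenRejected("authentication is older than max_auth_age")
    if not claims.get("email_verified", False):
        raise TokenRejected("email address is not verified")

    return {
        "tenant": tenant["tenant"],
        "sub": claims["sub"],
        "email": claims["email"],
    }


if __name__ == "__main__":
    # Evaluate the sample at a time between its iat and exp.
    print(validate_claims(SAMPLE_CLAIMS, now=1507640000))
```

The session-revocation question in the post is not solved by these checks: an id token proves who authenticated at `auth_time`, so once the local session exists it lives by the app's own rules; a short local session lifetime, or re-running the login flow with `prompt=none` when it expires, is how the app learns that Okta no longer grants access.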