Integrate SSO with Single Page React app & node backend

I am new to Okta.
I need to provide SSO capability in our deployment with okta. We do separate frontend & backend deployments for our different clients. One of the clients wants SSO with okta. Currently we have a session based authentication mechanism with username & password. Our application is already built so a path of minimal friction would be helpful.

Some issues I am facing:

  1. Who manages the Okta auth server? Client or us?
  2. Do I need to create an app in a developer account? Do I need to publish to OIN?
  3. What auth flow will be used? PKCE?

I have read the docs repeatedly and am really having a hard time understanding how everything works together.

It might be helpful to contact a representative to go over the exact details of your current environment and what you need.

I assume that the customer who wants SSO with Okta already has an Okta Org? If that is the case, they would manage the auth server or an Okta resource and provide you the details to connect.

Publishing to the OIN is up to you. If your system will use SSO with Okta for more than one client, you would need a way to distinguish between the clients to make sure you use the correct Okta Org information for each client. If deployments are separate, with no shared processes, where each deployment has its own dedicated configuration, this would be easy. If your clients share a common environment and login page, there needs to be a way to distinguish.

As far as auth flow, when speaking of SPA applications, usually that would be PKCE. However, in most of those cases there is not a session-based mechanism with a backend. I assume in this case your SPA applications are authenticating with the Node backend and still require various services from the Node app after being authenticated? If that is true, then you most likely would want to do a code flow on a web app (your Node app) to mimic what you are currently doing. This way, after authentication with the Okta Org, your SPA and Node app could then use the same session mechanism they are now. I am assuming a lot about your setup here. Also, if you ever did plan to move your app to OIN, code flow is currently the only supported flow with a dedicated backend web server.

I do recommend speaking with a representative to go over your exact architecture and needs. Hope that helps some.