Learning about how to implement Org2Org

I’m new to Okta, and I’m looking for help to understand a few things. I’ve taken training, studied documentation, and watched pertinent Oktane videos. Okta support has been very patient as they answered my questions. I also searched the forum for similar topics before posting this. I’m interested in learning what the forum community knows from their experience.

My company uses Okta to authenticate external users to our first-party developed applications.

Users may be authenticating as individuals, or they may be associated with companies that we have relationships with.

I’ve been tasked with presenting a more integrated solution to one of these companies that will replace the current manual and burdensome process of managing their users on our Okta tenant.

Federation was suggested, but Okta support recommended Org2Org, because this company has their own Okta tenant. I’m not clear on the difference between Federation and Org2Org, and what the pros and cons are with each.

I understand that one big advantage with Org2Org is that the user will be deactivated on our side if disabled on the client side. This is a huge win for our security auditing process.

The user experience will improve, because they could log in with a bookmark app directly in their Okta tenant without having to authenticate separately to our Okta tenant.

I still have a few more questions from a developer on my team about how all of this works.

  1. How does the client using Org2Org decide which users to push to us, and how do we assign those users access to our applications? Workflows?

  2. Can the client send any extra info so that we can add the user directly to an app without manual intervention?

  3. If the client doesn’t push the user through and we end up creating the same user in our Okta, will both profiles merge when the client sends the user?

  4. When the client takes an action on the user, will that same action reflect in our Okta Tenant? I’m sure the answer to this is yes, at least for deactivated users.

  5. If we have MFA enabled and they don’t, which one takes priority and how does that work?

  6. What about tokens?

     a. Who decides the token timeout settings, the client’s Okta or our Okta?

     b. Is there anything we should know about tokens in the case of a federated user?

I think it would look like this: