Multi tenant application

Hello,
I have the following use case.
I have several organizations that want to use my application (SPA). The owners of these organizations must be able to register a new organization by email. Once the email has been verified and the organization has been unlocked, the owner must be able to create new users for their own organization. The username and password can be chosen freely by the owner (no email, e.g. Callagent1, Bob, etc.). The newly created users can then log in with the help of organization id, username and password.

How can I realize this with the help of your product? Which steps do I have to take?

Hi Unkis,
Have you got the answer for this question? I am also looking for the same thing.

No, unfortunately no

Hi @Unkis @NAMRATA

The organization registration can be treated as a group. When a user registers an organization, the group will be created in your Okta tenant and he will be assigned as a group administrator.

Group administrators are allowed, as mentioned here, to create and manage users that are in the group they are administrating.

By default, the username needs to be in the format of an email. To remove this restriction, you can go in Okta administrative panel to Directory/Users >> Profile Editor >> select “Okta” from sidebar >> Profile >> click on the information icon for Username >> change “Format restrictions” to “None”.

If you do not see the “Format restrictions” section, it means that the self service registration option has been enabled for your account. You will need to have it disabled in order to remove the email format restriction.

To remove the restriction, please send an email to support@okta.com and ask for the features SELF_SERVICE_REGISTRATION and UD_MAP_FIELD_TO_LOGIN to be disabled.

This operation consists of two main operations:

  • authenticate the user using the username and password
  • if authentication is successful, check the organization id provided by the user against the group he is part of (if they match, the user should be allowed access)
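As an added example (not code from this thread or from Okta), the two operations above written as a small Python back-end helper: it assumes the SPA posts org id, username and password to this back end, that each organization maps to an Okta group named `org-<org id>`, and that `OKTA_ORG_URL` / `OKTA_API_TOKEN` are supplied by the environment (placeholders here).

```python
import os
import urllib.parse

# Placeholders: the real values come from the deployment's environment.
OKTA_ORG_URL = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")
OKTA_API_TOKEN = os.environ.get("OKTA_API_TOKEN", "PLACEHOLDER_TOKEN")

def authenticate(username, password, transport):
    """Step 1: POST /api/v1/authn (Okta Authentication API). Only status SUCCESS counts;
    MFA_REQUIRED, LOCKED_OUT and error bodies are all treated as a failed login here.
    `transport(method, url, headers, json_body)` returns the decoded JSON response."""
    resp = transport("POST", f"{OKTA_ORG_URL}/api/v1/authn",
                     {"Content-Type": "application/json", "Accept": "application/json"},
                     {"username": username, "password": password})
    if resp.get("status") != "SUCCESS":
        return None
    return resp["_embedded"]["user"]["id"], resp["sessionToken"]

def user_groups(user_id, transport):
    """Step 2: GET /api/v1/users/{id}/groups with an API token; returns the group names."""
    url = f"{OKTA_ORG_URL}/api/v1/users/{urllib.parse.quote(user_id)}/groups"
    headers = {"Authorization": f"SSWS {OKTA_API_TOKEN}", "Accept": "application/json"}
    resp = transport("GET", url, headers, None)
    return {g["profile"]["name"] for g in resp} if isinstance(resp, list) else set()

def login_to_tenant(org_id, username, password, transport):
    """Grant access only if the password is valid AND the user is in the tenant's group
    (assumed to be named "org-<org_id>"). 'reason' is for server-side logs only: send
    the client one generic failure so it cannot learn which tenant a username is in."""
    auth = authenticate(username, password, transport)
    if auth is None:
        return {"ok": False, "reason": "invalid_credentials"}
    user_id, session_token = auth
    if f"org-{org_id}" not in user_groups(user_id, transport):
        return {"ok": False, "reason": "not_in_organization"}
    return {"ok": True, "session_token": session_token}

def fake_okta(method, url, headers, body):
    """Constructed stand-in for the two Okta calls (response shapes follow the real API),
    so the flow runs offline: one user "Bob" (id 00u1) who is a member of org-acme only."""
    if url.endswith("/api/v1/authn"):
        if body == {"username": "Bob", "password": "correct horse battery staple"}:
            return {"status": "SUCCESS", "sessionToken": "tok-sample",
                    "_embedded": {"user": {"id": "00u1"}}}
        return {"errorCode": "E0000004", "errorSummary": "Authentication failed"}
    if url.endswith("/api/v1/users/00u1/groups"):
        return [{"profile": {"name": "Everyone"}}, {"profile": {"name": "org-acme"}}]
    raise ValueError(f"unexpected request: {method} {url}")
```

`fake_okta` is only the constructed stand-in; in production pass a real HTTP transport with the same signature. Note that Okta requires the login name to be unique across the whole Okta org, so the group check confirms membership but does not by itself let two organizations each have a plain "Bob".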

Thanks a lot for your answer. i have one question more.

This operation consists of two main operations:

  • authenticate the user using the username and password
  • if authentication is successful, check the organization id provided by the user against the group he is part of (if they match, the user should be allowed access)

Users with the same username can exist in different groups. How should this work with the “two main operations”?

thx.

Any updates regarding this?

@dragos, how could I connect to an external IdP (including Okta) for a particular tenant instead?

It will allow me to have groups, users, and so on for that particular tenant.

I guess I would need some Okta tenant for my customers as well.

User would need to specify the group name after authentication, which should provide uniqueness (combination of user + password and user in group membership).

At the moment, limiting the identity provider to a particular group is not possible. The identity provider will be applied globally on the Okta organization.