We are trying to develop an SSO authentication system for a suite of our applications that would be used by our customers coming from various companies. We wanted to understand the options to set up multi-tenant authentication where each tenant could bring their own IdPs, which our applications can authenticate against.
The specific points we want to understand are:
- How do I isolate one tenant's users & groups from other tenants? Is there something like an authentication realm or pool that I need to set up?
- Can I configure upstream IdPs for a given tenant so that they are redirected to their IdP for login while Okta issues authentication tokens/assertions to downstream applications we build?
- Does Okta provide ways to configure tenant-specific URLs which can be used to start the authentication process?
- Finally, is there support for multiple upstream IdPs for a given tenant? For example, some of our customers have different IdPs for their users from different regions. Is this supported in Okta?