Multi-Tenant Authentication with Tenant-specific IdPs

We are trying to develop an SSO authentication system for a suite of our applications that would be used by our customers coming from various companies. We wanted to understand the options to set up multi-tenant authentication where each tenant could bring their own IdPs which our applications can authenticate against.

The specific points we want to understand are:

  1. How do I isolate one tenant's users & groups from another tenant's? Is there something like an authentication realm or pool that I need to set up?
  2. Can I configure upstream IdPs for a given tenant so that they are redirected to their IdP for login while Okta issues authentication tokens/assertions to downstream applications we build?
  3. Does Okta provide ways to configure tenant-specific URLs which can be used to start the authentication process?
  4. Finally, is there support for multiple upstream IdPs for a given tenant? For example, some of our customers have different IdPs for their users from different regions. Is this supported in Okta?
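The four points above describe a home-realm discovery design: pick the tenant first (from a tenant-specific URL or the user's email domain), then pick one of that tenant's upstream IdPs by region, and stamp the tenant into whatever assertion is issued downstream so an application can refuse tokens from the wrong realm. The following Python is an added illustration of that model written for this thread; it is not Okta's API or code, and every tenant, domain, region and IdP endpoint in it is a constructed sample value.

```python
"""Tenant-aware IdP routing (added example, not Okta's API).

Each tenant is its own realm with its own users/groups and one or more upstream
IdPs keyed by region. Selecting the realm from the login URL or email domain
before any IdP is chosen is what keeps tenant A's users from ever being sent to
tenant B's IdP. All names, domains and endpoints below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class UpstreamIdP:
    name: str
    protocol: str      # "saml" or "oidc"
    entrypoint: str    # the tenant's SSO endpoint (constructed sample)


@dataclass
class Tenant:
    slug: str                           # appears in the tenant-specific login URL
    email_domains: frozenset[str]       # domains this tenant is allowed to claim
    idps_by_region: dict[str, UpstreamIdP]
    default_region: str
    groups: set[str] = field(default_factory=set)   # tenant-scoped groups


class TenantRegistry:
    """Realm lookup by URL slug or email domain; a domain belongs to one tenant only."""

    def __init__(self) -> None:
        self._by_slug: dict[str, Tenant] = {}
        self._by_domain: dict[str, str] = {}

    def add(self, tenant: Tenant) -> None:
        if tenant.slug in self._by_slug:
            raise ValueError(f"duplicate tenant slug {tenant.slug!r}")
        for domain in tenant.email_domains:
            if domain in self._by_domain:
                raise ValueError(f"{domain} already claimed by {self._by_domain[domain]}")
        self._by_slug[tenant.slug] = tenant
        for domain in tenant.email_domains:
            self._by_domain[domain] = tenant.slug

    def tenant_from_login_url(self, url: str) -> Tenant:
        # Tenant-specific start URL of the form https://host/t/<slug>/start
        parts = [p for p in urlparse(url).path.split("/") if p]
        if len(parts) < 2 or parts[0] != "t":
            raise LookupError("not a tenant-specific login URL")
        return self._by_slug[parts[1]]

    def tenant_from_email(self, email: str) -> Tenant:
        domain = email.rsplit("@", 1)[-1].lower()
        return self._by_slug[self._by_domain[domain]]

    @staticmethod
    def select_idp(tenant: Tenant, region: Optional[str] = None) -> UpstreamIdP:
        # Region-specific IdP if the tenant has one, otherwise the tenant default.
        fallback = tenant.idps_by_region[tenant.default_region]
        return tenant.idps_by_region.get(region or tenant.default_region, fallback)


def issue_assertion(tenant: Tenant, idp: UpstreamIdP, subject: str) -> dict:
    """Broker-issued assertion for downstream apps; the tenant claim is mandatory."""
    return {"iss": "https://login.example.com", "sub": subject,
            "tenant": tenant.slug, "upstream_idp": idp.name}


def accept_assertion(expected_tenant: str, assertion: dict) -> bool:
    """Downstream check: reject any assertion minted for a different realm."""
    if assertion.get("tenant") != expected_tenant:
        raise PermissionError("assertion belongs to another tenant")
    return True


def build_sample_registry() -> TenantRegistry:
    reg = TenantRegistry()
    reg.add(Tenant(
        slug="acme", email_domains=frozenset({"acme.example"}), default_region="us",
        idps_by_region={
            "us": UpstreamIdP("acme-us-oidc", "oidc", "https://idp-us.acme.example/auth"),
            "eu": UpstreamIdP("acme-eu-saml", "saml", "https://idp-eu.acme.example/sso"),
        }))
    reg.add(Tenant(
        slug="globex", email_domains=frozenset({"globex.example"}), default_region="us",
        idps_by_region={
            "us": UpstreamIdP("globex-saml", "saml", "https://sso.globex.example/saml"),
        }))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    t = reg.tenant_from_login_url("https://login.example.com/t/acme/start")
    print(t.slug, reg.select_idp(t, "eu").entrypoint)
```

The two things worth copying from this model are that a tenant is resolved before an IdP is ever chosen (so the routing table cannot leak across realms), and that the downstream assertion names the tenant explicitly so each application verifies it is talking to the realm it expects rather than trusting the issuer alone.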

It appears Okta Identity Engine may solve part of this with the feature:

Different sign-in branding based on subsidiary

I also expect more to be announced on this during Oktane Live in a few weeks:

Thanks @Govner for sharing that. I wanted to understand if Okta Organizations is another possible way to do what we were thinking. Is it possible to define multiple organizations under one Okta account and have each organization maintain its own set of users, groups and upstream IdP configurations?

Yes, definitely. You can have a discrete tenant (Org) for each, and if you need to link these together there is an Org2Org connector:

https://saml-doc.okta.com/Provisioning_Docs/Okta-Org2Org_Provisioning.html

Govner, can you provide a few more details:

  1. I currently have an Okta free plan with one organization. Where could I set up additional organizations under this account?
  2. Are there any restrictions on the number of organizations per account?
  3. Can organization setup be automated via APIs or SDKs?
  4. So for every organization, are there 3 environments provisioned, one each for development, staging and production?