Multi tenant SP app with Authentication at Ext. IDP and Authz on SP

Hello Everyone,

We have a multi tenant application(Non-SPA) with the requirement of

  1. Delegating authentication activities to external user authentication platforms but with a common IDP Gateway(May be using an IDP Discovery process)
  2. Assert the identity to Service Provider
  3. Need to perform authorization on the Service provider side and communicate the Authz info to backend service provider application. This is like a complete user access level authorization decisions that needs to be received from Okta SP engine with all scopes added in tokens.

Can someone help with best supported architecture here? Does the below options help in achieving above requirements.

  1. Customer IDP <–SAML–> Okta IDP Discovery <–SAML–> Okta SP <–OIDC, OAuth2–> Backend Application
  2. Customer IDP <–SAML–> Okta SP <–OIDC, OAuth2–> Backend application


1 Like