Need for Multi Tenant Solution - Is this even possible? Help needed

Hi,

I would like to become a service provider for Okta’s users, and I believe I should have my own integration app which will allow access to customers’ Okta orgs via the API after receiving their approval. The ideal solution would be an app with an OAuth 2.0 flow, in which the customer reviews the requested scopes and can approve my app.

Here is a description of what I want to achieve:

There are Company A and Company B:

  • Company A already has an established Okta organization, with all Okta-specific entities: users, groups, apps, lifecycle management settings, etc.

  • Company A becomes a client of Company B,

  • Company A’s admin wants to grant access to Company B, so it can read all data via API calls - data like the mentioned Users, Groups, Apps, Policies, Custom Roles, etc.

And now the question is: how can one company give access to another one?

Creating a new app in the org directory with one user that will be a “middleman”, and with all read accesses, is not an option, because the solution must be scalable. The best scenario would be:

  • Company A’s admin connects (somehow) with Company B,
  • this admin indicates that he agrees to Company B’s access,
  • and that’s all (maybe this admin will have to pass some credentials from Company B to his own Company A org).

AND WHAT IS IMPORTANT - the flow of this integration is OAuth 2.0, and it uses API calls.

Is this even possible?

Okta Org2Org and app provisioning looked promising, but as far as I understand they support only reading users, their groups, etc.

Any insights, documentation, or guidance you could provide would be greatly appreciated.

Thank you in advance! :heart:

Hi @Damian,

It sounds like the best fit for what you want is to submit an app to the Okta Integration Network. If you want it to interact with Okta API scopes and internal APIs, the best shot is to submit a Service App integration: Publish an OIN integration | Okta Developer

You can also do another type if you’d like, such as a standard SSO app through SAML or OIDC, using Profile Sourcing: Profile sourcing | Okta

If these look like a good fit for you, I’d encourage you to run through the process and work with our Integration Network specialists to set up your app.

Hi,

I have a question regarding Okta OIN integration that I believe is simpler than my previous ones.

When my OIN app is added to an organization, a new client ID and secret pair is generated for that organization. Currently, the client must pass these credentials to my service to authorize requests to their organization.

Is it possible to configure my OIN app in such a way that my service can access all organizations where the app is added, without generating new client IDs and secrets for each instance? Essentially, I want the admin to simply add my app, agree to the access permissions, and be done with it - so the client ID and secret are only managed between my service and my Okta OIN app, without generating new credentials for every organization.

Thanks in advance for your help!
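The per-org credential model described in this last post (and the scope-approval flow the first post asks for) can be handled on the service side with a small tenant registry. The following is an added example written for this thread; it is not code from Okta, from the OIN, or from the poster's service. It assumes the OAuth 2.0 client_credentials grant against each org's token endpoint (`/oauth2/v1/token` on the org authorization server, with Okta API scopes such as `okta.users.read`), that every installing org hands the service its own client ID and secret, and that the HTTP call is injected so the module runs offline. The org URLs, client IDs, secrets and tokens below are constructed placeholders.

```python
"""Multi-tenant Okta API service: one credential per customer org.

Added example, not Okta's code. Assumptions: each org that installs the OIN
service app yields its own client ID/secret; the service exchanges them for an
access token with the client_credentials grant at that org's token endpoint,
asking only for scopes on an allow-list. The HTTP POST is injected so this runs
offline; replace `fake_token_endpoint` with a real HTTPS client in production.
"""
import base64
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

# Scopes the service is permitted to ask an org for. Keeping this list short is
# what lets an installing admin review and approve a minimal set of permissions.
ALLOWED_SCOPES = frozenset({"okta.users.read", "okta.groups.read", "okta.apps.read"})

# Assumed token endpoint path for an Okta org authorization server.
TOKEN_PATH = "/oauth2/v1/token"


@dataclass(frozen=True)
class TenantCredential:
    org_url: str        # e.g. https://company-a.example.okta.com (constructed)
    client_id: str      # issued to this org when the OIN app was installed
    client_secret: str  # never shared between orgs


@dataclass
class CachedToken:
    access_token: str
    expires_at: float   # epoch seconds


TokenRequest = Tuple[str, Dict[str, str], Dict[str, str]]      # url, headers, form body
HttpPost = Callable[[str, Dict[str, str], Dict[str, str]], dict]


def build_token_request(cred: TenantCredential, scopes: List[str]) -> TokenRequest:
    """Assemble a client_credentials token request for one org.

    Rejects scopes outside the allow-list and non-HTTPS org URLs before any
    secret is placed on the wire. Client id/secret are form-encoded before
    Base64 as RFC 6749 section 2.3.1 requires for HTTP Basic.
    """
    unknown = set(scopes) - ALLOWED_SCOPES
    if unknown:
        raise ValueError(f"refusing scopes outside allow-list: {sorted(unknown)}")
    if not cred.org_url.startswith("https://"):
        raise ValueError("org URL must use https")
    raw = f"{quote(cred.client_id, safe='')}:{quote(cred.client_secret, safe='')}"
    basic = base64.b64encode(raw.encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "client_credentials", "scope": " ".join(sorted(scopes))}
    return f"{cred.org_url.rstrip('/')}{TOKEN_PATH}", headers, body


class TenantRegistry:
    """Holds each org's credential and caches tokens per (org, scope set)."""

    def __init__(self, post: HttpPost, now: Callable[[], float] = time.time):
        self._post = post
        self._now = now
        self._creds: Dict[str, TenantCredential] = {}
        self._tokens: Dict[Tuple[str, str], CachedToken] = {}

    def register(self, cred: TenantCredential) -> None:
        # This is the step where the org admin hands over the credentials the
        # OIN installation generated; nothing here is shared across orgs.
        self._creds[cred.org_url] = cred

    def token_for(self, org_url: str, scopes: List[str]) -> str:
        key = (org_url, " ".join(sorted(scopes)))
        cached = self._tokens.get(key)
        if cached and cached.expires_at - 30 > self._now():   # 30 s safety margin
            return cached.access_token
        cred = self._creds.get(org_url)
        if cred is None:
            raise KeyError(f"org not registered: {org_url}")
        url, headers, body = build_token_request(cred, scopes)
        resp = self._post(url, headers, body)
        token = resp["access_token"]
        ttl = float(resp.get("expires_in", 3600))
        self._tokens[key] = CachedToken(token, self._now() + ttl)
        return token


def fake_token_endpoint(url: str, headers: Dict[str, str], body: Dict[str, str]) -> dict:
    """Constructed stand-in for an org's token endpoint; no network involved."""
    assert body["grant_type"] == "client_credentials"
    assert headers["Authorization"].startswith("Basic ")
    return {"access_token": f"tok-for-{url}", "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    reg = TenantRegistry(fake_token_endpoint)
    reg.register(TenantCredential("https://company-a.example.okta.com", "id-a", "secret-a"))
    print(reg.token_for("https://company-a.example.okta.com", ["okta.users.read"]))
```

The design point is that the service never holds one credential that opens every org: each org's secret is bound to that org's URL, tokens are cached per org and per scope set, and any request for a scope outside the allow-list fails before a secret is sent. Swapping `fake_token_endpoint` for a real HTTPS client is the only change needed to use it against live orgs.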