Oidc IdP best practice

Hi experts, I am playing oidc IdP; from existing docs Create an App at the Identity Provider | Okta Developer, I dont see it can be configured with IdP routing rule; the doc only shows how to route to IdP login page by a direct link instead of using webfinger to route to IdP login page via routing rule. Did I miss anything? Is there any best practice recommended from Okta how an enterprise application should be configured with OIDC IdP?

Any IdP you create can have be used with IdP Discovery Routing Rules, that guide is just walking you through hitting the IdP directly (in an OIDC app) instead of using routing rules.

Enterprise applications should have users login through the Okta hosted sign in page. As long as you have your routing rules configured for the application and users in question, they can be routed to the appropriate IdP automatically.

Docs for Idp Discovery and Routing Rules found here:
https://help.okta.com/en/prod/Content/Topics/Security/Identity_Provider_Discovery.htm
https://help.okta.com/en/prod/Content/Topics/Security/configure-routing-rules.htm

Thanks @andrea for the reply!

I followed the instruction posted in Add an external Identity Provider | Okta Developer and tried creating the poc env (one okta tenant as external OIDC Connect IdP, another Okta tenant host my application); though, I got below error. Could you please help?

Identity Provider: OIDC

Error Code: invalid_social_token

Description: Could not acquire access token from authorization code.

1st Okta tenant showed the user login successfully
2nd Okta tenant showed below debugging:
com.saasure.platform.services.idp.exception.IdpAuthenticationException: Issuer is invalid in id_token

Does your other okta tenant (the one being used as an IdP) have a custom url domain?

This mismatch may be caused by the token (issued by the Okta org serving as an external IdP) containing an issuer that doesn’t match the one you provided when you set up the idp. You’ll want to make sure that the authorization server/app is configured to use the domain you are trying to use in your idp configuration, see Update other Okta settings | Okta Developer.

Hi @andrea, that’s exactly the issue; I fixed it a few days ago by trial but thinks for posting the approach so others may have same question; I actually created another thread with the same question so you can link this answer to that thread

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.