We are working on our OIDC SSO integration and it's pretty much complete, we believe, but there are some descriptions of multi-tenancy that are causing me concern, and I'm not sure how best to set up and test with our developer account.
With this description given at OIDC and the OIN - Multi-tenancy | Okta Developer
"As an example, firstname.lastname@example.org is a registered Okta user in both the Company1 and Company2 Okta tenants, accessed at https://company2.okta.com. Your application aims to provide different services for users, but specific to each tenant. You can't assume that the user information is identical for a given user across both tenants."
Is this trying to tell us that the resulting id_token for email@example.com will have the same subjectID with different user information (such as the issuer), or that they will also have a different subjectID?
If the subject is different, which is what we expect for this situation, then we are fine, as that would result in logging into different accounts and we meet the requirements. But if the subjectID is the same, then they would log into the same account for both company1 and company2, which would be a problem?
To be specific, if firstname.lastname@example.org is an Okta user in 3 different Okta tenants, and each of those 3 tenants integrates our application, when email@example.com initiates sign-in through the Okta end user dashboard, should firstname.lastname@example.org end up in the same application account with us, or 3 different accounts? And during those 3 different sign-ins, will the id_token.sub be the same, or different for all 3?
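As an added illustration (not part of the original post, and not Okta's code or documentation): the OIDC Core spec guarantees that sub is unique only within a single issuer, so a relying party that serves several tenants normally keys its application accounts on the (iss, sub) pair rather than on email or sub alone. The example below assumes the id_token has already been signature-verified and checked for aud/exp by a JWT library; the issuer URLs, sub values and profile attributes are constructed sample data (only https://company2.okta.com appears on the page, the rest are hypothetical).

```python
"""
Added example: link application accounts by (iss, sub) from a verified
id_token, so the same person in two Okta tenants lands in two accounts,
and a profile change inside one tenant does not create a duplicate.
The claims passed in are ASSUMED to come from an already-verified token.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

AccountKey = Tuple[str, str]  # (issuer, subject)


@dataclass
class Account:
    key: AccountKey
    email: str
    name: str


@dataclass
class AccountStore:
    accounts: Dict[AccountKey, Account] = field(default_factory=dict)

    def resolve(self, claims: dict, trusted_issuers: Set[str]) -> Account:
        """Return the account for this (iss, sub), creating it on first sign-in.

        Caller is assumed to have verified signature, aud, exp and nonce already;
        this function only enforces the account-linking policy.
        """
        iss = claims.get("iss")
        sub = claims.get("sub")
        if not iss or not sub:
            raise ValueError("id_token is missing iss or sub")
        # Only tenants we onboarded may mint accounts; an unknown issuer is rejected
        # even if its token would otherwise look well-formed.
        if iss not in trusted_issuers:
            raise ValueError(f"untrusted issuer: {iss}")

        key: AccountKey = (iss, sub)
        acct = self.accounts.get(key)
        if acct is None:
            acct = Account(key, claims.get("email", ""), claims.get("name", ""))
            self.accounts[key] = acct
        else:
            # Same tenant, same subject: refresh mutable profile attributes,
            # but never re-key the account on them.
            acct.email = claims.get("email", acct.email)
            acct.name = claims.get("name", acct.name)
        return acct


# Constructed sample issuers and claims (company1 and the sub values are hypothetical)
ISS_COMPANY1 = "https://company1.okta.com"
ISS_COMPANY2 = "https://company2.okta.com"
TRUSTED = {ISS_COMPANY1, ISS_COMPANY2}

CLAIMS_COMPANY1 = {"iss": ISS_COMPANY1, "sub": "00u-constructed-aaa",
                   "email": "user@example.org", "name": "User (Company1 profile)"}
CLAIMS_COMPANY2 = {"iss": ISS_COMPANY2, "sub": "00u-constructed-bbb",
                   "email": "user@example.org", "name": "User (Company2 profile)"}
# Same tenant and subject as the first token, but the tenant renamed the user.
CLAIMS_COMPANY1_RENAMED = dict(CLAIMS_COMPANY1, name="User (renamed)")


def demo():
    """Run three sign-ins and return the store plus the resolved accounts."""
    store = AccountStore()
    a1 = store.resolve(CLAIMS_COMPANY1, TRUSTED)
    a2 = store.resolve(CLAIMS_COMPANY2, TRUSTED)
    a1_again = store.resolve(CLAIMS_COMPANY1_RENAMED, TRUSTED)
    return store, a1, a2, a1_again


if __name__ == "__main__":
    store, a1, a2, a1_again = demo()
    print(f"{len(store.accounts)} accounts; same email: {a1.email == a2.email}")
    print(f"company1 re-login kept account: {a1 is a1_again}, name now {a1.name!r}")
```

The design point is that email is a display attribute, not an identity: two tenants can legitimately present the same address, and a tenant can change it, so neither email nor a bare sub is a safe primary key once more than one issuer is trusted.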