OIDC Multi-tenancy SSO subjectIDs

We are working on our OIDC SSO integration and we believe it is pretty much complete, but there are some descriptions of multi-tenancy that are causing me concern, and I'm not sure how best to set up and test this with our developer account.

Given this description at OIDC and the OIN - Multi-tenancy | Okta Developer:
As an example, alice.doe@example.com is a registered Okta user in both the Company1 and Company2 Okta tenants, accessed at https://company1.okta.com and https://company2.okta.com. Your application aims to provide different services for users, but specific to each tenant. You can't assume that the user information is identical for a given user across both tenants.

Is this trying to tell us that the resulting id_token for alice.doe@example.com will have the same subjectID with different user information (such as the issuer), or that they will also have a different subjectID?

If the subject is different, which is what we expect for this situation, then we are fine, as that would result in logging into different accounts and we meet the requirements. But if the subjectID is the same, then they would log into the same account for both company1 and company2, which would be a problem?

To be specific, if alice.doe@example.com is an Okta user in 3 different Okta tenants, and each of those 3 tenants integrates our application, when alice.doe@example.com initiates sign-in through the Okta end user dashboard, should alice.doe@example.com end up in the same application account with us, or 3 different accounts? And during those 3 different sign-ins, will the id_token.sub be the same, or different for all 3?

`sub` will be different. The document tries to tell you that you can't just have the same username represent the same user in 3 different Okta tenants, as services might be different for each tenant in your application/service model. So you need to know from which environment that user came each time.
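As an added example (not from the thread or from Okta), this shows one way an application can act on the answer above: key local accounts on the pair (`iss`, `sub`) rather than on email or on `sub` alone, so the same person in two Okta tenants lands in two separate accounts, and tokens from unknown issuers are refused. The issuer registry and the id_token claim dicts are constructed for the example, and the claims are assumed to have already passed signature, `aud` and `exp` validation.

```python
# Added example: resolve the local application account for verified OIDC
# id_token claims by scoping `sub` to its issuer. `sub` is only unique
# within one issuer, and email is mutable and not unique across tenants,
# so neither is a safe account key on its own.
# Assumes the id_token signature, `aud` and `exp` were validated upstream.
from dataclasses import dataclass, field

# Constructed tenant registry: issuer URL -> tenant that integrated the app.
KNOWN_ISSUERS = {
    "https://company1.okta.com": "Company1",
    "https://company2.okta.com": "Company2",
}


@dataclass
class AccountStore:
    # Local accounts keyed on (iss, sub), never on email or on sub alone.
    accounts: dict = field(default_factory=dict)

    def resolve(self, claims: dict) -> str:
        """Return the local account id for verified id_token claims,
        creating the account on first sign-in (just-in-time provisioning)."""
        iss = claims["iss"]
        if iss not in KNOWN_ISSUERS:
            # Refuse tokens from tenants that never integrated the app.
            raise PermissionError(f"untrusted issuer: {iss}")
        key = (iss, claims["sub"])
        if key not in self.accounts:
            self.accounts[key] = f"{KNOWN_ISSUERS[iss]}:{len(self.accounts) + 1}"
        return self.accounts[key]


# Constructed claims: one person, same email, two tenants, two different subs.
ALICE_C1 = {"iss": "https://company1.okta.com", "sub": "00u1abc", "email": "alice.doe@example.com"}
ALICE_C2 = {"iss": "https://company2.okta.com", "sub": "00u2xyz", "email": "alice.doe@example.com"}
# Constructed edge case: a different tenant reusing the same `sub` string.
OTHER_C2 = {"iss": "https://company2.okta.com", "sub": "00u1abc", "email": "bob@example.com"}


def demo() -> dict:
    """Sign Alice in from both tenants, then again from Company1."""
    store = AccountStore()
    first = store.resolve(ALICE_C1)
    second = store.resolve(ALICE_C2)
    repeat = store.resolve(ALICE_C1)
    other = store.resolve(OTHER_C2)
    return {"c1": first, "c2": second, "c1_repeat": repeat, "other": other}


if __name__ == "__main__":
    print(demo())
```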
