OIDC SSO for external organisations

I’m trying to create an OIDC single sign-on in my web app for users that use Okta, i.e. a “Sign in with Okta” button or tile users can click on.

I have this set up and working in my dev account, but am trying to make it available to all external organisations by submitting it through the OIN submission process.

My issue is they keep asking me how they set it up in their test org and what information they need in terms of client ID and consumer key. I can’t find any information about what they’re referring to! Do they not just enable the app within their org and it’s set up to go?

Thanks.


Bumping as I have the same question

Hi egrabs, I’ve managed to move mine on a bit so thought I’d share my issue.

My thinking of how Okta works was a little off. I was thinking I create the app, I have my client ID and secret to do the integration and other orgs would just “add it”.

In fact an app on their OIN is essentially just the information required to create an instance of the app. So when they “add it”, it creates their own client ID and secret, which will be different for every organisation. So, in my case anyway, when they were asking what information I needed, it was their client ID and secret (as well as the issuer in my case). They added my app to their org, which created those credentials, and they sent them to me to use when getting a user to log in or exchanging for a token.

What really made it click for me was seeing what an organisation goes through to add the app. Here is a link to our (still unapproved by Okta) configuration guide, which may help: https://docs.google.com/document/d/1pF2Dp3cmGjOWuR0OwRaML--2160EFA5YT51SuHp8l84/edit?usp=sharing (at time of writing it’s still not approved so you won’t actually be able to find our app, but it should give you an idea).

I found the whole process very painful and frustrating, and not much support from their side. Getting information from them was difficult. If none of that makes sense, I’m happy to discuss more, as I wish I could have got 10 min of someone’s time a week or so ago, which would have saved me SO much time!

Best, Damien
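To make the point in Damien's reply concrete, here is an added illustration (not code from this thread, from Okta, or from Damien's app) of what a "Sign in with Okta" relying party has to keep per customer organisation: the issuer plus the client ID and secret that were generated when that org added the app. The tenant records, e-mail domains, placeholder credentials and endpoint URLs are all constructed assumptions; in production the authorization endpoint comes from the issuer's discovery document, and the ID token's signature is verified against that issuer's JWKS before the claim checks below run. The security-relevant step is that the token's `iss` and `aud` are checked against the tenant chosen at login start, so a token minted by one customer's org can never sign a user into another tenant.

```python
"""Per-organisation OIDC settings for a multi-tenant 'Sign in with Okta' button.

Added example, not code from the forum thread or from Okta. Every value below is a
constructed placeholder; a real deployment stores what each customer org sends
after adding the OIN app (issuer, client_id, client_secret) and loads endpoints
from {issuer}/.well-known/openid-configuration.
"""
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class OktaTenant:
    org_key: str                 # how the app recognises the customer org (assumed: e-mail domain)
    issuer: str                  # issuer URL the customer supplied with their credentials
    authorization_endpoint: str  # assumed to have been read from the issuer's discovery document
    client_id: str               # generated in the customer's org when they added the app
    client_secret: str           # likewise; used only server-side at the token endpoint


# Constructed sample registry with placeholder values (not real Okta credentials).
TENANTS = {
    "acme.example": OktaTenant(
        "acme.example", "https://acme.okta.example",
        "https://acme.okta.example/oauth2/v1/authorize",
        "0oa-acme-placeholder", "acme-secret-placeholder"),
    "globex.example": OktaTenant(
        "globex.example", "https://globex.okta.example",
        "https://globex.okta.example/oauth2/v1/authorize",
        "0oa-globex-placeholder", "globex-secret-placeholder"),
}


def tenant_for_email(email):
    """Home-realm discovery: pick the customer org from the e-mail domain (assumption)."""
    domain = email.rsplit("@", 1)[-1].lower()
    return TENANTS.get(domain)


def build_authorize_request(tenant, redirect_uri):
    """Return the authorization URL for this tenant plus the per-login session values.

    state, nonce and the PKCE verifier are generated fresh per login and kept
    server-side so the callback can be bound back to the tenant that started it.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    code_verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": tenant.client_id,       # the customer's client ID, not the vendor's own
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    url = f"{tenant.authorization_endpoint}?{urlencode(params)}"
    session = {"org_key": tenant.org_key, "state": state, "nonce": nonce,
               "code_verifier": code_verifier}
    return url, session


def validate_id_token_claims(claims, tenant, session, now=None):
    """Check ID token claims against the tenant that started this login.

    Assumes the token's signature was already verified with the tenant issuer's
    JWKS. Returns the subject on success, raises ValueError otherwise.
    """
    now = int(time.time()) if now is None else now
    if session.get("org_key") != tenant.org_key:
        raise ValueError("login session belongs to a different tenant")
    if claims.get("iss") != tenant.issuer:
        raise ValueError("issuer does not match the tenant's issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if tenant.client_id not in aud:
        raise ValueError("token was not issued for this tenant's client_id")
    if claims.get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch (possible replay)")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("token has no subject")
    return claims["sub"]


if __name__ == "__main__":
    tenant = tenant_for_email("alice@acme.example")
    url, session = build_authorize_request(tenant, "https://app.example/callback")
    print(url)
```

The `state` returned by `build_authorize_request` is what the callback handler uses to look up the saved session and hence the tenant; looking the tenant up again from anything in the callback (or from the token itself) would let a token from one org be validated against another org's settings.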

Damien, thank you so much! Your reply is super helpful. That is the understanding I was trending towards – having our customer create an app w/ a unique client id + secret within their own org; I couldn’t figure out how to make this work any other way. But it’s very reassuring to hear that even in the case where the app is published on the OIN that’s still the official procedure.

Originally I was under the assumption that somehow we could use the client id + secret for the app created in our Okta org but the authorization server URL of our customer’s org.

> I found the whole process very painful and frustrating, and not much support from their side. Getting information from them was difficult.

Right? I spent an inordinate amount of time reading the docs before I could wrap my head around what’s going on here. There’s a bunch of questions on this forum that seem to be asking the same thing that I was hoping to figure out, but no answers :weary:

Hi Damien, this question sounds very close to the issue that I am also having, but perhaps is a bit different. We have a developer account that we have been working with (and just recently a full prod account). We would like to use OIDC to SSO to an app from an external organization. They have given us their client_id and client_secret, but they are not on the OIN list of applications, and I believe have no intention of putting their application on the OIN. I cannot seem to add their application to my list of applications (using the Add Application button), as I cannot change the generated client_id and client_secret for an app that I manually add myself. Is there a way to set those ID and secret values for applications you add, or does their app need to be on the OIN application list?