Hi, I’d like to confirm if my understanding of the “external OIDC IdP” is correct
I work at org A, which is a subsidiary of org B. We both use Okta, but have completely separate Okta orgs. While I have full control of our (A) Okta instance, we cannot add groups or apps to B’s Okta instance. I would like to be able to give members of B’s Okta seamless access to our apps. I’m thinking that I can add B’s Okta as an external OIDC IdP in our (A) Okta. I think this would let me:
- Create groups and apps within A Okta
- When a user from B tries to access one of our apps, they sign in through their org’s Okta
- I can assign groups and apps to users from B within A’s Okta (as long as they’ve logged in so that their user can be JITed).
- If a user is deactivated/removed from B, they automatically lose access to A
- I can still add users manually to A if I want to (in particular, for service accounts)
- Our (A) apps only ever need to talk to Okta A (they don’t need to verify tokens from Okta B)
Is this correct, or am I missing something? Are there any pitfalls in this sort of setup?