Okta as an external OIDC IdP

Hi, I’d like to confirm if my understanding of the “external OIDC IdP” is correct

I work at org A, which is a subsidiary of org B. We both use Okta, but have completely separate Okta orgs. While I have full control of our (A) Okta instance, we cannot add groups or apps to B’s Okta instance. I would like to be able to give members of B’s Okta seamless access to our apps. I’m thinking that I can add B’s Okta as an external OIDC IdP in our (A) Okta. I think this would let me:

  • Create groups and apps within A Okta
  • When a user from B tries to access one of our apps, they sign in through their org’s Okta
  • I can assign groups and apps to users from B within A’s Okta (as long as they’ve logged in so that their user can be JITed).
  • If a user is deactivated/removed from B, they automatically loose access to A
  • I can still add users manually to A if I want to (in particular, for service accounts)
  • Our (A) apps only ever need to talk to Okta A (they don’t need to verify tokens from the Okta B)

Is this correct, or am I missing something? Are there any pitfalls in this sort of setup?


From what I can tell, yes, using the second Okta org (Org B) as an external IdP for the first Okta Org (Org A, the one with the applications the users in Org B need access to) should work well for your use case.

If you set up this IdP to JIT users from Org B into Org A (so there will be a user within each org for these users), you can also indicate what group(s) these users should be assigned to, which you can use to grant them access to the necessary application(s). Beyond that, they’re more or less the same as any other local user in Org A and you can continue to create users within Org A itself as needed.

If a user is deactivated in Org B, they will not be able to access Org A’s applications anymore because they will not be able to login via their IdP (Org B) anymore either.

And finally, yes, your applications only need to worry about Org A. Once the users log into Org A (after federating through Org B), the tokens they are issued will always come from Org A. In the background Okta will check that the user is able to login successfully to Org B, but short of where they have to go to login, they’re the same as any other user in Org A.

Awesome, thank you very much!

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.