Let us say we use Okta as our enterprise IdP with Microsoft AD as the identity store. We have configured Okta to support SSO, user provisioning and de-provisioning for our Salesforce installation. We also have another custom-built web application. We want to use Okta for its SSO, user provisioning and de-provisioning as well. Our scenario is that only active Salesforce users can access the custom web application. What is the most efficient way to set it up?