We have created an OpenID Connect app that uses Okta for SSO, but I’m confused about something. It seems to only be allowing Okta users from our org to sign in. We would like to allow any user with an Okta account to sign in, without having to make a prior arrangement with their org. Our app seems to be in Federation Broker Mode, which seems like it should allow this, but it is not working (when we try to log in with an account from another Okta org, we get a generic “unable to sign in” from Okta). The URL we are redirecting to is tied to our organization - could that be the problem? What else might be wrong here? It should be possible to have it work this way, correct?
What you are seeing is expected. Okta does not function as a Social Identity Provider like Google or Facebook; only users within your own Okta org can be assigned/access any applications within that org.
I don’t understand how we’re supposed to implement “login with Okta” functionality to our customers who use Okta. Can you explain how this flow is supposed to work?
The only way this would be possible would be if you created External Identity Provider connections for each Okta org, which would require the admins for those other Okta orgs to set up applications on their side to facilitate these connections. This is not something you can do purely from your own org.
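The per-org connection model described in the reply above, as an added example that is not code from this thread or from Okta: the relying party can only accept an ID token when it already holds a configured connection for the issuing org (the org's issuer URL, the client_id that org's admin created for us, and the key material to verify the signature). A token from an org with no such connection has nothing to be verified against and is rejected. The issuer URLs, client_ids and keys are constructed placeholders, and signature checking is simplified to HS256 with a shared secret so the block runs offline with the standard library; real Okta orgs sign ID tokens with RS256 against the org's published JWKS, which is an assumption this example does not implement.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registry of External Identity Provider connections, one per
# customer Okta org that has set up an app for us on their side.
# Hypothetical issuers, client_ids and keys; not real Okta orgs.
IDP_CONNECTIONS = {
    "https://customer-a.example.okta.com/oauth2/default": {
        "client_id": "0oa-customer-a-client",
        "key": b"constructed-shared-secret-a",
    },
    "https://customer-b.example.okta.com/oauth2/default": {
        "client_id": "0oa-customer-b-client",
        "key": b"constructed-shared-secret-b",
    },
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, audience: str, subject: str, key: bytes, ttl: int = 300) -> str:
    """Constructed HS256 token for the demo (stands in for an org's ID token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(payload).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, now=None) -> dict:
    """Accept only tokens from a configured IdP connection, bound to our client_id there."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # The issuer claim is read before verification only to select the key;
    # nothing else from the payload is trusted until the signature checks out.
    claims = json.loads(_b64url_decode(payload_b64))
    conn = IDP_CONNECTIONS.get(claims.get("iss"))
    if conn is None:
        # The situation in the thread: an account from an Okta org we have no
        # connection with. There is no key to verify against, so reject.
        raise ValueError("issuer not configured as an External Identity Provider")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to pick the algorithm
    expected = hmac.new(conn["key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("aud") != conn["client_id"]:
        raise ValueError("token not issued for our client_id at this org")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def check(token: str) -> tuple:
    """Convenience wrapper: (accepted, reason) so callers can log the rejection cause."""
    try:
        claims = validate_id_token(token)
        return True, claims["sub"]
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    iss_a = "https://customer-a.example.okta.com/oauth2/default"
    conn_a = IDP_CONNECTIONS[iss_a]
    print(check(mint_token(iss_a, conn_a["client_id"], "alice", conn_a["key"])))
    print(check(mint_token("https://unknown.example.okta.com/oauth2/default", "x", "bob", b"k")))
```

Running the block as a script prints an accepted result for the configured org and a rejection for the unknown org; the same split is what a user from an unconnected Okta org experiences as a generic sign-in failure.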
We have tried to set this up, but it is not working - the users in the external identity provider account are unable to log in. They are prompted to create Okta Verify connections for our organization, but then when they try to do that, they get an error that says that the “security method can’t be set up at this time” and instructions to contact support for assistance. I tried to create a support case about this, but I get an error message saying that I do not have access to the create a case page, even though I am logged in with the account that is the owner of our integrator account. Is there some other way to get support on this issue?
You may need to review the Authenticator Enrollment policies in your org to configure which authenticators these users are required/allowed to enroll in and ensure that the Global Session Policies/Authentication Policies for them allow access using the configured authenticators.
For additional help with your policy configurations, you could reach out on the main Okta Community forum (this one is more developer-centric and is more focused on custom implementations) for additional advice.
The configuration for the app allows for Okta Verify, but it is still not working. I did originally ask in the community forum, and they sent me here. Is there any way for me to contact your support team about this?
Only paying customers qualify for direct support and they will be able to access the Help Center. Anyone else only qualifies for community support.
Have you tried resetting the users’ authenticators yet? You can also try deactivating and removing the impacted device from Directory → Devices in the admin dashboard and try re-enrolling after that.
Just so I’m clear on this, we’re trying to build an integration feature that lets your customers use your product to log into our system, and even though it doesn’t work as documented, you’re expecting us to pay for access to your support team to try to make it work?
We did reset the authenticators for the account and the authenticator enrollment policies appear to be configured correctly.
I’m wondering if your use case is a better fit for the Okta Integration Network. That way users don’t need to log into your own Okta org, but will instead set-up the application within their own Okta org and can log into your application that way. That is how most vendors that are not Okta customers themselves integrate with us.
You can find information about submitting to the Okta Integration Network (OIN) in the guides below: