Okta hub and spoke model and end user registration

Hello,

I am trying to implement the Okta hub and spoke model with two Okta tenants, where user registration and authentication happen at the hub level and the application is integrated at the spoke.

A few questions:

  1. Self-registration - When accessing an application that is integrated in the spoke (SP-initiated flow), the end user gets redirected to the hub URL:
    /app/spokeappname//sso/saml where the login screen (sign-in widget) is displayed for the user to enter their email to sign in. However, the sign-up link is not displayed, but when navigating directly to the hub URL the sign-up link is available. The problem with going directly to the hub URL to register is that the user lands on the Okta hub dashboard once registered and then needs to separately open the application URL to access the application.
    Can this be configured to add a sign-up link on the login page (sign-in widget) when coming from the spoke to the hub?

  2. If the sign-up link can't be configured, what is the workaround, or what other options are there to accomplish this so the user can register?

Thank you!

  1. As far as I know it can't be achieved
  2. You can go the opposite route actually:
  • have all your users registered at your current spoke
  • have all your apps configured at hub
  • when a user is created at the spoke, they can be provisioned to the hub with certain attributes, which will assign them to a group and to an app
  • in the spoke you can create a SAML app which will kick off an IdP flow to sign in to the hub's application
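The "register at the spoke, assign at the hub" route in the answer above, as an added illustration that is not code from the thread or from Okta: it prepares the hub-side Users API call that creates the spoke user with a marker attribute, builds the hub Group Rule that turns that attribute into a group (and, through the group's app assignment, an app), and checks locally that the prepared user would actually match the rule before anything is sent. The hub org URL, the attribute name `spokeAppRole`, the group id and the spoke user record are all constructed for the example; whether the spoke pushes users via the API (as here) or via SAML JIT is not settled by the thread, so the push is an assumption.

```python
"""Spoke-to-hub provisioning sketch (constructed example, not from the thread).

Shapes a hub Users API request from a spoke user, defines a hub Group Rule
keyed on an attribute the spoke stamps on every user, and verifies offline
that the prepared user satisfies the rule.  Nothing here contacts a live
org; send_request() is provided only so the pieces can be wired up.
"""
import json
import urllib.request

# Assumed values (not from the thread): the hub org, the custom profile
# attribute the spoke sets, and the hub group to which the app is assigned.
HUB_ORG = "https://hub.example.okta.com"
SPOKE_ATTR = "spokeAppRole"
HUB_GROUP_ID = "00gHubGroupExample"


def prepare_hub_user_request(spoke_user: dict, api_token: str) -> dict:
    """Build the POST /api/v1/users?activate=true call for the hub.

    Only standard attributes plus SPOKE_ATTR are forwarded, so a spoke
    cannot push arbitrary profile fields into the hub, and a user without
    the marker attribute is rejected here rather than landing on the hub
    dashboard with no app assigned.
    """
    allowed = ("login", "email", "firstName", "lastName", SPOKE_ATTR)
    src = spoke_user["profile"]
    profile = {k: src[k] for k in allowed if k in src}
    if SPOKE_ATTR not in profile:
        raise ValueError(f"spoke user is missing {SPOKE_ATTR}; hub rule would not fire")
    return {
        "method": "POST",
        "url": f"{HUB_ORG}/api/v1/users?activate=true",
        "headers": {
            "Authorization": f"SSWS {api_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        "body": {"profile": profile},
    }


def hub_group_rule(role_value: str) -> dict:
    """Group Rule body (POST /api/v1/groups/rules) that places users whose
    SPOKE_ATTR equals role_value into HUB_GROUP_ID.  Assign the hub app to
    that group once and every provisioned user inherits the assignment."""
    return {
        "type": "group_rule",
        "name": f"spoke role {role_value} -> hub app group",
        "conditions": {
            "expression": {
                "value": f'user.{SPOKE_ATTR}=="{role_value}"',
                "type": "urn:okta:expression:1.0",
            }
        },
        "actions": {"assignUserToGroups": {"groupIds": [HUB_GROUP_ID]}},
    }


def rule_matches(rule: dict, user_request: dict) -> bool:
    """Local check that a prepared user satisfies the rule's expression.

    Handles only the equality form used above (user.attr=="value"), which
    is enough to catch a spoke provisioning users with the wrong role.
    """
    expr = rule["conditions"]["expression"]["value"]
    lhs, _, rhs = expr.partition("==")
    attr = lhs[len("user."):] if lhs.startswith("user.") else lhs
    expected = json.loads(rhs)  # rhs is a JSON-quoted string literal
    return user_request["body"]["profile"].get(attr) == expected


def send_request(req: dict) -> dict:
    """Issue a prepared request against the hub (not exercised offline)."""
    data = json.dumps(req["body"]).encode()
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r) as resp:
        return json.loads(resp.read())


# Constructed spoke user, as a spoke-side self-registration might produce it.
SPOKE_USER = {
    "profile": {
        "login": "jane@example.com",
        "email": "jane@example.com",
        "firstName": "Jane",
        "lastName": "Doe",
        SPOKE_ATTR: "app-users",
        "mobilePhone": "+15555550100",  # dropped by the allow-list
    }
}

if __name__ == "__main__":
    req = prepare_hub_user_request(SPOKE_USER, api_token="<hub API token>")
    rule = hub_group_rule("app-users")
    print(json.dumps(req["body"], indent=2))
    print("rule matches:", rule_matches(rule, req))
```

The attribute allow-list and the pre-send rule check are the two places a practitioner gets value: the first keeps the spoke from writing whatever it likes into hub profiles, the second catches a mismatched role before the user is created on the hub and is left with nothing assigned.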