Okta IDP Federation custom claims

Hi,

I have an Okta instance A that has an authorization server that returns custom claims with its role scope.

I have another Okta instance B that serves as a federation gateway and connects Okta instance A as an external IdP using OIDC.
Okta instance B also has an authorization server. I want to return the roles scope from Okta instance A when a user from Okta A logs into Okta B. How do I do this?

In the OIDC setup to Okta A, I have added the role scope.
It seems like I need to update the claim expression on the authorization server on Okta B?

Regards,
Avinash

Hello @avinash.singh,

Essentially to accomplish what I think you are looking to do, all you would need would be to make sure that the claims/attributes that you want to pass make every step of the process. So in other words, there needs to be an attribute in both orgs that is properly mapped to the app/IdP respectively, and you’ll need JIT Provisioning to be enabled on the IdP settings.

All things being equal, what this will do is have your app send the attribute in its token, which would be picked up by the IdP settings on the org that you are attempting to sign in using, and retrieve the data from that org and pass it back down through the IdP token to the app’s org, then supplied to the app itself via the claim.

I know that’s a little abstract, but if it helps I believe this is just a fancy way of saying yes to your question, and here is some information about JIT Provisioning: External Identity Providers | Okta Developer
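A way to confirm that the claim actually made every hop, as an added example that is not part of the original thread or Okta's own tooling: it compares the custom claim in the ID token issued by Okta A with the one issued by Okta B after federation and points at the hop to check when the claim is lost. The tokens are constructed here with a throwaway HS256 secret so the script runs offline; real Okta tokens are RS256-signed and must be verified against the issuer's published JWKS instead. The issuer URLs and the `roles` claim name are assumptions.

```python
"""Check whether a custom claim survived a federated OIDC hop (Okta A -> Okta B).

Added example, not code from the original thread. Tokens are CONSTRUCTED and
signed with a demo HS256 secret so the check runs offline; production tokens
from Okta are RS256 and must be verified against the issuer's JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"  # assumption: demo only
ISSUER_A = "https://okta-a.example.com/oauth2/default"     # assumption
ISSUER_B = "https://okta-b.example.com/oauth2/default"     # assumption


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(issuer: str, sub: str, extra_claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) with a demo HS256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer, "sub": sub, "iat": now, "exp": now + 300, **extra_claims}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_verified(token: str) -> dict:
    """Verify the demo signature, then return the payload. Never skip this step on real tokens."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return payload


def check_claim_propagation(token_a: str, token_b: str, claim: str = "roles") -> dict:
    """Compare `claim` across the token from Okta A and the federated token from Okta B.

    Returns a small report; the `hint` names the hop to inspect when the claim is dropped
    (IdP attribute mapping / JIT provisioning in B, or B's authorization-server claim expression).
    """
    a, b = decode_verified(token_a), decode_verified(token_b)
    report = {
        "present_in_a": claim in a,
        "present_in_b": claim in b,
        "values_match": claim in a and claim in b and a[claim] == b[claim],
    }
    if report["present_in_a"] and not report["present_in_b"]:
        report["hint"] = ("claim issued by A but missing from B: check the IdP attribute mapping and "
                          "JIT provisioning on B, then the claim expression on B's authorization server")
    elif report["present_in_a"] and not report["values_match"]:
        report["hint"] = "claim present in both tokens but values differ: check the profile mapping on B"
    elif not report["present_in_a"]:
        report["hint"] = "claim never issued by A: check A's authorization server claim and the requested scope"
    else:
        report["hint"] = "claim propagated intact"
    return report


# Constructed sample tokens: the good case and the case where B dropped the claim.
TOKEN_A = make_demo_token(ISSUER_A, "user@example.com", {"roles": ["admin", "auditor"]})
TOKEN_B_OK = make_demo_token(ISSUER_B, "user@example.com", {"roles": ["admin", "auditor"]})
TOKEN_B_DROPPED = make_demo_token(ISSUER_B, "user@example.com", {})

if __name__ == "__main__":
    print(json.dumps(check_claim_propagation(TOKEN_A, TOKEN_B_OK), indent=2))
    print(json.dumps(check_claim_propagation(TOKEN_A, TOKEN_B_DROPPED), indent=2))
```

To use it against real tokens, replace `decode_verified` with a JWKS-backed RS256 verification (for example via a maintained JWT library) and feed in the ID token obtained from Okta A directly and the one obtained from Okta B after the federated sign-in; the comparison logic stays the same.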
