Please suggest correct approach

Please let me describe the situation

  1. We have a web application, and a new potential customer wants to use SSO with their on-premises AD to start using our app.

  2. The customer already has an Okta organization into which this AD is integrated.

Which is the correct approach to implement SSO?
As far as I can see, there are two ways:

  1. The customer adds an Okta application to their Okta organization to process requests from our web application (we provide the callback URL and the necessary attributes to them; they provide us with the Sign-On URL and the certificate for this Okta app).

  2. We create our own Okta organization and add their Okta app (SAML or OpenID) as an external IdP.

Any suggestions? Did I miss something?

Are you saying that a customer wants to do SSO into your application from Okta? Then the question is what type of SSO you can support: OIDC? SAML? If either of those, it's a pretty straightforward integration for Okta.

The customer has their own user database in AD and wants to use Okta with SSO to sign on to my application.

Again, it's just a matter of what type of SSO your application supports. Does your application support SAML or OIDC? If yes, then just create an application in Okta and configure it accordingly to send you the assertion/id_token. If no, you will have to invent a bike and come up with some sort of validation of username and password (a login page with Okta AuthJS) before letting Okta users into your application.

Customer will have delegated authentication in Okta against their AD, so nothing really complicated from this perspective.
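The reply above says the app only needs to accept the assertion/id_token Okta sends it. What that acceptance has to involve on the application side is the part people get wrong, so here is an added example (not code from this thread or from Okta) of the OIDC variant: a relying party receiving an RS256-signed id_token and checking the algorithm, the signature against a key selected by `kid`, and the `iss`, `aud`, `exp` and `nonce` claims before trusting the user identity. Everything is constructed: the issuer URL, client id and key are placeholders, and `SignRS256` only exists so the example can build its own token offline instead of talking to a real Okta org. In production the public keys come from the issuer's `jwks_uri`, and the nonce is the one your app generated and stored in the session when it started the login.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of id_token claims a relying party must check.
// Okta returns aud as a single string for id_tokens; the OIDC spec also allows an array.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 builds a compact RS256 JWS the way an IdP would. It is here only to
// produce test input offline; in reality the token comes from Okta, not from us.
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyIDToken performs the checks a relying party must do before trusting an id_token.
// keys maps kid -> public key; in production it is populated from the issuer's jwks_uri.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, issuer, clientID, expectedNonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Pin the algorithm; never let the token pick it (rejects alg=none and key confusion).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	key, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	// Only after the signature holds are the claims worth reading.
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer mismatch: %q", c.Iss)
	case c.Aud != clientID: // token minted for another client must not log in here
		return nil, fmt.Errorf("audience mismatch: %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce == "" || c.Nonce != expectedNonce: // ties the token to this login attempt
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}

func main() {
	// Constructed demo: a throwaway key stands in for Okta's signing key.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuer := "https://example-customer.okta.com" // placeholder, not a real org
	now := time.Now()
	tok, _ := SignRS256(key, "demo-kid", Claims{Iss: issuer, Sub: "00u-demo", Aud: "client-id-demo", Exp: now.Add(time.Hour).Unix(), Nonce: "n-123"})
	c, err := VerifyIDToken(tok, map[string]*rsa.PublicKey{"demo-kid": &key.PublicKey}, issuer, "client-id-demo", "n-123", now)
	fmt.Println(c, err)
}
```

The order matters: the algorithm and signature are checked before the payload is even decoded, and `aud` is compared against your own client id so a token Okta issued for some other application in the customer's org cannot be replayed against yours. The same four claim checks have SAML counterparts (Issuer, Audience, NotOnOrAfter, InResponseTo) if the app goes the SAML route instead.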