Require 2 separate Okta sessions for 2 separate Okta users across browser tabs

Questions
1

Hi,

I have been racking my brains on this one and the only option I can think of is to have the 2 separate Okta users in two separate Okta tenants.

Our usecase is:

  • We have a group of apps belonging to business unit 1 and another group of apps belonging to business unit 2.
  • Apps belonging to both business units are stored in the one Okta tenant.
  • Okta user 1 belongs to business unit 1 and is assigned to business unit 1 apps. Okta user 2 belongs to business unit 2 and is assigned business unit 2 apps.
  • Okta user 1 and Okta user 2 are stored in the one Okta tenant.
  • Okta user 1 signs on to the Okta tenant in tab 1 of a browser and merrily enjoys the SSO experience to apps belonging to business unit 1.
  • Okta user 1 opens tab 2 of the browser and decides he/she wants to log into the Okta tenant as Okta user 2 so he/she can enjoy the SSO experience to apps belonging to business unit 2.
    However, he/she is unable to unless they first sign out of Okta as Okta user 1.
    This is because as we know the session cookie corresponding to authenticated Okta session for Okta user 1 is still held and submitted by the browser in tab 2.

Anyone have any better ideas than creating two separate Okta tenants representing business unit 1 and business unit 2 respectively? Or ensuring that the app’s/gateway’s custom code detect a tab switch and sign-out Okta user 1 silently via Okta api?

Thanks,
Kapil.

2

A basic question on the use case - if the user is the same, why are different logins used for business units? Shouldn’t a user having access to both business units be able to login with just one set of creds? What would the need be to have separate login creds? If it’s just for access then you should use one user, one tenant and Okta groups to ensure access to BU1 or BU2 set of apps. If there is a profile field to identify the access to a BU, you can even use Okta groups rules to make this automatic.

Assuming there is such a need (which I cannot understand), it’s not possible without 2 Okta tenants since there is no way to identify tab switch to logout and even if you could identify, considering user from BU 1 could just open one of the BU1 apps in a new tab and you obviously do not want them to re-login just because they opened a new tab, you should not even look at that approach.