I have been racking my brains on this one and the only option I can think of is to have the 2 separate Okta users in two separate Okta tenants.
Our use case is:
- We have a group of apps belonging to business unit 1 and another group of apps belonging to business unit 2.
- Apps belonging to both business units are stored in the one Okta tenant.
- Okta user 1 belongs to business unit 1 and is assigned to business unit 1 apps. Okta user 2 belongs to business unit 2 and is assigned business unit 2 apps.
- Okta user 1 and Okta user 2 are stored in the one Okta tenant.
- Okta user 1 signs on to the Okta tenant in tab 1 of a browser and merrily enjoys the SSO experience to apps belonging to business unit 1.
- Okta user 1 opens tab 2 of the browser and decides he/she wants to log into the Okta tenant as Okta user 2 so he/she can enjoy the SSO experience to apps belonging to business unit 2.
However, he/she is unable to unless they first sign out of Okta as Okta user 1.
This is because, as we know, the session cookie corresponding to the authenticated Okta session for Okta user 1 is still held by the browser and submitted in tab 2.
Anyone have any better ideas than creating two separate Okta tenants representing business unit 1 and business unit 2 respectively? Or ensuring that the app's/gateway's custom code detects a tab switch and signs out Okta user 1 silently via the Okta API?
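Added example, not part of the original post and not Okta's own code: a browser-side helper that shows the second option from the question in working form. It asks the org which user the browser's shared session cookie belongs to (`GET /api/v1/sessions/me`), and only when that user differs from the one wanted in the new tab does it close that session (`DELETE /api/v1/sessions/me`) before sending the user to log in. Assumptions of mine: `OKTA_ORG` is a placeholder org URL, the app's origin is registered as a Trusted Origin in the org so the browser will attach the Okta session cookie to the cross-origin request, `fetchImpl` is injectable, and `makeFakeFetch` is a constructed stand-in for the browser and Okta so the block runs offline.

```javascript
// Placeholder org URL (assumption, not a real tenant).
const OKTA_ORG = 'https://your-org.okta.com';

// Pure decision step: given what /api/v1/sessions/me returned (null when the
// browser holds no Okta session), decide what has to happen before the user
// can act as `wantedLogin` in this tab.
function planUserSwitch(currentSession, wantedLogin) {
  if (currentSession === null) {
    return { action: 'login', reason: 'no active Okta session in this browser' };
  }
  if (currentSession.login.toLowerCase() === wantedLogin.toLowerCase()) {
    return { action: 'none', reason: 'already signed in as the wanted user' };
  }
  // The cookie jar is per browser profile, not per tab, so the only way to
  // become another user here is to end the session every tab shares.
  return {
    action: 'end-session-then-login',
    reason: `browser holds an Okta session for ${currentSession.login}, shared by every tab`,
  };
}

// Who does the org think this browser is? Requires the app origin to be a
// Trusted Origin (CORS) so the session cookie travels with the request.
async function currentOktaSession(fetchImpl = fetch, orgUrl = OKTA_ORG) {
  const res = await fetchImpl(`${orgUrl}/api/v1/sessions/me`, {
    method: 'GET',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  if (res.status === 404) return null; // no current session in this browser
  if (!res.ok) throw new Error(`sessions/me failed with HTTP ${res.status}`);
  return res.json();
}

// Close the browser's current Okta session. 204 means closed; 404 means there
// was nothing to close, which is fine for our purpose.
async function endCurrentOktaSession(fetchImpl = fetch, orgUrl = OKTA_ORG) {
  const res = await fetchImpl(`${orgUrl}/api/v1/sessions/me`, {
    method: 'DELETE',
    credentials: 'include',
  });
  return res.status === 204 || res.status === 404;
}

// Full flow for a tab that wants to act as `wantedLogin`.
async function switchOktaUser(wantedLogin, fetchImpl = fetch, orgUrl = OKTA_ORG) {
  const session = await currentOktaSession(fetchImpl, orgUrl);
  const plan = planUserSwitch(session, wantedLogin);
  if (plan.action === 'end-session-then-login') {
    plan.sessionEnded = await endCurrentOktaSession(fetchImpl, orgUrl);
  }
  // After 'login' or 'end-session-then-login' the caller redirects to the
  // org's sign-in page; that step is left to the app.
  return plan;
}

// Constructed offline stand-in for browser + Okta: one cookie jar holding a
// session for `sessionLogin`, visible to every "tab" that calls it.
function makeFakeFetch(sessionLogin) {
  let session = sessionLogin
    ? { id: 'fake-session-id', login: sessionLogin, status: 'ACTIVE' }
    : null;
  return async (url, opts = {}) => {
    if (!url.endsWith('/api/v1/sessions/me')) return { ok: false, status: 400 };
    if (opts.method === 'DELETE') {
      session = null;
      return { ok: true, status: 204 };
    }
    if (session === null) return { ok: false, status: 404 };
    return { ok: true, status: 200, json: async () => session };
  };
}

// Demo run (offline): tab 1 is signed in as user 1, user 2 opens tab 2.
switchOktaUser('user2@bu2.example', makeFakeFetch('user1@bu1.example'))
  .then((plan) => console.log(plan));
```

The pure `planUserSwitch` step is what you would actually want to reason about: it makes explicit that, because the session cookie is shared by the whole browser profile, "switch user in tab 2" is really "sign user 1 out everywhere, then sign user 2 in", so tab 1 loses its SSO session the moment tab 2 proceeds. Running user 2 in a separate browser profile or container (a separate cookie jar) is the only way to keep both sessions alive at once within a single org.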