Our SaaS application currently allows for Google Authentication. We let anyone from their domain access our application. In other words, if bob@company[dot]com and sally@company[dot]com sign in our application using Google Auth, they can both access the same organization account.
We want to add Okta as an authentication method; however, because any email address can be added to any Okta organization, we are not able to verify that bob@company[dot]com is really coming from the company[dot]com Okta account.
For example, I can create a new Org on Okta, add bob@company[dot]com with a username and password, and Bob would be able to successfully authenticate to Okta, but it doesn’t mean that he is the real bob@company[dot]com, just that the username/password combo on Okta is valid.
What is the common pattern to verify ownership of the email address so that we can let bob@company[dot]com authenticate to our application without trusting Okta?
Hello,
There probably is not a definitive answer for this since Okta is tenant-based and the type of restrictions each tenant places on their Org will vary. Some may only allow accounts they create, which all have the same email domain; others may allow self-service registration where any email address can be used.
If you want to restrict each tenant to only allow one specific email domain then you could use the issuer (will be unique for each Org) and map that within your application to the allowed email domain(s). Or perhaps add a custom SAML attribute for each tenant that specifies the domain it is for.
Note that it is possible for accounts to be created without having to prove their email, but in the case of self-service registrations the user would need to prove their email unless an Okta Administrator intervened and activated the account without verification.
I do recommend possibly speaking with the Okta professional services team, as they may have set up similar use cases in the past.
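One way to implement the issuer-to-domain mapping the answer suggests, as an added example that is not from this thread or from Okta: the application keeps an allowlist of which email domains each tenant's issuer is permitted to vouch for, and only honours the `email` claim when the issuer is known, the claim is marked verified, and the domain is on that issuer's list. The issuer URLs and domains below are constructed placeholders, and the code assumes the ID token's signature and expiry have already been checked by an OIDC library.

```python
# Added example: per-tenant trust decision for an already signature-verified
# OIDC ID token. The issuer (iss) identifies the Okta Org; the application,
# not Okta, decides which email domains that Org may vouch for.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample mapping; real entries would come from tenant onboarding.
ISSUER_DOMAINS: Dict[str, Set[str]] = {
    "https://company.okta.example": {"company.com"},
    "https://partner.okta.example": {"partner.example", "partner-corp.example"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def trust_claims(claims: dict, issuer_domains: Dict[str, Set[str]] = ISSUER_DOMAINS) -> Decision:
    """Decide whether the email claim from this issuer maps to a tenant we trust.

    Exact domain match only: a subdomain of an allowed domain is rejected,
    so each tenant must list every domain it owns.
    """
    iss = claims.get("iss")
    allowed = issuer_domains.get(iss)
    if allowed is None:
        return Decision(False, "unknown issuer")
    # A self-registered account may exist without a proven mailbox; only
    # accept addresses the issuer itself marks as verified.
    if claims.get("email_verified") is not True:
        return Decision(False, "email not verified by issuer")
    domain = email_domain(str(claims.get("email", "")))
    if domain is None:
        return Decision(False, "malformed email claim")
    if domain not in allowed:
        return Decision(False, f"issuer {iss} may not vouch for {domain}")
    return Decision(True, "ok")
```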