Our SaaS application currently allows for Google Authentication. We let anyone from their domain access our application. In other words, if bob@company[dot]com and sally@company[dot]com sign in to our application using Google Auth, they can both access the same organization account.
We want to add Okta as an authentication method; however, because any email address can be added to any Okta organization, we are not able to verify that bob@company[dot]com is really coming from the company[dot]com Okta account.
For example, I can create a new Org on Okta, add bob@company[dot]com with a username and password, and Bob would be able to successfully authenticate to Okta, but it doesn't mean that he is the real bob@company[dot]com, just that the username/password combo on Okta is valid.
What is the common pattern to verify ownership of the email address so that we can let bob@company[dot]com authenticate to our application without trusting Okta?
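The trust problem described in the question, shown as an added example (it is not code from the question or from Okta): the naive resolver maps a login to an organization purely from the asserted email domain, so a token from any Okta tenant carrying bob@company.example lands in Company's account, while the issuer-bound resolver only accepts claims from the specific issuer (the standard OIDC `iss` claim) that the organization's admin registered. It assumes the ID token's signature, audience and expiry have already been verified by a proper OIDC library, and every issuer URL, email and claim set below is a constructed placeholder.

```python
"""Added example (not from the original question): a minimal claims check
showing why an email claim alone cannot prove domain membership, and the
usual fix: bind each organization account to the identity-provider issuer
its admin registered, and accept claims only from that issuer.
All issuer URLs, emails and claim dicts below are constructed placeholders."""

from dataclasses import dataclass, field


@dataclass
class Organization:
    name: str
    email_domain: str
    # Issuer URLs the org admin registered after proving control of the
    # domain (for example via a DNS TXT record). Empty = no IdP trusted yet.
    trusted_issuers: set = field(default_factory=set)


# Constructed tenant directory keyed by email domain.
ORGS = {
    "company.example": Organization(
        name="Company",
        email_domain="company.example",
        trusted_issuers={"https://company.okta.example/oauth2/default"},
    ),
}


def resolve_org_naive(claims: dict):
    """Flawed approach: trust whatever email the IdP asserts.
    Any Okta org can issue a token carrying bob@company.example, so a
    self-created tenant can impersonate a member of Company."""
    domain = claims["email"].split("@")[-1].lower()
    return ORGS.get(domain)


def resolve_org_issuer_bound(claims: dict):
    """Hardened approach: the issuer (`iss`) selects the org, and the email
    domain must match that org. A token from an unregistered issuer is
    rejected even when its email claim looks right."""
    iss = claims.get("iss")
    email = claims.get("email", "")
    domain = email.split("@")[-1].lower() if "@" in email else ""
    for org in ORGS.values():
        if iss in org.trusted_issuers and domain == org.email_domain:
            return org
    return None


# Constructed claim sets (what a verified ID token would yield).
LEGIT = {"iss": "https://company.okta.example/oauth2/default",
         "email": "bob@company.example", "sub": "00u1"}
ROGUE = {"iss": "https://unregistered-tenant.okta.example/oauth2/default",
         "email": "bob@company.example", "sub": "00u9"}

if __name__ == "__main__":
    print("naive, rogue token ->", resolve_org_naive(ROGUE).name)           # Company (wrong)
    print("issuer-bound, rogue token ->", resolve_org_issuer_bound(ROGUE))  # None
    print("issuer-bound, legit token ->", resolve_org_issuer_bound(LEGIT).name)  # Company
```

The registration step is what carries the trust: an issuer should only enter `trusted_issuers` after the organization proves it controls the email domain, so the email claim is then a label on an already-trusted assertion rather than the proof itself.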