Setting up a multi-workforce-tenant authentication web application

Let me apologize in advance for my NOOB question.

We have an existing web application that uses OIDC to authenticate organizational clients against each client’s own tenant. For example, a client using Microsoft 365 can simply “login with Microsoft” and use their corporate credentials.

To achieve this we had to create an application in our tenant, and use that application as the OIDC provider, and enable it to authenticate against other/any tenant. For example, with Microsoft, we create the application in our M365 tenant, and enable logins from users in any other M365 tenant.

We have now been asked by a new client to support OKTA. The client uses OKTA Workforce, and I’m trying to see what the equivalent procedure is to enable “login with OKTA” without having to do something that is specific to this particular client.

I expect this is straightforward, but I’m struggling to navigate the setup. Please could someone point me at a good walkthrough of how to achieve this perhaps?

Thank you in advance.

Hello,
Certainly! To enable “login with OKTA” for your web application, follow these steps:

1. Log in to Okta Admin Console: Sign in to your Okta organization as an administrator.
2. Create an OIDC App Integration:
   - Go to Applications > Applications.
   - Click Create App Integration.
   - Select OIDC - OpenID Connect as the sign-in method.
   - Choose Web Application for the application type.
3. Configure Settings:
   - Set up the necessary details for your app integration.
   - Save the app, and you’ll receive a Client ID and Client Secret.
4. Integrate with Your Web Application:
   - Use the provided Client ID and Client Secret to enable “login with OKTA” in your application.
   - Implement the OIDC flow to authenticate users against OKTA Workforce.
This process should allow seamless authentication using OKTA for your clients. Happy integrating.

Best Regards

Many thanks @esther598 - if I understand you correctly, that requires registering a new app in every OKTA tenant that wants access? Your instructions are very helpful for that - thank you.

However, my question was whether it is possible to register a single app that allows any OKTA tenant to authenticate, as is possible with Google and Microsoft OIDC implementations. Do you know if this is supported by OKTA?

No, this is not supported, Okta is not a social authentication provider and cross-tenant access to the same application is not possible.

If you expect other Okta orgs to want to use your integration, the easiest way for them to set this up is if you were to submit your integration to the OIN. That will allow any Okta customer to add the integration to their org with minimal set-up required. Note that these OIN app instances will still be tied to the specific Okta domain/org in use and they will each have their own set of credentials.

More information on submitting an OIDC app to the OIN can be found in our guides:
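Since each Okta org gets its own app instance and its own credentials, the relying party has to keep a per-client record (issuer, client ID, client secret) and pin the ID token it accepts to that record. The following is an added illustration, not code from the thread or from Okta: the org domains, client IDs and secrets are constructed placeholders, the e-mail-domain lookup is an assumed way of picking the client, and `/v1/authorize` under the issuer is the authorization endpoint layout Okta documents for its authorization servers.

```python
"""Per-tenant Okta OIDC registry: one app instance (and credential set) per client org."""
import base64
import hashlib
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class OktaTenant:
    # One record per client org, holding the credentials issued by the app
    # integration created in that org (all values here are constructed placeholders).
    issuer: str        # e.g. https://<org>.okta.com/oauth2/default
    client_id: str
    client_secret: str


# Constructed sample registry keyed by the client's e-mail domain (assumed lookup key).
TENANTS = {
    "acme.example": OktaTenant("https://acme.okta.com/oauth2/default", "0oa-acme-PLACEHOLDER", "secret-PLACEHOLDER"),
    "globex.example": OktaTenant("https://globex.okta.com/oauth2/default", "0oa-globex-PLACEHOLDER", "secret-PLACEHOLDER"),
}


def tenant_for_email(email: str) -> OktaTenant:
    """Pick the client's Okta org from the e-mail domain; unknown domains are rejected."""
    domain = email.rsplit("@", 1)[-1].lower()
    try:
        return TENANTS[domain]
    except KeyError:
        raise LookupError(f"no Okta org registered for domain {domain!r}") from None


def build_authorize_url(tenant: OktaTenant, redirect_uri: str, state: str, code_verifier: str) -> str:
    """Authorization Code flow with PKCE (S256), sent to the selected org's authorization server."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": tenant.client_id,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{tenant.issuer}/v1/authorize?{urlencode(params)}"


def claims_belong_to_tenant(claims: dict, tenant: OktaTenant) -> bool:
    """After signature verification, require iss/aud to match the org the user was sent to.

    A correctly signed token from a different customer's org must not log a user
    into this client, so the check is against the per-tenant record, not a shared value.
    """
    return claims.get("iss") == tenant.issuer and claims.get("aud") == tenant.client_id
```

Signature verification against the org's JWKS, and the `exp`/`nonce` checks, still apply before `claims_belong_to_tenant` is consulted.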

Perfect - thank you very much.

