SSO Backend Architecture + Sample Apps

Hi there,
I went through the SSO tutorial here: Overview | Okta Developer

However, the tutorial unfortunately doesn’t tell you anything about what to do on the backend side. I download the sample app (in Go) and I think it’s more geared towards basic OAuth as opposed to SSO? samples-golang/okta-hosted-login at master · okta/samples-golang · GitHub

I am left with a few questions:

  1. When a user wants to be redirected to the log in page, shouldn’t the “issuer” here be whatever organization they belong to? If you click on the following link, it’s getting the issuer from the environment which would be hardcoded to the app’s original organization: samples-golang/main.go at c7a168ec4d1eac295bf8325f9577ab0de133b72b · okta/samples-golang · GitHub

  2. When the oauth callback endpoint is called, the “exchange code” function is again using the hard-coded issuer which is my app’s original Okta organization. Which I’m okay with here, since we are passing the client id/secret. However, will it know which organization the user is actually signing on to and would it return it in the claims properly? samples-golang/main.go at c7a168ec4d1eac295bf8325f9577ab0de133b72b · okta/samples-golang · GitHub

  3. Given the confusion above, is there a way for me to test multiple organizations using my app before officially submitting my app to OIN? I’d like to make sure that my backend code can correctly handle distinguishing organizations before going to production.

Thanks,

I don’t think the Okta sample app is designed for your specific use case. I remember reading in their docs that they don’t recommend using the SDKs for OIN submissions.

Due to the OIN restrictions of using an org authorization server and the authorization code flow, the SDKs provided by Okta should not be used for app integration development, since they cannot validate the access tokens.

https://developer.okta.com/docs/guides/oin-oidc-guide/integration-best-practices/#software-development-kits

My attempt at answering your questions:

  1. Yes, for an OIN app your app needs to be able to handle multiple orgs/clients. For the sample, they’re assuming there’s only one client/org.

  2. For an OIN app, you will probably need to ask the user what Okta org they belong to. If you offer your customers dedicated subdomains, then maybe you will already know which Okta org the user should be authenticated against. Again, the sample app is assuming there’s only one client/org here.

  3. Good question. I’m not too sure but I imagine there should be a testing process after the app is submitted. Maybe someone else can chip in here.

Thank you for your prompt response!

Does that mean I need to create a new client id/secret for every organization that wants to use my app? That seems…not right.

I have spent hours reading so much Okta documentation and I still cannot figure out how I can implement SSO for multiple organizations.

The multi tenancy section here is incredibly short and doesn’t give you any guidelines: Multi-tenancy | Okta Developer

All I am trying to do is implement a simple OAuth flow where if I can check what organization a user belongs to, and if I have this organization registered in my database, then I can authorize them to use my app and show them the correct resources for said organization.

I am:

  1. An application with one domain name (no sub domains)
  2. I’d like to implement an Okta integration so that various companies could use my application without having to manage users.

I was able to successfully implement OAuth with Okta, but I cannot find any documentation about what my backend should do to manage multiple organizations.

Thanks

I believe Okta will be the one in charge of creating the client id/secret for every org. (client credentials are created when you create new app). You will need a way for your customer to provide those credentials to you and possibly store them.

This is how I imagine the login process would look like if you are able to store the customer’s client credentials:
On the app login page the user can choose to either authenticate using username/password or SSO (button). The user clicks on the SSO button and your app would prompt them to enter a value that you can use to identify them as one of your customers. Your app would then lookup the client credentials and issuer associated with that unique value.

I’m not sure clients want to give their credentials over. Is this the standard way of doing SSO with Okta? I can’t find any documentation that mentions an app should be storing different organizations’ client id/secrets. Thanks!

It sounds like Okta uses the authorization code flow so you definitely need the client secret to make a /token request to retrieve tokens.

For OIDC applications destined for the OIN, Okta recommends building a “web” application with a dedicated server-side back end that is capable of securely storing a Client Secret and exchanging information with an authorization server through trusted back-channel connections.

https://developer.okta.com/docs/guides/oin-oidc-guide/protocol-level-requirements/#authorization-code-flow