SSO Implementation for MVC

Hi,
We have an MVC application with on-premises authentication. Now we need to implement SSO in our application. We are checking the different options available that can fit our requirement.
Basically we want to implement it in such a way that authentication is done by the client's identity provider. Suppose we have 2 clients, ClientA and ClientB; each client has 2 users:
ClientA users - User1, User2
ClientB users - User3, User4
Each client will have its own IdP. And there are a few internal users, User5 and User6.
Now, on the login screen, if User5 or User6 enters their email, then on clicking Next we will show a screen with a password field and our internal authentication will work.
But if User1 or User2 enters their email as the user name, then on clicking Next they should be redirected to the Okta login screen, where authentication will be done on their side. It should not require us to create users in our IdP. Once authenticated, they will be redirected to our application.
Same for User3 and User4.
I have gone through the documentation and found the articles below. Identity Provider routing rules can be used in this case along with a SAML IdP, as per my understanding. But when I check the SAML configuration documentation, there is not much clarity given:
https://help.okta.com/en/prod/Content/Topics/Security/Identity_Provider_Discovery.htm
https://help.okta.com/en/prod/Content/Topics/Security/idp-add-saml.htm
https://saml-doc.okta.com/SAML_Docs/Configure-SAML-2.0-for-Org2Org.html

Please let me know in the first place whether Okta has any solution for our scenario. If yes, then please confirm if SAML Org to Org should be used. Then also help us understand where we should get the details below:
IdP Issuer URL - Are we supposed to create these values in our IdP? If yes, then how? If no, then who can give these details and from where?
IdP single sign-on url - Are we supposed to create these values in our IdP? If yes, then how? If no, then who can give these details and from where?
IdP signature cert

For our scenario we might need to ask our clients for a few details, as we will be using their IdP, so which information do we need from them?

Too big of a question, which would require an architecting session.

In a couple of words, your org should have 2 external IdPs (SAML) for Client A and Client B, assuming that you can create routing rules (can you distinguish external users easily, maybe by their email domain?).

If the clients have their own Okta tenants, then they just create SAML applications there and share their metadata with you. Those will be your IdP metadata (ACS, Audience, certificate).
