SSO Integration - OIDC user enumeration

We have an Okta SSO integration that was published to the OIN a couple of years ago. It was created with the Web “application type” and the “Login initiated by App” setting. Now we’d like to support the login flow initiated from Okta’s side. After doing some tests, we noticed that a malicious user could use the “Initiate login URI” with random Okta domains to try to guess whether a customer has set up our App on their Okta tenant. As we have to identify the ssi param value somehow to send the auth request, we’re not sure what to do about malicious login attempts (user-enumeration vulnerability).
As far as we know, all the threads/posts mentioning “user-enumeration” solutions refer to SPA Apps, so we were wondering whether there’s any strategy/workaround that we’re missing (without creating a new App).


What's the concern in this scenario? The application should still be generating its own authorize request to check that the user is logged into the appropriate Okta org and is assigned to the application in question.
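The reply's point, that the app must still issue its own authorize request, is what the Initiate-login handler below does. It is an added example written for this thread, not code from the original poster or from Okta. It assumes the "ssi param" in the question is the `iss` parameter of OpenID Connect third-party initiated login (alongside `login_hint` and `target_link_uri`), that the app keeps a table of installed tenants keyed by issuer (the `TENANT_REGISTRY` below is a constructed placeholder), and that it redirects to the Okta org authorization server's `/oauth2/v1/authorize` endpoint. Unknown or malformed issuers all get the same generic login page and an audit record, so the handler itself never confirms or denies a tenant beyond the redirect a legitimate user needs.

```python
"""Constructed example: handling an OIDC third-party-initiated login request
(Okta's "Initiate login URI" flow) defensively.

Assumptions (not from the thread): TENANT_REGISTRY and GENERIC_LOGIN_URL are
placeholders for the app's real tenant table and login page; parameter names
follow OpenID Connect Core 1.0 section 4 (iss, login_hint, target_link_uri).
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse

# Hypothetical tenant registry: issuer -> per-tenant client configuration.
# In a real deployment this is populated when a customer installs the app.
TENANT_REGISTRY = {
    "https://customer-a.okta.com": {
        "client_id": "client-id-a-placeholder",
        "redirect_uri": "https://app.example.com/callback",
    },
    "https://customer-b.okta.com": {
        "client_id": "client-id-b-placeholder",
        "redirect_uri": "https://app.example.com/callback",
    },
}

GENERIC_LOGIN_URL = "https://app.example.com/login"  # assumed app-owned page
AUDIT_LOG = []  # stands in for the app's real logging / alerting sink


def canonical_issuer(iss):
    """Return the issuer in canonical form, or None if it is not acceptable.

    Only https, only a host (no path, query or fragment), lower-cased so that
    the registry lookup is an exact match rather than a prefix/substring test.
    """
    if not iss:
        return None
    u = urlparse(iss)
    if u.scheme != "https" or not u.netloc or u.path not in ("", "/"):
        return None
    if u.query or u.fragment:
        return None
    return f"https://{u.netloc.lower()}"


def pkce_pair():
    """Return a (verifier, S256 challenge) pair for the authorize request."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def handle_initiate_login(params, source_ip, session):
    """Return the redirect target for an Initiate-login request.

    Known issuer   -> the app's own authorize request, with state, nonce and
                      PKCE values bound to the caller's session.
    Unknown issuer -> the generic login page, plus an audit record; the
                      response carries nothing derived from the supplied iss.
    """
    issuer = canonical_issuer(params.get("iss"))
    tenant = TENANT_REGISTRY.get(issuer) if issuer else None
    if tenant is None:
        AUDIT_LOG.append({
            "event": "initiate_login_unknown_issuer",
            "src": source_ip,
            "iss": params.get("iss"),
        })
        return GENERIC_LOGIN_URL

    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    session.update({
        "state": state,
        "nonce": nonce,
        "pkce_verifier": verifier,
        "issuer": issuer,          # the callback must check the ID token's iss against this
        "target_link_uri": params.get("target_link_uri"),  # only honoured after login succeeds
    })
    query = {
        "client_id": tenant["client_id"],
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": tenant["redirect_uri"],
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if params.get("login_hint"):
        query["login_hint"] = params["login_hint"]
    return f"{issuer}/oauth2/v1/authorize?{urlencode(query)}"
```

The redirect for a registered issuer is still observable, because a genuine user has to be sent to their tenant's authorize endpoint; what the handler removes is any other signal (error text, timing branches that differ in shape, echoed input), and the audit record gives the SOC a per-source count of unknown-issuer probes to rate-limit or alert on. The `target_link_uri` is stored but not used until the callback has validated the ID token's `iss` against the session, so a crafted initiate request cannot turn the app into an open redirector.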