Using okta to support a new multi-tenant application

mmestemaker · March 6, 2018, 10:22pm

I’m considering using Okta to support a new application we’re building that will be multi-tenanted. For half of my tenants, they’ll want us to store their authentication information (and we would use Okta as the provider in these cases), but the other half will want us to connect to their identity providers. If we assume those providers support OAuth2 or OpenId, can my developers use the Okta tools for both types of clients or do they need to code the 2 cases differently?

tom · March 9, 2018, 12:17am

You need a particular feature that is on our roadmap, which is a generic OAuth 2.0 / OpenId IdP. Once we get this in place, you would be able to use the IdP Discovery feature (username first, reroute the user to their IdP to login, Okta mints a token with the IdP in the claim so your application can know which IdP they logged in through).

If your tenants are using Google Apps, we have support for that IdP today. We also have support for SAML IdPs as well for multi-tenancy.

Thanks and let me know any questions,
Tom

TomE · October 24, 2018, 1:50pm

Dear Tom,

Have you implemented OAuth 2.0 / OpenId to allow multi-tenanted apps?

Thanks,

Tom

ning · March 1, 2020, 2:29am

Is there any update on this feature? We also have the same use case and would like to use the same OAuth2 code for Okta and other providers like Google. Google supports generic OAuth2.

dragos · March 2, 2020, 6:03am

Hi @ning

The feature has been released and you should be able to add successfully an OpenID Connect identity provider by going in your administrative panel to Security >> Identity Providers or (Users >> Social & Identity Providers if using the developer console).

ning · March 2, 2020, 4:20pm

Hi @dragos,

Maybe I misunderstood. I think the intention of the original question, and my question as well, in this thread is whether Okta can act as a multi-tenant OAuth2 provider so that applications using Okta OAuth2 for authentication can use a single set of auth URL and client ID/key pair for all organizations. Google does this.

As far as I can find, it seems that if my application wants to authenticate someone via Okta OAuth2, I have to know which organization the person belongs to and have the corresponding client ID/key pair in order to initiate the process. Is this still the case?

Thanks,

Ning

Kalai · July 31, 2020, 9:03pm

Any update on the multi-tenant support for Users and OAuth Clients?

questioneer · November 23, 2021, 10:16am

Any updates on this?

@dragos Are you saying that a service provider has to create an Okta organization and add all their clients as “IDPs”?

Do we have to create a hub-spoke setup to handle this?

system · February 10, 2024, 1:12am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.