Using okta to support a new multi-tenant application

I’m considering using Okta to support a new application we’re building that will be multi-tenanted. For half of my tenants, they’ll want us to store their authentication information (and we would use Okta as the provider in these cases), but the other half will want us to connect to their identity providers. If we assume those providers support OAuth2 or OpenId, can my developers use the Okta tools for both types of clients or do they need to code the 2 cases differently?

1 Like

You need a particular feature that is on our roadmap, which is a generic OAuth 2.0 / OpenId IdP. Once we get this in place, you would be able to use the IdP Discovery feature (username first, reroute the user to their IdP to login, Okta mints a token with the IdP in the claim so your application can know which IdP they logged in through).

If your tenants are using Google Apps, we have support for that IdP today. We also have support for SAML IdPs as well for multi-tenancy.

Thanks and let me know any questions,

Dear Tom,

Have you implemented OAuth 2.0 / OpenId to allow multi-tenanted apps?



1 Like

Is there any update on this feature? We also have the same use case and would like to use the same OAuth2 code for Okta and other providers like Google. Google supports generic OAuth2.

Hi @ning

The feature has been released and you should be able to add successfully an OpenID Connect identity provider by going in your administrative panel to Security >> Identity Providers or (Users >> Social & Identity Providers if using the developer console).

Hi @dragos,

Maybe I misunderstood. I think the intention of the original question, and my question as well, in this thread is whether Okta can act as a multi-tenant OAuth2 provider so that applications using Okta OAuth2 for authentication can use a single set of auth URL and client ID/key pair for all organizations. Google does this.

As far as I can find, it seems that if my application wants to authenticate someone via Okta OAuth2, I have to know which organization the person belongs to and have the corresponding client ID/key pair in order to initiate the process. Is this still the case?



Any update on the multi-tenant support for Users and OAuth Clients?