Is it possible to use Org2Org to authenticate OIDC applications from different organizations?
I’m having trouble finding documentation on how to set up OIDC applications with Org2Org.
With Org2Org, the users will be federated into the target org (where your OIDC application lives and where you have configured the Org2Org Identity Provider) from the source org (where the Org2Org application is). Once they have a session in this target org (after logging in through their source org), they should be able to access any applications they are assigned in said target org, including your OIDC app.
AKA, if they were to make an /authorize request to https://{{targetOrg}}/oauth2/v1/authorize?client_id={{targetApp}}
they will be logged in automatically if they have an existing Okta session or they will be prompted to authenticate. If the latter occurs and you do not want/are able to use Routing Rules to automatically redirect the user to their IdP (source org) to login there, you can instead add the idp parameter to the /authorize request, with the value set as the id for the target IdP (gathered from the target org where the IdP resource was created).
Final reminder to make sure these users get assigned to the application in question or have the application configured to be available for all users (Federation Broker Mode). You can easily do this by having the users that log in through O2O be added to a specific group (as part of the IdP config in the target org) and assigning that group to the OIDC application.
Thanks for the explanation.
If the latter occurs and you do not want/are able to use Routing Rules to automatically redirect the user to their IdP (source org) to login there, you can instead add the idp parameter to the /authorize request, with the value set as the id for the target IdP (gathered from the target org where the IdP resource was created)
I have a question, how do you identify and redirect users from the source org who try to log in to the target org OIDC app?
To do this, do we need to push the source organization’s user information to the target org beforehand?