I’ve followed this tutorial: Configure Okta as SAML Identity Provider in order to set up an Auth0 as SP/Okta as IdP integration with SAML as the protocol.
I had to create a new application in Okta and use the Single Sign On URL provided by Auth0 (https://YOUR_AUTH0_DOMAIN/login/callback) and also the Audience URI (urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME). Since I didn’t have these values at the moment, I just put placeholders until I got them.
When creating a new connection in Auth0, I needed to provide the X509 certificate and the Sign In URL I obtained from Okta. After the Auth0 connection configuration was finished, I went back to Okta and replaced the placeholders with the proper values.
I created an Auth0 application and enabled the connection for it. I also enabled the SAML2 WebApp add-on for the application.
The integration works fine. My issue is the following: both the Sign In URL and the X509 certificate from Okta change per application instance. In other words, there may be only one application in Okta, but when a customer adds it, a new Sign In URL is generated for that specific customer/application combination. That means I’d need to add a new connection in Auth0 for each customer, since the Sign In URL is different for each one.
However, the Okta application needs the connection’s name in order for it to work. It needs it for the Audience URI (urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME) and even for the SSO URL when support for IdP Initiated SSO is wanted (by appending a ?connection=CONNECTION_NAME to it).
So I don’t see how this works out unless I ask each customer to add their own custom app in Okta. Is there an alternative to this?
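Added example, not part of the original post: a small planning helper for the per-customer connections the question describes. For each customer it validates the Okta-side inputs (Sign In URL, pasted X509 certificate), derives a connection name, and emits both the Auth0 samlp connection to create and the Okta-side values (Single Sign On URL with `?connection=`, Audience URI) that depend on that name. The tenant, the Okta URL and the certificate are constructed placeholders; the option keys `signInEndpoint`/`signingCert` and the connection-name rule are assumptions.

```python
import re
import ssl
from dataclasses import dataclass

AUTH0_TENANT = "example-tenant"            # placeholder, not a real tenant
AUTH0_DOMAIN = f"{AUTH0_TENANT}.auth0.com"

@dataclass(frozen=True)
class Customer:
    slug: str           # short customer id, used to derive the connection name
    okta_sso_url: str   # per-instance Sign In URL that Okta generated for this customer
    okta_cert_pem: str  # per-instance X509 signing certificate pasted from Okta

# Conservative name rule (assumption): letters, digits and hyphens, no leading hyphen.
CONNECTION_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,34}")

def connection_name(customer: Customer) -> str:
    name = f"okta-{customer.slug}"
    if not CONNECTION_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid connection name: {name}")
    return name

def validate_cert(pem: str) -> bytes:
    """DER bytes of a pasted PEM certificate; rejects anything that is not one
    PEM block (BEGIN/END markers, valid base64) whose body is a DER SEQUENCE."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    if not der or der[0] != 0x30:
        raise ValueError("certificate body is not DER-encoded")
    return der

def plan_connection(customer: Customer) -> dict:
    """Values to create in Auth0 and to paste back into Okta for one customer."""
    if not customer.okta_sso_url.startswith("https://"):
        raise ValueError("Okta Sign In URL must be https")
    validate_cert(customer.okta_cert_pem)
    name = connection_name(customer)
    return {
        # Option keys follow the Auth0 samlp connection options (assumption).
        "auth0_connection": {"name": name, "strategy": "samlp",
                             "options": {"signInEndpoint": customer.okta_sso_url,
                                         "signingCert": customer.okta_cert_pem}},
        # Both Okta-side values embed the connection name, so they differ per customer.
        "okta_app_settings": {
            "single_sign_on_url": f"https://{AUTH0_DOMAIN}/login/callback?connection={name}",
            "audience_uri": f"urn:auth0:{AUTH0_TENANT}:{name}"},
    }

# Constructed sample input: a stub DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"
SAMPLE = Customer("acme", "https://example.okta.com/app/placeholder/sso/saml", SAMPLE_PEM)
```

Running `plan_connection` once per customer yields one Auth0 connection per customer, which is exactly the growth the question is asking how to avoid.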