Our clients are asking us if they can log into our apps using their Okta IDP. They’re asking specifically about SAML integration, but I’m not sure if that’s a hard requirement.
I’ve had an Okta/Auth0 representative on the phone who told me there are two options:
be part of the Okta Integration Network
use Auth0 to integrate their IDP
The sales rep told me that if we used the latter, we would need to subscribe to Auth0 and migrate all our users there. We are currently using Keycloak for identity and access management.
I’m not sure about a few things
what is the preferred approach for that use case (OIN, Auth0)
can we really not use Auth0 as an external IDP, as suggested by the rep? Because my understanding is that this should be possible
I am a little confused regarding the requirements that your client has, if I am wrong about anything, feel free to correct me and let me know!
So, as far as I understand, the client requires you to integrate a connection in your application in order to log in via their OKTA IdP. What do you mean by the OKTA IdP? Is the IdP Okta (as in an Okta Workforce connection) or do they have a 3rd party IdP set up through Okta?
If you would need to integrate the 3rd party IdP within Auth0 as a SAML connection, that is possible by creating a custom SAML Enterprise Connection within the Dashboard. However, as you have been advised, this is a feature available through an Enterprise Plan, which also covers the use of your own Database in order to migrate users to Auth0.
A custom database would be required if you want to either use Keycloak’s stored users or to migrate the users to Auth0.
You can read more about that on our pricing page.
what is the preferred approach for that use case (OIN, Auth0)
Since your application would be a SaaS B2B one as far as I understand, both OIN and Auth0 would be suitable on the matter. It would really come down to what specific connections your application requires and if the integrations are available/possible within the platform.
can we really not use Auth0 as an external IDP, as suggested by the rep? Because my understanding is that this should be possible
Yes, you can set up Auth0 to be an external IdP for your application.
If you need extra clarification about anything, if I missed something or if you have extra questions, please let me know!
I need to clarify that with them, the requirement is “to be compatible with the authentication solution OKTA (SAML v2 compatibility)”
If I understand correctly, I have a few options here, which will be more or less relevant depending on my client requirements
Join the OIN
Create a custom SAML Enterprise Connection (which would require migrating users to Auth0 through the use of a custom database)
Set up Auth0 to be an external IdP for my application
On the third option: my understanding is that I could connect to Auth0 as an external IdP using SAML, is that understanding correct? What would be the limitations of this approach?
I need to clarify that with them, the requirement is “to be compatible with the authentication solution OKTA (SAML v2 compatibility)”
Basically, yes, you can create a SAML connection to an OKTA IdP.
Create a custom SAML Enterprise Connection (which would require migrating users to Auth0 through the use of a custom database)
By creating a SAML Enterprise connection, you do not need to migrate the users, since Auth0 will create a user on their side as well once authentication is performed, meaning that you can keep the original OKTA IdP and the Auth0 users created through the specific connection.
Set up Auth0 to be an external IdP for my application
If you are going to authenticate users against an OKTA IdP using a SAML connection, that is not needed, unless you want your application to register users on Auth0 without authenticating against the OKTA IdP.
Otherwise, you can set up Auth0 to act as an IdP using both SAML and OIDC connections.
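The answer above describes the flow where the service provider (Auth0 acting for your app, or your app directly) consumes a SAML 2.0 assertion from the Okta IdP and creates the local user just-in-time on first login instead of migrating users ahead of time. The following is an added illustration of the checks an SP performs on that assertion before provisioning; it is not code from Auth0, Okta or Keycloak. The SAML response, entity IDs (`IDP_ENTITY_ID`, `SP_ENTITY_ID`), timestamps and the in-memory `store` are all constructed for the example. XML signature verification is left out to keep the example short; a real SP verifies the signature against the IdP certificate before trusting any of the fields checked below.

```python
"""SP-side SAML 2.0 assertion checks followed by just-in-time (JIT) user
provisioning.  Added example; signature verification is intentionally omitted
and must be done first in a real service provider."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed identifiers for the example (placeholders, not real tenants).
IDP_ENTITY_ID = "urn:example:okta-idp"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"

# Constructed SAML response as the IdP would POST it to the SP's ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Issuer>urn:example:okta-idp</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed clock values: one inside the validity window, one after it.
WITHIN_WINDOW = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)


@dataclass
class ProvisionedUser:
    name_id: str
    attributes: dict = field(default_factory=dict)


def parse_time(value):
    """Parse a SAML xs:dateTime; a trailing Z means UTC."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Check issuer, validity window and audience, then extract the subject.
    Raises ValueError on any failed check (the SP must reject the login)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion carries no Conditions")
    not_before = parse_time(conditions.get("NotBefore"))
    not_on_or_after = parse_time(conditions.get("NotOnOrAfter"))
    if not_before is not None and now < not_before:
        raise ValueError("assertion not yet valid")
    if not_on_or_after is not None and now >= not_on_or_after:
        raise ValueError("assertion expired")
    audiences = [a.text for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not addressed to {expected_audience!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion carries no NameID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return ProvisionedUser(name_id, attrs)


def assertion_is_valid(xml_text, expected_issuer, expected_audience, now):
    """Boolean wrapper around validate_assertion for callers that only need pass/fail."""
    try:
        validate_assertion(xml_text, expected_issuer, expected_audience, now)
        return True
    except ValueError:
        return False


def jit_provision(store, user):
    """Create the local user on first login, as Auth0 does for an Enterprise
    connection; on later logins only refresh attributes.  Returns True when a
    new user was created."""
    if user.name_id not in store:
        store[user.name_id] = {"attributes": dict(user.attributes)}
        return True
    store[user.name_id]["attributes"] = dict(user.attributes)
    return False


if __name__ == "__main__":
    store = {}
    user = validate_assertion(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, WITHIN_WINDOW)
    print("created:", jit_provision(store, user), "user:", user.name_id)
    print("replayed after window:",
          assertion_is_valid(SAMPLE_RESPONSE, IDP_ENTITY_ID, SP_ENTITY_ID, AFTER_WINDOW))
```

The audience check is what ties the assertion to your SP's entity ID, so an assertion Okta issued for a different application is rejected even though the issuer and signature would be valid; the `NotOnOrAfter` check is why the same response cannot be presented again later. Both are configuration values you exchange with the client when setting up the SAML connection, whichever of the three options you choose.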