How to setup a web app on a remote customer's Okta dashboard that works with our existing nodejs web site using JWTs?

We have a nodejs web service that uses JWTs with a backend postgres DB.

We have a customer that uses Okta and would like us to show up as an app on their dashboard so they can login to our app without setting up credentials with us.

What is the best way to architect this?

Current Idea:
I have a test Okta account and a test Auth0 account. I setup a web app for the Okta account and linked it to an Auth0 application. For the application, I established a SAML enterprise connection on Auth0 and linked it to a SAML connection on the Okta account.

I’m trying to track the process and get the client to go to Auth0 with an Okta token so that Auth0 can give them a token and redirect them to my app so that my app can interpret the Auth0 token (using nodejs-auth0) and then redirect them to the app with a local app JWT that will work like the application works today (currently only with accounts and passwords for clients in order to get a token).

Would you please help point me in the right direction on how I should think about getting a web app working from a remote client’s Okta dashboard that will allow an integration with our app without requiring them to create new accounts and credentials?

I REALLY appreciate any pointers that you can offer for this problem space!

In exploring the community, I found this post which could be relevant and be what I’m looking for. I’m evaluating the steps I took to see if I used the wrong redirect URL and need to instead use one that points at the SAML path:

Based on the instructions above from @lihua.zhang, I updated the URLs I was using and I can now see when I “try” the Auth0 link from the SAML connection that the following is happening:

  1. GET
  1. GET http://office.localhost:3001/auth-oidc/auth-code/login?SAMLRequest=fZFPb8IwDMXPXX
  • 200 OK response (SAML connection established)
  1. SAML - API Read Operation - Get Connection
  2. SAML - API Read Operation - Get Client by ID

I end up at the login page for my app (which is only meant for local creds user/pass). I need to look at how to interpret the incoming request since I’m not seeing an Auth header with a “Bearer ” like the app is expecting.

I need to understand how I end up at the /auth-oidc/auth-code/login page when I only have a configuration for /auth-oidc/auth-code/callback in the Auth0 configuration.

I’m seeing that some of the work with the nodejs-auth0 client seems to be where I end up with and it isn’t working properly. Working through the code to make sure that it will handle validation properly.

I saw notes for the OIN integration process

It looks like a simple front-end SPA redirect page that Okta users could click to could help retrieve a token from Okta via OIDC/OAuth2.0 - if I extend that by using the okta-auth-js library, I should be able to receive that token and redirect the user to the application with a JWT issued by our service in the end without much extra work.

I’ll continue along this path since it is simpler than setting up the SAML integration as well.