Auth0 Home Blog Docs

Okta multiple organizations with auth0

I need some assistance with the following:

Multiple Okta organizations wish to sign in to our website using their Okta logins/passwords. Our website uses the auth0 lock login

the auth0 login page needs to redirect to the correct Okta url depending on the users organization

What kind of setup does the Okta admin have to do to allow for their users to login to our website?

Any suggestions are welcome!

Hi @ink, thanks for this question! Help me out here, I’m trying to build a mental model:

  • there are multiple organizations
  • they use Okta as their identity provider
  • they want to login to your website using their Okta credentials (?)
  • after a user is logged in to your website with their Okta credentials, they need to be redirected to their org’s website (?)

Did I get it right? I’d think this might be the case of a custom OAuth2 connection: https://auth0.com/docs/connections/social/oauth2. Could you give it a try please? if it works for you, we could see how to make redirects work as well (I’d assume, custom app per org with a corresponding redirect_uri, maybe)

Yes they would login using their Okta credentials. Then they would be redirected to my company’s SPA website. Sorry about the confusion there I should clarify some things:

The issue I’m having is that the custom auth connection is unique to a single Okta app. The custom connection uses a unique token and authorization url. It is my understanding that 100 different Okta apps would require 100 custom social connections.

Ideally there would be a single login with Okta button instead of 100 different custom connections.

Ah, I see… Let me ask around and dig a bit further. I suppose you’ve already checked out this article, and it’s not going to work for you.

Honestly, I’m not sure how to make this work with 100 different Okta applications without setting up individual custom connections with each of them. Let’s try and summon all-knowing @nicolas_sabena, perhaps he could point us in the right direction :wink:

This scenario seems better suited to SAML enterprise connection. You’ll need to create one SAML connection per Okta organization (each will have its own sign-in URL), and for each connection you’ll configure one or more IdP domains:

When you have a domain associated to a connection, Lock will be able to do “home realm discovery”: it will know where to send the user based on the email address that the user types. So, in the example above, any “@acme.com” email address will redirect the user to the enterprise connection where that domain was configured.

Does that help?

I created a custom ui login using auth0-js. I’m using the lock code as an example for home realm discovery.

The issue I see with saml is that it requires a cert. I’m not sure if I can use the /api/v2/connections endpoint to create a saml connection. Ideally I would want to automate the setup process so that the okta admin would upload their cert and info to our service and have it instantly work.

Ideally there would be a single login with Okta button instead of 100 different custom connections.

I’m honestly not sure if Okta supports a global entry point for people coming in from different directories, otherwise you’ll need to create one connection per each (can be a SAML connection or an OpenID Connect enterprise connection as well).

Azure AD, for instance, lets you create a “multi-tenant” application registration, and they offer a “common” login endpoint, where home realm discovery is done by Azure AD for all of their known domains. This combination lets you create an Azure AD connection in Auth0 that lets users from any Azure AD domain to log in. But, again, don’t know if Okta provides a similar feature.

The issue I see with saml is that it requires a cert. I’m not sure if I can use the /api/v2/connections endpoint to create a saml connection. Ideally I would want to automate the setup process so that the okta admin would upload their cert and info to our service and have it instantly work.

/api/v2/connections lets you create any connection type, just like you’d do from the dashboard.

If you don’t want to deal with certificates, maybe Enterprise OIDC connections can help. If the service supports OIDC discovery, then Auth0 will get the data directly from the discovery endpoint and the necessary information to set up the connection is minimal.