If users are mastered in an Auth0 tenant and you would like to give those users access to an Okta tenant, this is how you can configure Auth0 as an external identity provider (IdP) in Okta using OpenID Connect (OIDC).
Step 1 – Configure Auth0
Perform the following steps in your Auth0 tenant:
- In the Auth0 administration console, create a new application of type Regular Web Application.
- Take note of the generated Client ID and Client Secret as these will be required when we configure Okta.
- Scroll to the bottom of the settings page and expand Advanced Settings and open the Endpoints tab. Take note of the OAuth endpoints as these will be required when we configure Okta.
- Copy the OpenID Configuration URL and paste it into a new browser tab. This displays the complete OpenID Connect discovery document. Take note of the issuer URL from the top of the document as this will be required when we configure Okta. Note: Remove the trailing forward slash from the issuer URL, as leaving it in place will cause an error.
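As an added example (not part of the original article or of Auth0's or Okta's own tooling), this Python snippet parses a constructed sample of the discovery document from Step 1, strips the trailing slash from the issuer, and checks that every endpoint Okta will be given is HTTPS and served by the issuer's own host, so you catch a wrong-tenant paste or a tampered document before entering values in Step 2. The tenant name is a placeholder.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an Auth0 /.well-known/openid-configuration response,
# trimmed to the fields the Okta OIDC IdP form asks for. Tenant name is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example-tenant.us.auth0.com/",
    "authorization_endpoint": "https://example-tenant.us.auth0.com/authorize",
    "token_endpoint": "https://example-tenant.us.auth0.com/oauth/token",
    "userinfo_endpoint": "https://example-tenant.us.auth0.com/userinfo",
    "jwks_uri": "https://example-tenant.us.auth0.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email"],
})

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri")


def okta_idp_settings(discovery_json: str) -> dict:
    """Return the values to paste into Okta's OIDC IdP form, or raise ValueError."""
    doc = json.loads(discovery_json)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")

    # Okta rejects an issuer with a trailing slash, so normalise it here.
    issuer = doc["issuer"].rstrip("/")
    issuer_host = urlparse(issuer).hostname
    settings = {"issuer": issuer}

    for key in REQUIRED[1:]:
        url = doc[key]
        parsed = urlparse(url)
        # Every endpoint must be HTTPS and belong to the issuer's host; anything else
        # means a wrong-tenant paste or a document that was altered in transit.
        if parsed.scheme != "https" or parsed.hostname != issuer_host:
            raise ValueError(f"{key} does not belong to issuer {issuer}: {url}")
        settings[key] = url

    # Okta's IdP Username of idpuser.email needs the email claim, so the IdP must
    # advertise the openid and email scopes if it publishes scopes_supported at all.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        for scope in ("openid", "email"):
            if scope not in advertised:
                raise ValueError(f"IdP does not advertise required scope {scope!r}")
    return settings


if __name__ == "__main__":
    for name, value in okta_idp_settings(SAMPLE_DISCOVERY).items():
        print(f"{name}: {value}")
```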
Step 2 – Configure Okta
Perform the following steps in your Okta tenant:
- In the Okta administration console, go to Security > Identity Providers and click Add Identity Provider. Choose the type OpenID Connect IdP. Then add the following configuration:
  - The Client ID and Client Secret copied from Step 1
  - The endpoints copied from Step 1
- Adjust the Authentication and JIT settings as required. Set IdP Username to idpuser.email.
- Save the settings and ensure the new Identity Provider is now active.
- On the Identity Providers summary page, expand the IdP you just created and copy the Redirect URI.
Step 3 – Update Auth0
In the Auth0 administration console, open the application you created in Step 1. Add the Redirect URI copied from the previous step to the Allowed Callback URLs.
Step 4 – Create Routing Rule in Okta
In order to channel users through this connection, you will need to either create a routing rule or customize the sign-in widget. You can find more about customizing the sign-in widget here: Enterprise Identity Provider | Okta Developer
Here is an example of how to create a routing rule:
- In the Okta administration console, go to Security > Identity Providers and select the Routing Rules tab.
- Click Add Routing Rule and provide a meaningful name.
- Define the rules for how users will be routed through this IdP. A common approach is to match on domain name. As an alternative, I have used an attribute value (auth0_mastered = True) to route users.
- In the field Use this identity provider, remove the Okta provider and add your newly created provider.
- Click Save and ensure the routing rule is Active.
The configuration is now complete. Try logging into Okta with a user that matches the routing rule; the same user must also exist in your Auth0 tenant.