Reputation: 155
My application is a multi-tenant SaaS product that uses AADB2C for auth. To date we've allowed folks to log in with Google, Office 365 (i.e. OrgIds) and email+password.
We're now getting customers who want to light up SSO, specifically with Okta. I found information online which talked about integrating with SAML providers and was able to use that to connect to a test directory that I set up in Okta. This single integration with an Okta directory works as expected.
What's not clear to me is how to properly scale this up to more customers (i.e. more of my tenants). The directory-specific Okta metadata URL is embedded in the PartnerEntity item in the Metadata section for the TechnicalProfile, so it seems I'll need to duplicate the TechnicalProfile for each new customer (i.e. each new Okta directory). And because the UserJourney references the TechnicalProfile, it seems that I'll need to duplicate the UserJourney as well.
Ideally I'd be able to somehow pass in the metadata URL at sign in / sign up time, but it isn't clear to me that this is possible. The SAML integration examples that I've found online seem to be focused on doing a single integration, and in this scenario passing in the metadata isn't really necessary.
Is there a way to pass metadata into a TechnicalProfile like this? Or to somehow call into a web service to obtain the information at sign in / sign up time?
Upvotes: 1
Views: 275
Reputation: 14634
At design time, you must declare a claims provider for each identity provider; that is, one for each Okta organization.
However, at runtime, you can pass the domain_hint parameter to direct to the identity provider that is required to sign a specific tenant in or up.
Upvotes: 2
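As an added illustration of the answer above (this is example configuration written for this page, not the asker's policy or anything from Microsoft's or Okta's own documentation), here is what "one claims provider per Okta organization, selected at runtime by domain_hint" looks like inside an Azure AD B2C custom policy. Two hypothetical customers, `contoso.example` and `fabrikam.example`, are assumed; their Okta metadata URLs, the technical profile Ids, the `B2C_1A_SamlIdpCert` key container and the `B2C_1A_signup_signin` policy name are all placeholders. Each customer gets its own `ClaimsProvider` whose `Domain` element is the value the caller passes as `domain_hint`; the journey's combined sign-in step lists every exchange, and the hint skips the picker and goes straight to the matching one.

```xml
<!-- Added example: fragments of a TrustFrameworkPolicy, not a complete file.
     Runtime selection happens on the authorize request (values are placeholders):
     https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/B2C_1A_signup_signin/oauth2/v2.0/authorize
       ?client_id=...&redirect_uri=...&scope=openid&response_type=id_token&nonce=...
       &domain_hint=contoso.example
     The domain_hint value must match a <Domain> element below exactly. -->
<ClaimsProviders>

  <!-- Customer 1: declared at design time, one per Okta organization. -->
  <ClaimsProvider>
    <Domain>contoso.example</Domain>
    <DisplayName>Contoso (Okta)</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SAML-Okta-Contoso">
        <DisplayName>Contoso Okta</DisplayName>
        <Protocol Name="SAML2" />
        <Metadata>
          <!-- The only per-customer value: the federation metadata URL of
               the Okta app for this organization (placeholder URL). -->
          <Item Key="PartnerEntity">https://contoso.okta.com/app/exk_placeholder/sso/saml/metadata</Item>
          <!-- Keep assertion signature checks on; B2C validates against the
               signing certificate published in that metadata document. -->
          <Item Key="WantsSignedAssertions">true</Item>
        </Metadata>
        <CryptographicKeys>
          <!-- B2C signs outgoing AuthnRequests with this policy key. -->
          <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
          <!-- Tag the account with which customer's IdP issued it. -->
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="okta-contoso" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

  <!-- Customer 2: same shape, different Domain, Id and PartnerEntity. -->
  <ClaimsProvider>
    <Domain>fabrikam.example</Domain>
    <DisplayName>Fabrikam (Okta)</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="SAML-Okta-Fabrikam">
        <DisplayName>Fabrikam Okta</DisplayName>
        <Protocol Name="SAML2" />
        <Metadata>
          <Item Key="PartnerEntity">https://fabrikam.okta.com/app/exk_placeholder/sso/saml/metadata</Item>
          <Item Key="WantsSignedAssertions">true</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="okta-fabrikam" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>

</ClaimsProviders>

<!-- One user journey serves every customer; the TechnicalProfiles are not
     duplicated into separate journeys, only listed as selectable exchanges. -->
<UserJourney Id="SignUpOrSignIn">
  <OrchestrationSteps>
    <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
      <ClaimsProviderSelections>
        <ClaimsProviderSelection TargetClaimsExchangeId="ContosoOktaExchange" />
        <ClaimsProviderSelection TargetClaimsExchangeId="FabrikamOktaExchange" />
        <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
      </ClaimsProviderSelections>
      <ClaimsExchanges>
        <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <OrchestrationStep Order="2" Type="ClaimsExchange">
      <ClaimsExchanges>
        <ClaimsExchange Id="ContosoOktaExchange" TechnicalProfileReferenceId="SAML-Okta-Contoso" />
        <ClaimsExchange Id="FabrikamOktaExchange" TechnicalProfileReferenceId="SAML-Okta-Fabrikam" />
      </ClaimsExchanges>
    </OrchestrationStep>
    <!-- remaining steps (read/write user, issue token) unchanged from the starter pack -->
  </OrchestrationSteps>
</UserJourney>
```

Two practitioner notes on this shape. First, `domain_hint` is a routing hint chosen by whoever builds the authorize URL; it does not prove which customer the user belongs to, so tenant authorization in the application should key off claims B2C issues after the SAML assertion is validated (here `identityProvider` and the Okta-asserted identifier), never off the hint itself. Second, because B2C can only federate with identity providers declared in the uploaded policy, onboarding a new Okta customer is a policy change (add a `ClaimsProvider` and two `ClaimsExchange` entries, re-upload), not something a web service call at sign-in time can supply; keep a template and generate these blocks rather than hand-editing them.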