Integrate Okta Org2Org with Okta
You can use the Okta Org2Org integration to authenticate and optionally provision users from a source Okta org to a target org. The integration is installed and configured in the source org. You can use Okta Org2Org to connect multiple source orgs to a single Okta target org. This integration enables the source orgs to push users to the target org.
If you choose to use the provisioning features of the Org2Org app, you can use OAuth 2.0 or an API token to secure the connection between the orgs.
A common scenario where Org2Org is used is the hub-and-spoke model. In these scenarios, the spoke orgs are the source orgs and the hub org is the target org.
The Org2Org integration isn't available in Okta Developer Edition orgs. If you need to test this feature in your Developer Edition org, contact your Okta account team.
Configure federation between orgs
This procedure assumes you're configuring Okta Org2Org in an Okta source org.
- In the source org, open the Admin Console and go to .
- Click Browse App Catalog.
- In the search field, enter Org2Org, and then select Okta Org2Org.
- Click Add Integration.
- Complete the fields on the General Settings page, and then click Next.
- Select a sign-on option. If you select SAML 2.0, click View Setup Instructions and follow the steps.
- Click Done.
- Go to
- Open the Org2Org app and switch to the Sign On tab.
- Click View SAML setup instructions. Follow the directions to create an IdP in the target org to work with the Org2Org app. For details and security best practices, see Add a SAML Identity Provider.
- Copy the value of the IdP Single Sign On URL to use in a later step.
. - Switch to the Assignments tab of the Org2Org app. Assign users and groups to the Org2Org app by completing these steps:
- Click Assign, and then select Assign to People or Assign to Groups.
- Click Assign next to a user or group name, or use the search field to locate a user or group, and then click Assign.
- Configure one or more apps in the target org to allow source org users to access.
- Create and configure an application in the target org.
- In the General tab of the app, copy the Embed Link value from the App Embed Link section.
- In the source org, Create a Bookmark App integration.
- Create the URL for the bookmark app by concatenating these values:
- The IdP Single Sign On URL (for example, https://sourceorg.okta.com/app/okta_org2org/app_ext_id/sso/saml)
- ?RelayState=
- The Embed Link value for the app (for example, https://targetorg.okta/home/app_name/instance_id/app_id)
For example, concatenate the preceding values to create the following URL for your bookmark app: https://sourceorg.okta.com/app/okta_org2org/app_ext_id/sso/saml?RelayState=https://targetorg.okta/home/app_name/org_id/app_id
- Optional. Enable provisioning from the source org to the target org using OAuth 2.0 (preferred) or an API token.
Enable provisioning from source to target
If you need provisioning but don't need real-time sync of users, user profile attributes, and groups, manually create source org users in the target org:
- In the source org, export a list of active users. In the Admin Console, go to Reports and click Okta Password Health. The report is generated and sent to your email address. You can also download the report. Open the CSV file and filter the Status column to show active users.
- In the target org, import the users from the CSV file. Assign them to the groups for their source orgs and to any groups for apps that they need access to.
- Manually link the newly created users to the IdP configured for the source org.
If you need provisioning and real-time sync of users, choose one of the following methods:
Use OAuth 2.0 for provisioning
To enable OAuth 2.0 provisioning between orgs, you must use a combination of the Okta APIs and the Admin Console.
- In the source org, open the Admin Console and go to
- Open the Org2Org app.
- Copy the app ID from the URL. For example, in the URL <sourceorg>/admin/app/okta_org2org/instance/0oa78guhzaGH4KHZt1d7/#tab-import, the ID is 0oa78guhzaGH4KHZt1d7.
. - List the key credentials for the Org2Org app, passing the application ID from the previous step.
- Create an OAuth 2.0 service app in the target org, using the key credentials from the previous step as the keys entry in the jwks object.
- In the target org, open the Admin Console and go to . Open the OAuth 2.0 service app.
- On the Admin roles tab, click Edit assignments.
- Click + Add assignment and then select Group Administrator from the Role dropdown list.
- Click + Add assignment and then select Group Membership from the Role dropdown list.
- Click Save Changes.
- Grant consent for the API scopes that enable the service app to create users and manage user profiles and credentials.
- In the target org, open the Admin Console and go to . Open the OAuth 2.0 service app.
- On the Okta API Scopes tab, grant the okta.groups.manage and okta.users.manage scopes.
- Assign admin roles to the OAuth 2.0 service app.
- Optional. Enable provisioning to automate account creation, updates, and deactivation.
- In the target org, open the Admin Console and go to General tab. . Open the OAuth 2.0 service app and copy the client ID from the
- In the source org, use the Okta API to enable OAuth 2.0-based provisioning.
- In the source org, configure the provisioning settings for the Org2Org app.
- In the Admin Console, go to .
- Open the Org2Org app.
- On the Provisioning tab, go to the Okta Org2Org Attribute Mappings section and find the initialStatus attribute. Click Edit. The most common configuration for the initial status Attribute value is Same value for all users and active_with_pass.
- Choose your desired settings.
- Click Save.
- Optional. Test your Org2Org provisioning.
- In the Provisioning to App section, click Edit, and then select Create Users, Update Users, and Deactivate Users. Save your settings.
- Assign the app to a group. On the Assignments tab, click , select a group and click Save and Go Back. Click Done. Filter your assignments by people to view the list of users who belong to the group that you configured.
- Go to the Admin Console on the target org. Go to and confirm that the users assigned to the Org2Org app in the source org have been provisioned.
Use API token for provisioning
- Create the API token on the target Okta org:
- In the Admin Console, go to .
- Click the Tokens tab, and then click Create token.
- Enter a descriptive name for the token, and then click Create token.
- Copy the token value to your clipboard or a text editor.
- Click OK, got it.
- In the source org, open the Admin Console and go to .
- Select Okta Org2Org from the list of applications.
- Click the Provisioning tab, click Configure API Integration, and then select Enable API integration.
- Complete these fields:
- Security token: Paste the security token that you copied earlier.
- Prefer Username Over Email: Optional. Select this option if you don't want to use an email address as the username.
- Import Groups: Optional. Clear the checkbox if you don't want to import groups from the connected org.
- Optional. Click Test API Credentials to test the API integration.
- Click Save.
-
Optional. Change the provisioning settings from the target Okta org to the source org:
- Click the Provisioning tab, and then select To App under Settings.
- Click Edit.
- Select the Create Users, Update User Attributes, Deactivate Users, or Sync Password checkboxes.
- Click Save.
- Optional. Change the provisioning settings from the source org to the target Okta org:
- Click the Provisioning tab, and then select To Okta under Settings.
- Click Edit in the General, User Creation & Matching, Profile & Lifecycle Sourcing, or Import Safeguard areas to edit the settings.
When you select Allow Okta Org2Org to source Okta users in the Profile & Lifecycle Sourcing area, the source org is the source for user profile data. When you import Okta users into your target org, updates made to user properties in the source org are applied to other apps that the user is assigned.
- Click Save.
- Select an option for Initial status (initialStatus). This attribute determines the status of the user in the connected org when they're created, linked, or reactivated. When active_with_pass or pending_with pass is selected, a temporary password is generated for the user. When Okta Password Sync is enabled, the temporary user password is overwritten when the user signs in. The most common configuration for the initial status Attribute value is Same value for all users and active_with_pass. Click Edit. Choose your desired settings, and then click Save.
- Optional. Push new Okta groups to the connected org. See Manage Group Push.