Claims sharing #5295
Merged
Claims sharing #5295
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
|
Netlify Preview URL for the changes: https://preview-5295--reverent-murdock-829d24.netlify.app |
susanharper-okta
force-pushed
the
sdh-okta846184-claimssharing
branch
from
8833ee4 to
84259b9
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
| @@ -0,0 +1 @@ | |||
| When you use SAML 2.0 with claims sharing, the data shared between an Okta IdP and an Okta SP is included in the SAML response in a new reserved tag in the `Extension` section called `OktaAuth`. This content is communicated in JSON within the `Assertion` response and contains information about authentication performed at the Okta IdP org. The entire assertion is securely encrypted with a published encryption key from the SP org. | |||
There was a problem hiding this comment.
Suggested change
| When you use SAML 2.0 with claims sharing, the data shared between an Okta IdP and an Okta SP is included in the SAML response in a new reserved tag in the `Extension` section called `OktaAuth`. This content is communicated in JSON within the `Assertion` response and contains information about authentication performed at the Okta IdP org. The entire assertion is securely encrypted with a published encryption key from the SP org. | |
| When you use SAML 2.0 with claims sharing, the data that's shared between an Okta IdP and an Okta SP is included in the SAML response in a new reserved tag in the `Extension` section called `OktaAuth`. This content is communicated in JSON within the `Assertion` response and contains information about authentication performed at the Okta IdP org. The entire assertion is securely encrypted with a published encryption key from the SP org. |
| @@ -0,0 +1 @@ | |||
| When you use OpenID Connect with claims sharing, the data shared between an Okta IdP and an Okta SP is included in the ID token under a new reserved claim name called `okta_auth`. The `okta_auth` payload within the ID token response contains information about authentication performed at the Okta IdP org. | |||
There was a problem hiding this comment.
Suggested change
| When you use OpenID Connect with claims sharing, the data shared between an Okta IdP and an Okta SP is included in the ID token under a new reserved claim name called `okta_auth`. The `okta_auth` payload within the ID token response contains information about authentication performed at the Okta IdP org. | |
| When you use OpenID Connect with claims sharing, the data that's shared between an Okta IdP and an Okta SP is included in the ID token under a new reserved claim name called `okta_auth`. The `okta_auth` payload within the ID token response contains information about authentication performed at the Okta IdP org. |
| #### What you need | ||
|
|
||
| * An Okta SP org and an Okta IdP org configured for an [Okta-to-Okta](/docs/guides/add-an-external-idp/oktatookta/main/) use case. This guide covers how to configure authentication claims sharing for this scenario. | ||
| * The **Okta-to-Okta Claims Sharing** feature enabled for both orgs. To enable, go to **Settings | Features**, locate the feature, and enable. |
There was a problem hiding this comment.
Suggested change
| * The **Okta-to-Okta Claims Sharing** feature enabled for both orgs. To enable, go to **Settings | Features**, locate the feature, and enable. | |
| * The **Okta-to-Okta Claims Sharing** feature enabled for both orgs. Go to **Settings | Features**, locate the feature, and then enable it. |
|
|
||
| ### Accepted authenticators | ||
|
|
||
| All authenticators that are natively performed on the Okta IdP are accepted. This includes authenticators such as WebAuthn, password, Okta Verify, Okta FastPass, SMS, Email, and so on. Claim sharing doesn't currently support the use of any Custom Authenticators for MFA, such as using another IdP or smart card. |
There was a problem hiding this comment.
Suggested change
| All authenticators that are natively performed on the Okta IdP are accepted. This includes authenticators such as WebAuthn, password, Okta Verify, Okta FastPass, SMS, Email, and so on. Claim sharing doesn't currently support the use of any Custom Authenticators for MFA, such as using another IdP or smart card. | |
| All authenticators that are natively performed on the Okta IdP are accepted. This includes authenticators such as WebAuthn, password, Okta Verify, Okta FastPass, SMS, email, and so on. Claim sharing doesn't currently support the use of any Custom Authenticators for MFA, such as using another IdP or smart card. |
| * **Disallow specific authentication methods**: If you specify authentication methods to disallow, then the SP org disallows those methods. | ||
| * **Allow specific authentication methods**: If you specify authentication methods to allow, then the SP org only considers those methods. | ||
|
|
||
| After you define these conditions, if you still haven't met the policy requirement, then the SP org redirects you to verify any locally configured authenticator. If there's no local authenticator available, or the enrollment policy for a particular authenticator is disabled, then the SP org displays an error. |
There was a problem hiding this comment.
Suggested change
| After you define these conditions, if you still haven't met the policy requirement, then the SP org redirects you to verify any locally configured authenticator. If there's no local authenticator available, or the enrollment policy for a particular authenticator is disabled, then the SP org displays an error. | |
| After you define these conditions, if you still haven't met the policy requirement, then the SP org redirects you to verify any locally configured authenticator. If there's no local authenticator available, or the enrollment policy for a particular authenticator is disabled, then the SP org displays an error. |
|
|
||
| ### Global session policy example | ||
|
|
||
| This same concept applies for the global session policy. Without trust claims enabled, if you have only the password authenticator configured in the SP org, you can't save a global session policy rule that requires MFA. |
There was a problem hiding this comment.
Suggested change
| This same concept applies for the global session policy. Without trust claims enabled, if you have only the password authenticator configured in the SP org, you can't save a global session policy rule that requires MFA. | |
| This same concept applies to the global session policy. Without trust claims enabled, if you have only the password authenticator configured in the SP org, you can't save a global session policy rule that requires MFA. |
| Configure a simple routing rule for the IdP in the Okta SP org. | ||
|
|
||
| * Click **Add Routing Rule**. | ||
| * Name it and leave the defaults. |
There was a problem hiding this comment.
Suggested change
| * Name it and leave the defaults. | |
| * Enter a name. Don't change the default values. |
| 1. Access your Okta SP org using your browser's privacy or incognito mode to avoid false positive or negative results. | ||
| 1. Click **Sign in with {Name of IdP}** on the Okta sign-in page. | ||
|
|
||
| If everything is configured properly: |
There was a problem hiding this comment.
Suggested change
| If everything is configured properly: | |
| This is the result if everything is configured properly: |
| * The authenticators configured in the authentication policy prompt the user for more authentication. | ||
| * After successful authentication, the user is redirected to the <StackSnippet snippet="redirect" inline /> specified in the Okta IdP org app. | ||
|
|
||
| If something is configured incorrectly, the authorization response contains error information to help you resolve the issue. See the [FAQ](#faq) section next. |
There was a problem hiding this comment.
Suggested change
| If something is configured incorrectly, the authorization response contains error information to help you resolve the issue. See the [FAQ](#faq) section next. | |
| If something is configured incorrectly, the authorization response contains error information to help you resolve the issue. See the [FAQ](#faq) section. |
Acrolinx scoreA minimum Acrolinx Score of 80 is required. The total score is an average of the subscores. Select Total score to review the Acrolinx scorecard for your article. Try to increase your individual scores, for example: Correctness. Your content will be clearer and more consistent.
|
barbaravo-okta
approved these changes
Jan 29, 2025
susanharper-okta
added
the
docs release
Merged
annejuan-okta
added a commit
that referenced
this pull request
Jan 30, 2025
* [OKTA-844514] 2025.01.2 Release Notes (#5300) * First pass at RN * Fix formatting and add IGA RN item * Update packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md Co-authored-by: Brian Duffield - Okta <[email protected]> * Update packages/@okta/vuepress-site/docs/release-notes/2025-okta-identity-engine/index.md Co-authored-by: Brian Duffield - Okta <[email protected]> * Update packages/@okta/vuepress-site/docs/release-notes/2025/index.md * Update packages/@okta/vuepress-site/docs/release-notes/2025/index.md --------- Co-authored-by: Brian Duffield - Okta <[email protected]> * Claims sharing (#5295) * update * updates * update * request response * example updates and more * update doc to make stack selector guide * Venkat updates and oidc examples * new files for new URL for claims sharing and complete first draft of content * save * policies * first shot at PR * framework * review comments * lars and ansu reviews * review comments * faqs moved * more review updates * acrolinx love * Lars updates * finalreviews * editorial review * Link fix and missing feature in classic --------- Co-authored-by: Brian Duffield - Okta <[email protected]> Co-authored-by: Susan <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Netlify link: https://preview-5295--reverent-murdock-829d24.netlify.app/docs/guides/configure-claims-sharing/oktaoidc/main/
Resolves: