
Brad Tarisznyas posted 03-07-2022 04:49
Hi Mano,
You should be able to use the AM Social Authentication for this if the IdP supports OAuth 2.0 or OIDC (ForgeRock Access Management 7.1.2 > Authentication and Single Sign-On Guide > Social Authentication). If you have further requirements to route the user, you could embed that logic into your authentication tree - so maybe prompt the user for an email address, then use a scripted decision node to route to the appropriate social provider based on those you have configured.
In your scripted decision node, you could have something like:
    // Scripted decision node: route to a social provider based on the domain of
    // the e-mail address collected earlier in the tree (stored as "username").
    var username = sharedState.get("username");
    var outcome;
    // Guard against a missing username or one without an "@"; without this the
    // substring call would throw and fail the tree. Lower-case the domain so the
    // comparison is case-insensitive.
    if (username == null || username.indexOf("@") < 0) {
        outcome = "Facebook"; // fallback, or use a dedicated outcome on the node
    } else {
        var domain = username.substring(username.lastIndexOf("@") + 1).toLowerCase();
        if (domain == "example.com") {
            outcome = "Google";
        } else {
            outcome = "Facebook";
        }
    }
    // Record the choice for later nodes; the outcome string must match one of
    // the outcomes configured on the scripted decision node.
    nodeState.putShared("selectedIdp", outcome);
Hope that helps.
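The domain-based routing Brad describes, as an added example that is not part of the original post or of ForgeRock's own code: the decision logic is written as plain functions with a stand-in for the AM nodeState binding, so it can be exercised offline in Node before being pasted into a scripted decision node. It generalises the single if/else above to a table of domains and also matches parent domains (so mail.example.com routes like example.com). The domain table, the outcome names "Google", "Facebook" and "Default", and the makeFakeNodeState helper are assumptions for illustration; the real node's outcomes must be configured to match whatever strings the script returns.

```javascript
// Added example, not code from the original post or from ForgeRock AM.
// Routes an e-mail style username to a social provider outcome by domain.

// Hypothetical domain-to-outcome table; keys should be registrable domains,
// never bare TLDs like "com", because parent-domain matching would then
// route every address to that provider.
const DOMAIN_TO_IDP = {
  "example.com": "Google",
  "example.org": "Facebook",
};
const FALLBACK_OUTCOME = "Default"; // hypothetical outcome for unknown domains

// Extract the domain of an e-mail style username, lower-cased.
// Returns null when the input is not a string, has no "@", or has nothing
// after the "@", so callers route to a fallback instead of throwing.
function extractDomain(username) {
  if (typeof username !== "string") return null;
  const at = username.lastIndexOf("@");
  if (at < 0 || at === username.length - 1) return null;
  return username.slice(at + 1).trim().toLowerCase();
}

// Pick the outcome for a username: exact domain match first, then walk up
// the parent domains ("mail.example.com" -> "example.com" -> "com").
function selectIdp(username) {
  const domain = extractDomain(username);
  if (domain === null) return FALLBACK_OUTCOME;
  let candidate = domain;
  while (candidate) {
    if (Object.prototype.hasOwnProperty.call(DOMAIN_TO_IDP, candidate)) {
      return DOMAIN_TO_IDP[candidate];
    }
    const dot = candidate.indexOf(".");
    candidate = dot < 0 ? "" : candidate.slice(dot + 1);
  }
  return FALLBACK_OUTCOME;
}

// Minimal stand-in for AM's nodeState binding (assumption: only get and
// putShared are modelled) so the script body can run under Node.
function makeFakeNodeState(shared) {
  const state = Object.assign({}, shared);
  return {
    get: (key) => (key in state ? state[key] : null),
    putShared: (key, value) => { state[key] = value; },
  };
}

// The script body as it would run in the node: read the username collected
// earlier in the tree, choose the provider, record it for later nodes, and
// return the outcome string the node uses to pick its next branch.
function runDecision(nodeState) {
  const outcome = selectIdp(nodeState.get("username"));
  nodeState.putShared("selectedIdp", outcome);
  return outcome;
}

// Constructed sample inputs, including the edge cases the guard handles.
const samples = [
  "alice@example.com", "Bob@MAIL.EXAMPLE.COM", "carol@example.org",
  "dave@other.net", "noatsign", "trailing@", "",
];
for (const u of samples) {
  const ns = makeFakeNodeState({ username: u });
  console.log(JSON.stringify(u), "->", runDecision(ns), "| selectedIdp =", ns.get("selectedIdp"));
}
```

The address typed at the prompt is self-asserted by an unauthenticated user, so it should only choose the route; the identity the tree trusts must come from the claims the selected IdP returns, not from the typed value.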