How to configure an external IDP (Okta, CyberArk, etc.) as an authorization server for ForgeRock. How do we route user authentication to a different IDP based on the user's domain?
If I’m understanding your question correctly, you’d like to use Okta as an external IDP. I will reach out to the team and see if I can get an answer for you.
You should be able to use the AM Social Authentication for this if the IDP supports OAuth 2.0 or OIDC (ForgeRock Access Management 7.1.2 > Authentication and Single Sign-On Guide > Social Authentication). If you have further requirements to route the user, you could embed that logic into your authentication tree - so maybe prompt the user for email address, then use a scripted decision node to route to the appropriate social provider based on those you have configured.
In your scripted decision node, you could have something like:
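As an added illustration (not Brad's code and not ForgeRock's own), here is the kind of domain-based routing a Scripted Decision node could run in JavaScript. It assumes an earlier node stored the collected email in sharedState under the key "email", and that the node's configured outcomes are named okta, cyberark and local (all assumptions); the domain allow-list is constructed sample data.

```javascript
// Added example (not from the thread): domain-based routing logic for an AM
// Scripted Decision node. Assumes a previous node stored the collected email
// in sharedState under "email", and that the node's outcomes are named
// "okta", "cyberark" and "local" (all of these names are assumptions).

// Explicit allow-list (constructed sample data): only these domains are routed
// to an external IdP. Anything else falls through to the default outcome, so a
// user-typed address can never select an arbitrary provider.
var DOMAIN_OUTCOMES = {
  "example.com": "okta",
  "partner.example": "cyberark"
};

// Return the lower-cased domain part of an email address, or null if the
// value is malformed. The last "@" is used and the local part is then checked,
// so "a@b@example.com" is rejected rather than routed on "b@example.com".
function extractDomain(email) {
  if (typeof email !== "string") { return null; }
  var trimmed = email.trim();
  var at = trimmed.lastIndexOf("@");
  if (at <= 0 || at === trimmed.length - 1) { return null; }
  if (trimmed.substring(0, at).indexOf("@") !== -1) { return null; }
  return trimmed.substring(at + 1).toLowerCase();
}

// Map an email address to a node outcome. Exact-match lookup only: a domain
// such as "evil-example.com" must not match "example.com". hasOwnProperty
// guards against inherited keys like "constructor" on the plain object map.
function routeByDomain(email, domainOutcomes, defaultOutcome) {
  var domain = extractDomain(email);
  if (domain === null) { return defaultOutcome; }
  if (Object.prototype.hasOwnProperty.call(domainOutcomes, domain)) {
    return domainOutcomes[domain];
  }
  return defaultOutcome;
}

// Glue that only runs inside AM, where the "sharedState" binding exists;
// outside AM (e.g. when unit-testing this file) it is skipped.
if (typeof sharedState !== "undefined") {
  outcome = routeByDomain(String(sharedState.get("email")), DOMAIN_OUTCOMES, "local");
}
```

Each outcome name then connects, in the tree, to the matching social provider node; unknown or malformed addresses land on the local outcome rather than on any external IdP.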
Adding to @Brad Tarisznyas’ suggestion: I would suggest looking into federation, whether it’s via SAML2 or OAuth2 + OIDC. Most of the external IDP vendors, including ForgeRock AM and Okta, support this out of the box. Hope this helps!