Question

Integration with OKTA for SSO and Provisioning - recommended approach when using a [TEST] workspace

  • 5 December 2022
  • 4 replies
  • 59 views

Hi all.

We are trying to enable the integration with OKTA (firstly for SSO, secondly for SCIM provisioning).

The problem we are facing is due to the fact that we have enabled a TEST workspace (separate workspace ID, separate url -> separate app in OKTA).

The issue is the following:

* If we enable SSO in OKTA only for the primary (production) workspace - the users will be authenticated when going to this workspace. But once they switch to the [test] one - they are being redirected to a login page where they are requested to log in with their local user/pass (as OKTA cannot authenticate them).

COMPLICATIONS:

1. If we create a second app in OKTA for the TEST workspace - the authentication will most probably work, but we will be facing other problems on OKTA side (having to administer 2 apps, 2 sets of user groups and respectively - having to add/remove people from both apps).

While at the same time the user base on Intercom is one for the both workspaces (the primary and the TEST one) and the users cannot be managed through the [test] workspace.

2. If we want to use OKTA also to provision the users (SCIM provisioning) - how should this work if there will be 2 applications in OKTA (production, test) but only one user base on the Intercom platform? Wouldn't this cause any conflicts?

What is the recommended approach when dealing with SSO and User provisioning while having a [test] workspace?

4 replies

Hey @galina s​, Racheal from the support engineer team here 👋

I can see you're working with my teammate Matt on this, but to post for visibility here:

With our current SCIM design you will have to set up as many Okta apps as you have workspaces. So, if you want to use SCIM provisioning in your [test] workspace and prod workspace, you will have to have an Okta app for each workspace. Your users will need to be provisioned into both workspaces.

Hi Racheal.

Thanks for following up.

Setting up multiple OKTA apps is not the big issue.

BUT having to provision the users separately to PROD and TEST (as per Matt's answer "So, if you want to use SCIM provisioning in your [test] workspace and prod workspace, you will have to have an Okta app for each workspace. Your users will need to be provisioned into both workspaces.") does not seem logical for various reasons.

  • SEATs - how are they to be controlled across PROD and TEST?
  • adding/inviting teammates to a test workspace is restricted but we can provision them?!? Why the difference?
  • if we invite/provision a user on the PROD workspace - it will automatically become a user also in the TEST one, right? Why shall we have it provisioned once again then?
  • if we provision a user to the TEST workspace - will it also become a user on the PROD space?

Again - this all looks really confusing, having in mind that the user base (the teammates) of Intercom is one (serving both PROD and TEST workspaces), but the authentication and the SCIM provisioning should be split against OKTA.

Anyone else having the same thoughts?

How did you guys resolve this one?

TIA!

Galina

Looping in @user1207​ in case he has some thoughts on that 👍

Thanks for looping me in @diana t12​!

👋 @galina s​! Is there a specific reason you need to add everyone onto the test workspace through Okta? I recommend provisioning all of your agents onto the production workspace and only adding those who really need test access onto a "test agent" Okta user group.

Also as Racheal pointed out, I would suggest just adding the Okta app onto each workspace to provision your users as there is not a way to sync them between workspaces to my knowledge.

If I'm missing something on this, feel free to send back a reply and I'll take a look!
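Added example, not from the thread and not Intercom's or Okta's code: it models the layout the last reply recommends (one Okta app per workspace, all agents in one group pushed to the production app, and only a smaller "test agent" group pushed to the test app) with a constructed sample directory, and audits it for the two things the question worries about: users who would exist only through the test workspace, and how per-app push counts compare with the number of distinct teammates (the seat question). The app names `intercom-prod`/`intercom-test`, the group names and the user list are all assumptions.

```python
# Added example: reconcile Okta group membership against per-workspace app pushes.
# All data below is constructed for illustration; app and group names are assumptions.

# Okta users -> set of Okta group names (constructed sample directory)
OKTA_USERS = {
    "alice@example.com": {"intercom-agents"},
    "bob@example.com": {"intercom-agents", "intercom-test-agents"},
    "carol@example.com": {"intercom-test-agents"},  # test-only: should be flagged
    "dave@example.com": set(),                      # no Intercom access at all
}

# One Okta app per Intercom workspace; each app pushes exactly one group (assumed layout).
APP_GROUPS = {
    "intercom-prod": "intercom-agents",
    "intercom-test": "intercom-test-agents",
}


def assignments(users, app_groups):
    """Map each app to the sorted list of users its assigned group would push via SCIM."""
    return {
        app: sorted(u for u, groups in users.items() if group in groups)
        for app, group in app_groups.items()
    }


def audit(users, app_groups, prod_app="intercom-prod", test_app="intercom-test"):
    """Check the invariants a single shared teammate base implies.

    - test_only: users pushed to the test app but not the prod app (they would be
      created as teammates only through the restricted test workspace).
    - seats: per-app push counts versus the number of distinct teammates, so seat
      usage across PROD and TEST can be compared with what the IdP actually pushes.
    - unassigned: directory users no app pushes at all (a deprovisioning check).
    """
    pushed = assignments(users, app_groups)
    prod = set(pushed[prod_app])
    test = set(pushed[test_app])
    return {
        "test_only": sorted(test - prod),
        "seats": {app: len(members) for app, members in pushed.items()},
        "distinct_teammates": len(prod | test),
        "unassigned": sorted(u for u in users if u not in prod | test),
    }


if __name__ == "__main__":
    for app, members in assignments(OKTA_USERS, APP_GROUPS).items():
        print(f"{app}: {', '.join(members)}")
    report = audit(OKTA_USERS, APP_GROUPS)
    if report["test_only"]:
        print("WARNING test-only users:", ", ".join(report["test_only"]))
    print("seats:", report["seats"], "distinct teammates:", report["distinct_teammates"])
```

Run against a real export, the `test_only` list is the thing to keep empty: if the test group is always a subset of the production group, every teammate is created once through the production app and the test app only widens access for the few who need it, which is the least-privilege shape the reply describes.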