Organizations often need to provide application access to users from partner companies or different business units managed in separate Okta tenants. Okta Org2Org enables secure cross-tenant authentication using SAML 2.0, allowing users in one Okta organization to access applications hosted in another.
This guide demonstrates configuring cross-tenant access to Dropbox Business using one Okta organization as the Identity Provider (IdP) and another as the Service Provider (SP).
Prerequisites
- Two Okta Organizations:
- Identity Provider: Paid or partner account (Org2Org not available on developer accounts)
- Service Provider: Can be developer, paid, or partner account
- Administrative Access: Super Admin permissions on both Okta tenants
- Target Application: SaaS application supporting SAML 2.0 (Dropbox Business in this example)
Architecture Overview
- Identity Provider (Org1): Manages user identities and authentication
- Service Provider (Org2): Hosts applications and receives federated users
- Flow: User → Org1 (authenticate) → Org2 (provision/access) → Application
Step 1: Configure Service Provider Application
Add Target Application
- In Service Provider Okta tenant, navigate to Applications > Browse App Catalog
- Search for “Dropbox Business” and click Add Integration
- Complete the application wizard and click Done
Configure Application Settings
General Configuration:
- Go to Applications > Dropbox Business > General
- Enter descriptive Application Name
- Click Save
SAML Configuration:
- Navigate to Sign-On tab
- Copy the following for Dropbox configuration:
- Sign-on URL
- Signing Certificate (download)
Configure Dropbox Business
- Log into Dropbox Admin Console
- Navigate to Settings > Security
- In Single sign-on section:
- Upload the Signing Certificate from Okta
- Paste the Sign-on URL from Okta
- Save configuration
Configure Provisioning Settings
Advanced Sign-On Settings:
- In Okta Dropbox app, go to Sign-On > Advanced Settings
- Configure:
- Silent Provisioning: Enabled
- Username: Okta username
- Actions: Create and Update selected
Provisioning Configuration:
- Navigate to Provisioning > To App
- Enable:
- ✓ Create Users
- ✓ Update User Attributes
- ✓ Deactivate Users
Test Application Access
- Go to Assignments tab
- Assign a test user or group
- Log in as the test user and verify that the Dropbox tile appears on the dashboard
- Click the tile to confirm successful SSO to Dropbox
Step 2: Configure Identity Provider Relationship
Create SAML Identity Provider (Service Provider Side)
- In Service Provider tenant, navigate to Security > Identity Providers
- Click Add Identity Provider > SAML 2.0
- Click Next to begin configuration
Note: You’ll need information from the Identity Provider tenant to complete this configuration.
Install Org2Org App (Identity Provider Side)
- In Identity Provider tenant, go to Applications > Browse App Catalog
- Search for “Okta Org2Org” and add integration
- In configuration wizard:
- Base URL: Enter the Service Provider tenant URL (e.g., https://dev-12345.okta.com)
- Complete installation
Gather IdP Configuration Details
- In Identity Provider tenant, go to Applications > Okta Org2Org > Sign-On
- Click More Details to access:
- Issuer URI
- Sign-on URL
- Signature Certificate (download)
Complete SAML IdP Configuration (Service Provider Side)
Return to Service Provider SAML 2.0 configuration:
Identity Provider Settings:
- Name: Org1 IdP (or another descriptive name)
- IdP Username: idpuser.subjectNameId
- Match Against: Okta Username
- Account Link Policy: Automatic
- Auto-Link Restrictions: None
- Provisioning Action: Create user if one does not exist
SAML Protocol Settings:
- IdP Issuer URI: From Org2Org app
- IdP Single Sign-On URL: From Org2Org app
- IdP Signature Certificate: Upload from Org2Org app
Click Finish to complete IdP configuration.
Configure Org2Org App (Identity Provider Side)
- In the Service Provider tenant, open the completed Identity Provider entry and copy its Assertion Consumer Service URL and Audience URI
- Return to Identity Provider tenant > Okta Org2Org > Sign-On
- Paste the copied URLs into corresponding fields
- Save configuration
Step 3: Configure Cross-Tenant Provisioning
Generate API Token (Service Provider)
- In Service Provider tenant, sign in as a dedicated service admin that holds only the roles provisioning needs: an Okta API token inherits the permissions of the admin who creates it, so a token minted by a Super Admin hands Super Admin rights to whoever holds it in the Identity Provider tenant
- Navigate to Security > API > Tokens
- Click Create Token
- Enter a descriptive name and click Create Token
- Copy the token immediately (it won’t be shown again)
Configure Provisioning (Identity Provider)
- In Identity Provider tenant, go to Applications > Okta Org2Org > Provisioning
- Click Configure API Integration
- Enter:
- Base URL: Service Provider tenant URL
- API Token: Token from Service Provider
- Click Test API Credentials and verify success
Enable Provisioning Actions
Navigate to Provisioning > To App and enable:
- ✓ Create Users
- ✓ Update User Attributes
- ✓ Deactivate Users
Step 4: Assign Users and Test Complete Flow
Assign Users to Org2Org (Identity Provider)
- Go to Applications > Okta Org2Org > Assignments
- Click Assign > Assign to People or Assign to Groups
- Select target users/groups and assign
Test Cross-Tenant Provisioning
- Log in to the Identity Provider tenant as an assigned user
- Click Org2Org tile on dashboard
- Complete any required authentication (MFA, etc.)
- Verify successful login to Service Provider tenant
- Confirm user appears in Service Provider > Directory > People
Assign Federated Users to Applications (Service Provider)
- In Service Provider tenant, navigate to Applications > Dropbox Business > Assignments
- Assign the federated users to Dropbox application
- Users can now access Dropbox through the cross-tenant flow
Step 5: End-User Experience Validation
Complete User Journey
User Perspective (Sarah example):
- Login: Sarah logs into Identity Provider (Org1) dashboard
- Cross-Tenant Access: Clicks Org2Org tile → redirected to Service Provider (Org2)
- Authentication: Completes any required Service Provider authentication
- Application Access: Clicks Dropbox Business tile
- First-Time Setup: Completes Dropbox team joining process
- Application Use: Successfully accesses Dropbox Business
Verification Checklist
- ✓ User successfully authenticates to Identity Provider
- ✓ Cross-tenant redirect functions properly
- ✓ User provisions correctly in Service Provider
- ✓ Application assignment works for federated users
- ✓ End-to-end SSO flow completes without errors
Troubleshooting Common Issues
SAML Configuration Problems
Invalid SAML Response:
- Verify Issuer URI matches exactly
- Check certificate upload and validity
- Confirm Sign-on URL accuracy
User Matching Failures:
- Review username format mapping
- Check NameID attribute configuration
- Verify user exists in Identity Provider
Provisioning Issues
API Integration Failures:
- Validate API token permissions and expiration
- Check network connectivity between tenants
- Review Service Provider API rate limits
User Creation Problems:
- Verify provisioning settings enabled
- Check user attribute mapping requirements
- Review Service Provider user schema requirements
Access Flow Problems
Application Assignment Issues:
- Confirm users assigned to both Org2Org and target application
- Verify group membership propagation
- Check application-specific requirements
Security Considerations
Trust Relationship Management
- Treat the Identity Provider tenant as a trust boundary: with Account Link Policy set to Automatic, Match Against set to Okta Username and no Auto-Link Restrictions, any subject the partner tenant asserts is linked to the Service Provider user with that username, so restrict auto-linking to specific groups (or disable it) when privileged local accounts share the username namespace
- Regularly review and audit cross-tenant access
- Implement least-privilege access principles
- Monitor unusual authentication patterns
Token and Certificate Security
- Rotate API tokens regularly (an Okta API token also expires after 30 days without use, so an idle Org2Org integration fails until the token is re-created)
- Monitor certificate expiration dates
- Use strong authentication policies on both sides
User Lifecycle Management
- Implement automated deprovisioning processes
- Regular access reviews for federated users
- Coordinate user lifecycle events across tenants
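The audit below is an added example (not from the original guide or from Okta) that covers two checks this walkthrough otherwise leaves to the admin console: the API token preflight from Step 3 (which admin roles the Service Provider token actually carries, since an Okta API token inherits its creator's roles) and the cross-tenant lifecycle reconciliation from Step 4 and the lifecycle notes above (does every user the Identity Provider deprovisioned end up deactivated in the Service Provider, and did every assigned user get created?). It calls the public Okta REST API endpoints named in its docstring; the tenant URLs org1/org2.okta.com, the app ID 0oaEXAMPLEorg2org, the tokens and the users are constructed placeholders served by `fake_fetch`, and `http_get` is the drop-in fetcher for real tenants.

```python
"""Audit an Okta Org2Org link after provisioning (added example, not Okta's code).
Uses the public Okta API with an SSWS token: /api/v1/users/me plus
/api/v1/users/{id}/roles (roles the SP token inherited), /api/v1/apps/{appId}/users
(IdP-side Org2Org assignments) and /api/v1/users?search=profile.login (SP-side user).
Tenant URLs, the app id and all users below are constructed sample data."""
import json
import re
import urllib.parse
import urllib.request

_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')
ACTIVE_ASSIGNMENT = {"STAGED", "PROVISIONED", "ENABLED"}  # IdP still grants access
DISABLED_USER = {"DEPROVISIONED", "SUSPENDED"}            # SP user cannot sign in

def http_get(url, token):
    """Live fetcher: returns (JSON body, all Link headers joined)."""
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), ", ".join(resp.headers.get_all("Link") or [])

def paged(fetch, url, token):
    """Follow Okta cursor pagination (Link: <...>; rel="next")."""
    while url:
        body, link = fetch(url, token)
        yield from body
        m = _NEXT.search(link)
        url = m.group(1) if m else None

def token_roles(fetch, base, token):
    """Admin role types the token carries; it inherits its creator's roles."""
    me, _ = fetch(f"{base}/api/v1/users/me", token)
    roles, _ = fetch(f"{base}/api/v1/users/{me['id']}/roles", token)
    return sorted(r["type"] for r in roles)

def idp_assignments(fetch, idp_base, token, app_id):
    """login -> app-user status for everyone assigned to the Org2Org app."""
    url = f"{idp_base}/api/v1/apps/{app_id}/users?limit=200"
    return {u["credentials"]["userName"]: u["status"] for u in paged(fetch, url, token)}

def sp_user_status(fetch, sp_base, token, login):
    """Status of the SP user with this login, or None if never provisioned."""
    q = urllib.parse.quote(f'profile.login eq "{login}"')
    body, _ = fetch(f"{sp_base}/api/v1/users?search={q}&limit=1", token)
    return body[0]["status"] if body else None

def audit_drift(idp_assigned, sp_status):
    """Bucket each IdP-assigned login by whether the SP directory agrees."""
    report = {"missing_in_sp": [], "still_active_in_sp": [], "ok": []}
    for login, app_status in sorted(idp_assigned.items()):
        status = sp_status(login)
        if app_status in ACTIVE_ASSIGNMENT:
            bucket = "missing_in_sp" if status is None else "ok"
        elif status is not None and status not in DISABLED_USER:
            bucket = "still_active_in_sp"  # IdP deprovisioned, SP never heard
        else:
            bucket = "ok"
        report[bucket].append(login)
    return report

# Constructed sample tenants so the audit runs offline.
IDP, SP, APP_ID = "https://org1.okta.com", "https://org2.okta.com", "0oaEXAMPLEorg2org"
_IDP_PAGES = {
    f"{IDP}/api/v1/apps/{APP_ID}/users?limit=200": (
        [{"credentials": {"userName": "alice@example.com"}, "status": "PROVISIONED"},
         {"credentials": {"userName": "bob@example.com"}, "status": "DEPROVISIONED"}],
        f'<{IDP}/api/v1/apps/{APP_ID}/users?limit=200&after=00u2>; rel="next"'),
    f"{IDP}/api/v1/apps/{APP_ID}/users?limit=200&after=00u2": (
        [{"credentials": {"userName": "carol@example.com"}, "status": "PROVISIONED"},
         {"credentials": {"userName": "dave@example.com"}, "status": "DEPROVISIONED"}],
        ""),
}
_SP_USERS = {"alice@example.com": "ACTIVE", "bob@example.com": "ACTIVE",
             "dave@example.com": "DEPROVISIONED"}

def fake_fetch(url, token):
    """Stand-in for http_get that serves the constructed responses above."""
    if url in _IDP_PAGES:
        return _IDP_PAGES[url]
    if url == f"{SP}/api/v1/users/me":
        return {"id": "00uSPservice"}, ""
    if url == f"{SP}/api/v1/users/00uSPservice/roles":
        return [{"type": "SUPER_ADMIN"}], ""  # token was minted by a Super Admin
    if url.startswith(f"{SP}/api/v1/users?search="):
        login = urllib.parse.unquote(url.split("search=")[1].split("&")[0]).split('"')[1]
        status = _SP_USERS.get(login)
        return ([{"profile": {"login": login}, "status": status}] if status else []), ""
    raise ValueError(f"unexpected URL {url}")

def run_sample(fetch=fake_fetch):
    """Token preflight plus drift report; pass fetch=http_get for live tenants."""
    roles = token_roles(fetch, SP, "sp-token")
    assigned = idp_assignments(fetch, IDP, "idp-token", APP_ID)
    report = audit_drift(assigned, lambda login: sp_user_status(fetch, SP, "sp-token", login))
    report.update(token_roles=roles, token_over_privileged="SUPER_ADMIN" in roles)
    return report

if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the sample data the report flags bob (deprovisioned in the IdP app but still ACTIVE in the SP directory, the case that matters for offboarding), carol (assigned but never created), and a SUPER_ADMIN token. Against real tenants, a non-empty `still_active_in_sp` list means the "Deactivate Users" provisioning action is not doing its job and the SP side needs a manual deactivation plus a look at the Org2Org provisioning logs.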
This Org2Org configuration enables secure, scalable cross-tenant application access while maintaining centralized identity management and comprehensive audit trails across both Okta organizations.