Okta Org2Org Cross-Tenant Integration
Enable secure cross-tenant authentication between separate Okta organizations
Organizations often need to provide application access to users from partner companies or different business units managed in separate Okta tenants. Okta Org2Org enables secure cross-tenant authentication using SAML 2.0, allowing users in one Okta organization to access applications hosted in another.
Prerequisites
- Two Okta Organizations
  - Identity Provider: Paid or partner account (Org2Org is not available on developer accounts)
  - Service Provider: Can be a developer, paid, or partner account
- Super Admin permissions on both Okta tenants
- Target application supporting SAML 2.0 (Dropbox Business in this example)
Architecture Overview
- Identity Provider (Org1): Manages user identities and authentication
- Service Provider (Org2): Hosts applications and receives federated users
- Flow: User → Org1 (authenticate) → Org2 (provision/access) → Application
Step 1: Configure Service Provider Application
Add Target Application
# In Service Provider Okta tenant
1. Navigate to Applications > Browse App Catalog
2. Search for "Dropbox Business" and click Add Integration
3. Complete the application wizard and click Done
Configure Application Settings
# SAML Configuration
1. Go to Applications > Dropbox Business > Sign-On tab
2. Copy the following for the Dropbox configuration:
   - Sign-on URL
   - Signing Certificate (download)
# Configure Dropbox Business
3. Log into Dropbox Admin Console > Settings > Security
4. In the Single sign-on section:
   - Upload the Signing Certificate from Okta
   - Paste the Sign-on URL from Okta
   - Save the configuration
Configure Provisioning Settings
# Advanced Sign-On Settings
Silent Provisioning: Enabled
Username: Okta username
Actions: Create and Update selected
# Provisioning Configuration
Navigate to Provisioning > To App
Enable:
✓ Create Users
✓ Update User Attributes
✓ Deactivate Users
Step 2: Configure Identity Provider Relationship
Install Org2Org App (Identity Provider Side)
# In Identity Provider tenant
1. Go to Applications > Browse App Catalog
2. Search for "Okta Org2Org" and add integration
3. In the configuration wizard:
   Base URL: Enter the Service Provider tenant URL (e.g., https://dev-12345.okta.com)
4. Complete installation
Create SAML Identity Provider (Service Provider Side)
# In Service Provider tenant
1. Navigate to Security > Identity Providers
2. Click "Add Identity Provider" > "SAML 2.0"
3. Click Next to begin configuration
Exchange Configuration Details
Gather IdP Configuration
# Identity Provider tenant
Go to Applications > Okta Org2Org > Sign-On
Click "More Details" to access:
- Issuer URI
- Sign-on URL
- Signature Certificate (download)
Complete SAML Configuration
# Service Provider tenant
Name: Org1 IdP
IdP Username: idpuser.subjectNameId
Match Against: Okta Username
Account Link Policy: Automatic
Provisioning: Create user if needed
Step 3: Configure Cross-Tenant Provisioning
Generate API Token (Service Provider)
# In Service Provider tenant
1. Navigate to Security > API > Tokens
2. Click "Create Token"
3. Enter descriptive name and click "Create Token"
4. Copy token immediately (won't be shown again)
Configure Provisioning (Identity Provider)
# In Identity Provider tenant
1. Go to Applications > Okta Org2Org > Provisioning
2. Click "Configure API Integration"
3. Enter:
   Base URL: Service Provider tenant URL
   API Token: Token generated in the Service Provider tenant
4. Click "Test API Credentials" and verify success
# Enable Provisioning Actions
Navigate to Provisioning > To App and enable:
✓ Create Users
✓ Update User Attributes
✓ Deactivate Users
Step 4: Assign Users and Test Complete Flow
Assign Users to Org2Org
# In Identity Provider tenant
1. Go to Applications > Okta Org2Org > Assignments
2. Click "Assign" > "Assign to People" or "Assign to Groups"
3. Select target users/groups and assign
Test Cross-Tenant Provisioning
# Test Federation Flow
1. Login as assigned user to Identity Provider tenant
2. Click Org2Org tile on dashboard
3. Complete any required authentication (MFA, etc.)
4. Verify successful login to Service Provider tenant
5. Confirm user appears in Service Provider > Directory > People
# Assign Federated Users to Applications
6. In Service Provider tenant: Applications > Dropbox Business > Assignments
7. Assign the federated users to Dropbox application
Step 5: End-User Experience Validation
Complete User Journey
# User Experience Flow
1. Login: User logs into Identity Provider (Org1) dashboard
2. Cross-Tenant Access: Clicks Org2Org tile → redirected to Service Provider (Org2)
3. Authentication: Completes any required Service Provider authentication
4. Application Access: Clicks Dropbox Business tile
5. First-Time Setup: Completes Dropbox team joining process
6. Application Use: Successfully accesses Dropbox Business
Verification Checklist
- ✓ User successfully authenticates to Identity Provider
- ✓ Cross-tenant redirect functions properly
- ✓ User provisions correctly in Service Provider
- ✓ Application assignment works for federated users
- ✓ End-to-end SSO flow completes without errors
Troubleshooting Common Issues
SAML Configuration Problems
- Invalid SAML Response: Verify the Issuer URI entered on the Service Provider side matches the Org2Org app's Issuer URI exactly
- User Matching Failures: Review the username format mapping (IdP Username and Match Against settings)
- Certificate Errors: Confirm the Org2Org signature certificate was uploaded and is still valid
Provisioning Issues
- API Integration Failures: Validate that the API token is still valid and carries the permissions provisioning requires
- User Creation Problems: Verify the provisioning actions (Create, Update, Deactivate) are enabled
- Connectivity: Check network connectivity between the tenants
Access Flow Problems
- Application Assignment: Confirm users are assigned to both the Org2Org app and the target application
- Group Membership: Verify group membership propagates to the Service Provider tenant
- Application Requirements: Check application-specific requirements (for example, the Dropbox team joining process)
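The checks above can be scripted against the Service Provider tenant's management API. The following is an added example, not part of the original guide or Okta's own tooling: it compares the SAML identity provider object (GET /api/v1/idps) against the Step 2 settings and confirms the federated user was created (GET /api/v1/users?search=...). The sample responses, the IdP name "Org1 IdP", the issuer value and the user login are constructed placeholders.

```python
import json
import urllib.request


def okta_get(base_url, api_token, path):
    """Live GET against the Okta management API (not exercised offline).
    The SSWS token inherits the permissions of the admin who created it."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_idp(idps, name, expected_issuer):
    """Compare the SP tenant's SAML IdP against the Step 2 values.
    Returns a list of findings; an empty list means everything matches."""
    idp = next((i for i in idps if i.get("name") == name and i.get("type") == "SAML2"), None)
    if idp is None:
        return [f"no SAML2 identity provider named {name!r}"]
    findings = []
    if idp.get("status") != "ACTIVE":
        findings.append("identity provider is not ACTIVE")
    issuer = idp["protocol"]["credentials"]["trust"].get("issuer")
    if issuer != expected_issuer:  # the "Invalid SAML Response" case
        findings.append(f"issuer mismatch: SP trusts {issuer!r}, Org2Org publishes {expected_issuer!r}")
    policy = idp.get("policy", {})
    if policy.get("provisioning", {}).get("action") != "AUTO":
        findings.append("provisioning is not 'Create user if needed'")
    if policy.get("accountLink", {}).get("action") != "AUTO":
        findings.append("account link policy is not Automatic")
    if policy.get("subject", {}).get("matchType") != "USERNAME":
        findings.append("IdP username is not matched against Okta username")
    return findings


def check_user(users, login):
    """Status of the federated user in the SP tenant, or 'missing' if
    cross-tenant provisioning never created it."""
    user = next((u for u in users if u.get("profile", {}).get("login") == login), None)
    return user.get("status") if user else "missing"


# Constructed sample responses shaped like the Okta IdP and User objects; not real data.
SAMPLE_IDPS = [{"id": "0oaEXAMPLE", "type": "SAML2", "name": "Org1 IdP", "status": "ACTIVE",
    "protocol": {"credentials": {"trust": {"issuer": "http://www.okta.com/exkEXAMPLE"}}},
    "policy": {"provisioning": {"action": "AUTO"}, "accountLink": {"action": "AUTO"},
               "subject": {"userNameTemplate": {"template": "idpuser.subjectNameId"},
                           "matchType": "USERNAME"}}}]
SAMPLE_USERS = [{"id": "00uEXAMPLE", "status": "ACTIVE",
    "profile": {"login": "jane.doe@org1.example", "email": "jane.doe@org1.example"}}]
```

To run it against a real tenant, feed `okta_get(sp_url, token, "/api/v1/idps")` into `check_idp` and the users search result into `check_user`.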
Conclusion
This Org2Org configuration enables secure, scalable cross-tenant application access while maintaining centralized identity management and comprehensive audit trails across both Okta organizations. Users can seamlessly access applications across multiple Okta tenants without managing separate credentials.
Best Practice: Implement automated deprovisioning processes, regular access reviews for federated users, and coordinate user lifecycle events across both tenants to maintain security.
