This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read Create and configure your Okta tenant.
This page walks through configuring Okta as the OIDC enterprise identity provider for Cross App Access (XAA). You’ll set up an Okta tenant, register the Resource and Requesting Apps in Okta, and configure a Workforce Enterprise connection so Auth0 can federate with Okta.

Create and configure your Okta tenant

To set up your end-to-end test environment for the Resource App, you need to create and configure your Okta tenant for Cross App Access.
  • On the Okta Developer website, sign up for an Okta Integrator Free Plan. Once you sign up, you should be redirected to your new Okta tenant.
  • To enable Cross App Access, email developers@okta.com to request XAA enablement for your Okta tenant. Once approved, the Okta team can provide links to any available XAA Requesting and Resource Apps.

Register the Requesting App in Okta

Create Requesting App in Okta

In a production environment, the Requesting App developer registers the Requesting App in the Okta Integration Network (OIN). Enterprise customers will install the Requesting App from the OIN catalog during their IdP setup.
You must register the application in the Okta Integration Network (OIN) for it to be considered a valid XAA Requesting App when using Okta as the enterprise IdP.
  • During XAA Requesting App install, configure Issuer URL to point to your Auth0 tenant and Client ID to point to your Agent0 application in Auth0.
Since the Requesting App authenticates enterprise employees with Okta, you need to configure the application’s sign-on policy in Okta.
  1. Go to Applications > Applications and select the application (e.g. Agent0).
  2. Under Sign On, select Edit and add the Requesting App’s callback URL in the Redirect URI field. Adjust the Redirect URI’s value depending on the testing application you want to use. To learn more, read Test the end-to-end XAA flow.
  3. Select Save.

Assign Requesting Application to Test Users

Finally, allow your test user to log into the Requesting App in Okta. In the Okta Admin Console:
  1. Navigate to Applications and select the requesting application you created.
  2. Select Assign > Assign to People and select your test user.
  3. Select Save.

Register the Resource App in Okta

Create Resource App in Okta

You must register your SaaS application in the Okta Integration Network (OIN) for it to be considered a valid Resource App.
  • During XAA Resource App install, configure Issuer URL to point to your Auth0 tenant.
  • You can also request the registration of a new application in the OIN from your Okta tenant. To learn more, read the Submission process for SSO and SCIM integrations. To accelerate the registration process, contact your Auth0 or Okta representative.
In a production environment, your enterprise customers will install your SaaS application from the OIN catalog during their IdP setup.
Since the Resource App authenticates enterprise employees with Okta, you need to configure the application’s sign-on policy in Okta.
  1. Go to Applications > Applications and select the application.
  2. Under Sign On, select Edit and add your Auth0 Tenant’s callback URL in the Redirect URI field.
  3. Select Save.

Assign Resource Application to Test Users

Finally, allow your test user to log into the Resource App in Okta. In the Okta Admin Console:
  1. Navigate to Applications and select the resource application you created.
  2. Select Assign > Assign to People and select your test user.
  3. Select Save.

Establishing connections between Requesting and Resource App

  1. From the Applications page, select the XAA Requesting App.
  2. Go to the Manage Connections tab.
  3. Under App granted consent, select Add requesting apps, select XAA Resource App, then select Save.
  4. Under Apps providing consent, select Add resource apps, select XAA Resource App, then select Save.

Configure an Okta Workforce Enterprise connection in Auth0

Use your Resource App’s client_id and client_secret to create an Okta Workforce Enterprise connection in your Auth0 tenant.
When creating the Okta Workforce Enterprise connection, activate the Cross App Access - Resource Application role. This enables your Resource App to accept ID-JAGs issued by the enterprise IdP associated with that connection, in this case, your Okta tenant.
After creating the Okta Workforce Enterprise connection, check that the Callback URL provided by Auth0 in the connection’s settings matches the Redirect URI configured in the sign-on policy of the Resource App in your Okta tenant.
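
The callback check described above, as an added example that is not part of the Auth0 or Okta documentation: this Python helper reports why two values that look alike would still fail to match. It assumes the IdP compares redirect URIs as exact strings, as OAuth security guidance recommends; the tenant hostname is a constructed placeholder and the function name is hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample value: replace with the Callback URL shown in your
# Auth0 connection settings. "example-tenant" is a placeholder.
AUTH0_CALLBACK = "https://example-tenant.us.auth0.com/login/callback"


def redirect_uri_mismatches(auth0_callback, okta_redirect):
    """Explain why two URIs fail exact string comparison; [] means they match."""
    if auth0_callback == okta_redirect:
        return []
    reasons = []
    a_raw, b_raw = auth0_callback.strip(), okta_redirect.strip()
    if (a_raw, b_raw) != (auth0_callback, okta_redirect):
        reasons.append("leading or trailing whitespace")
    a, b = urlsplit(a_raw), urlsplit(b_raw)
    # urlsplit lower-cases scheme and hostname, so these catch real differences;
    # pure letter-case differences are reported by the fallback at the end.
    if a.scheme != b.scheme:
        reasons.append(f"scheme: {a.scheme!r} vs {b.scheme!r}")
    if a.hostname != b.hostname:
        reasons.append(f"host: {a.hostname!r} vs {b.hostname!r}")
    if a.port != b.port:
        reasons.append(f"port: {a.port!r} vs {b.port!r}")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            reasons.append("path differs only by a trailing slash")
        else:
            reasons.append(f"path: {a.path!r} vs {b.path!r}")
    if a.query != b.query:
        reasons.append("query string differs")
    if a.fragment != b.fragment:
        reasons.append("fragment differs")
    if not reasons:
        same_ignoring_case = a_raw.lower() == b_raw.lower()
        reasons.append("letter case differs" if same_ignoring_case else "authority differs")
    return reasons


if __name__ == "__main__":
    # Constructed example of a Redirect URI pasted into Okta with a trailing slash.
    for reason in redirect_uri_mismatches(AUTH0_CALLBACK, AUTH0_CALLBACK + "/"):
        print("MISMATCH:", reason)
```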

Testing Connection in Auth0

In the Auth0 Dashboard:
  • Navigate to Authentication > Enterprise > Okta Workforce:
    • Enter the Okta Workforce Enterprise connection you created and select the Applications tab. Then, enable the Requesting App you created for the connection.
    • Go back to the list of Okta Workforce connections. Select the three dots on the right for your connection and select Try. You will be redirected to authenticate in your Okta tenant to complete the login with your test user.
  • Log in with the user you assigned to the XAA Resource Applications.
  • Verify that the login was successful.