This application allows two disparate accounts, a pre-existing account on an Okta Hub IdP and one on an external IdP, to be linked by verifying account ownership on the Hub side. It supports either SAML or OIDC and is completely dependent on the federation between the two tenants, configured through Okta.
Typical use-cases include:
- Just-in-Time creation is not allowed on the Hub
- The external IdP has matching attributes
- Factor verification is required to link the accounts
- Requires SAML 2.0 Section 5.4.2 functionality
While the application is simple to stand up, it does require some configuration on both the Spoke and Hub tenants, so it is best to speak with your Okta representative first.
This is built with the Serverless Framework and requires its CLI tooling to perform the actions listed below.
In order to deploy the example, you need to run the following command:
$ serverless deploy
After running deploy, you should see output similar to:
After successful deployment, you can invoke the deployed function by using the following command:
serverless invoke --function createLink --path mocks/createLink.json
Update the mock stubs with your correct tokens; you can then test each lambda locally:
serverless invoke local --function createLink --path mocks/createLink.json
serverless invoke local --function linkRedirect --path mocks/redirect.json
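To make the local-invoke step concrete, here is an added example (not this project's code) of two Lambda-style handlers named after the README's createLink and linkRedirect functions, together with a helper that replays a mock event file the way `serverless invoke local --path mocks/...json` does. The event field names (hubToken, externalSubject, target), the allow-listed redirect host and the mock payloads are all assumptions constructed for the illustration; the real handlers' inputs are defined by your Okta federation setup.

```javascript
// Added example, not the project's own handlers. Shows the event shape a
// mocks/*.json file carries and how the Serverless CLI hands it to a handler.
// Field names, hosts and mock values below are constructed assumptions.
'use strict';

// Hosts the redirect handler may send the browser to (constructed allow-list).
const ALLOWED_REDIRECT_HOSTS = new Set(['hub-idp.example.com']);

// API Gateway delivers `body` as a JSON string; a local mock may pass an object.
function parseBody(event) {
  if (event.body === undefined || event.body === null) return {};
  if (typeof event.body === 'object') return event.body;
  try {
    return JSON.parse(event.body);
  } catch (e) {
    return null; // malformed JSON body
  }
}

function response(statusCode, body, headers) {
  return { statusCode, headers: headers || {}, body: JSON.stringify(body) };
}

// createLink: refuse to link unless both ownership-proof fields are present.
// (Token verification and the Okta API call would follow in a real handler.)
function createLinkSync(event) {
  const body = parseBody(event);
  if (body === null) return response(400, { error: 'malformed JSON body' });
  if (!body.hubToken || !body.externalSubject) {
    return response(400, { error: 'hubToken and externalSubject are required' });
  }
  return response(200, { linked: true, externalSubject: body.externalSubject });
}

// linkRedirect: only redirect to an https URL on an allow-listed host.
function linkRedirectSync(event) {
  const params = event.queryStringParameters || {};
  let url;
  try {
    url = new URL(params.target || '');
  } catch (e) {
    return response(400, { error: 'target must be an absolute URL' });
  }
  if (url.protocol !== 'https:' || !ALLOWED_REDIRECT_HOSTS.has(url.host)) {
    return response(400, { error: 'target not permitted' });
  }
  return response(302, {}, { Location: url.toString() });
}

// Equivalent of `serverless invoke local --function X --path mocks/X.json`:
// parse the JSON event file and pass the event object to the handler.
function invokeLocal(handler, eventJson) {
  return handler(JSON.parse(eventJson));
}

// Constructed stand-ins for mocks/createLink.json and mocks/redirect.json.
const MOCK_CREATE_LINK = JSON.stringify({
  body: JSON.stringify({
    hubToken: 'REPLACE_WITH_HUB_TOKEN', // placeholder, fill in per the README
    externalSubject: 'alice@example.com',
  }),
});
const MOCK_REDIRECT = JSON.stringify({
  queryStringParameters: { target: 'https://hub-idp.example.com/link/done' },
});

// Async wrappers in the shape the Serverless Framework invokes.
const createLink = async (event) => createLinkSync(event);
const linkRedirect = async (event) => linkRedirectSync(event);
if (typeof module !== 'undefined') module.exports = { createLink, linkRedirect };

console.log(invokeLocal(createLinkSync, MOCK_CREATE_LINK));
console.log(invokeLocal(linkRedirectSync, MOCK_REDIRECT));
```

Keeping the decision logic in synchronous functions and wrapping them in the async handlers lets you test the "missing token" and "bad redirect target" paths without the CLI, and leaves the mock files as the only place where real tokens appear.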