SSO Okta setup for multiple environments


Yi Ding

Mar 15, 2021, 11:06:13 AM
to google-cicp-discussion
Hi team,

I'm exploring the single sign-on (SSO) setup with a third-party IdP -- Okta -- and I have some questions around it.

Right now our company has an organization set up called companyx.com with GCP, for example. It's like a Lab environment for developers, and it's connected to our Lab Okta instance called okta.lab.companyx.com. All company users can use their company credentials to log in to the GCP console and do their work if they have a lab user account.

The thing I want to achieve is to set up another Production environment. Only people who have a prod user account could log in to GCP and act on production projects. We have a different Prod Okta instance called okta.prod.companyx.com.

My question is: can I set up both Lab and Prod SSO for the same organization companyx.com in this case? I checked the settings at https://admin.google.com/ac/security/sso and it looks like only one entry is accepted. And I'm not sure if it is good practice to combine lab and prod environments in the same organization.

Otherwise, should we set up a different organization for the Production environment? If that's the case, when a user goes to https://console.cloud.google.com/ and uses their company email address ci...@companyx.com to log in, how does GCP know which environment/organization they are trying to access?

Thank you in advance!

Best,
Cindy Ding


Gautham Bathmanaban

Mar 15, 2021, 7:11:20 PM
to google-cicp-discussion
Hi,

Okta SSO setup is not really within the scope of this board; this Google Group is meant for architectural and outage-based discussions. I would recommend posting this question on Serverfault.com [1] or Stackoverflow [2].

[1] https://serverfault.com/
[2] https://stackoverflow.com/



Yi Ding

Mar 17, 2021, 6:24:49 PM
to google-cicp-discussion
Hi Gautham,

Thank you for your reply. Actually I know how to set up Okta and we already have one working. But I'd like to seek some advice on high-level architecture for multiple domains. Please let me know if the questions below are OK to ask in this Google Group.

Is it possible to set up multiple "SSO with third-party IdP" entries for a single organization, because we want to isolate different domains (for us it's the lab and prod domains)? I tried to find some materials online but couldn't. Not sure if you have any best-practices documentation available?

Thank you,
Cindy

Ahmad Parsaei

Mar 18, 2021, 10:36:28 AM
to google-cicp-discussion
Hi Cindy,

I'd recommend raising these questions with OKTA support. You can also contact Google Workspace support in different ways if they are related to Google.

FYI

I reviewed OKTA's documentation to determine if they support multiple domains for a single Google Workspace account, but couldn't find any evidence that they do.

I found a third-party blog post (provided only for information, and not supported by Google or OKTA) which confirmed that you can't configure two identity providers for your Google Workspace account, but provides some sample expressions that you can use to configure OKTA to perform email substitution if a user matches specific criteria. Using such an approach, you could use a single OKTA configuration and substitute the secondary domain for specific users. OKTA provides a list of functions and an expression language for email templates. They indicate that you should contact support for these templates, and I'd recommend asking them for additional guidance in that area also, as IdP configuration is outside my scope of support.
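
An added illustration of the substitution approach described in that reply; it is not from the blog post, from Okta, or from anyone in this thread. In the Okta app integration for Google Workspace, the application username can be mapped with a custom Okta Expression Language expression. The expression below assumes a user profile attribute `department` holding the value `prod` as the "specific criteria", and an assumed secondary email domain `prod.companyx.com` (the thread names only the Okta instances, not a prod email domain); both are placeholders for whatever criterion and verified Workspace domain are actually used.

```text
user.department == "prod" ?
  String.append(String.substringBefore(user.email, "@"), "@prod.companyx.com") :
  user.email
```

A user whose `department` is `prod` is presented to Google as `<local-part>@prod.companyx.com`; everyone else keeps their existing companyx.com address. This keeps a single IdP and a single Okta configuration, which matches the finding that a Workspace account accepts only one. Two practical points follow from it: the prod domain has to exist in Google Workspace as a verified secondary domain before the mapped usernames resolve to accounts, and the lab/prod separation then rests entirely on who can set the `department` attribute (or whichever criterion replaces it) in Okta, so changes to that attribute are what to review and alert on.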
