Implement Okta Authentication for Multi Tenant


I am implementing Okta authentication for a multi-tenant app, and authentication works well. My question is:

To support multi-tenancy, Okta provides a different URL for each tenant, so as far as I understand, it is the responsibility of the application to create or navigate to a specific URL. So does the user need to enter their email address multiple times for us to find which tenant they belong to?

For example: if a user clicks on Sign in with Okta, we still do not know which URL we have to navigate them to. So we show them a box to enter their email address, and once we do that, we navigate them to the Okta sign-in page, where they have to enter their email address again.

Is that the correct flow, where the user needs to add their email address multiple times if we have different tenants, or am I missing something?

There are 1 best solutions below

Unless you configure all tenants to act as external IdPs for one, where you will send all your users to, and you have a clear way to route to those external IdPs based on Okta external IdP routing rules, I don't see how you can make your architecture work.

Each Okta tenant is an identity provider. So you need to have N buttons "Login with Okta xx" otherwise
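
The email-first flow from the question, as an added example that is not part of the original question or answer: the application maps the email domain to a tenant from a server-side allow-list and passes the address on as the standard OpenID Connect `login_hint` parameter, so the identity provider can pre-fill it. The tenant registry, domains, client ids, callback URL and function names are assumptions made for illustration, and the `/oauth2/v1/authorize` path assumes each tenant uses its Okta org authorization server.

```python
import secrets
from urllib.parse import urlencode

# Constructed tenant registry: email domain -> Okta org URL and client id.
# All values are placeholders, not real orgs.
TENANTS = {
    "acme.example": {"issuer": "https://acme.okta.example", "client_id": "CLIENT_ID_ACME"},
    "globex.example": {"issuer": "https://globex.okta.example", "client_id": "CLIENT_ID_GLOBEX"},
}
REDIRECT_URI = "https://app.example/callback"  # assumed application callback


def resolve_tenant(email):
    """Return the tenant entry for an email, or None if the domain is unknown."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return TENANTS.get(domain.lower())


def build_authorize_url(email):
    """Build the OIDC authorization request for the user's tenant.

    Returns (url, state, nonce); the caller keeps state and nonce in the
    session and checks them on the callback. Returns None for unknown
    domains so the caller can show one generic error for every failure.
    """
    tenant = resolve_tenant(email)
    if tenant is None:
        return None
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": tenant["client_id"],
        "response_type": "code",
        "scope": "openid email",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "login_hint": email.strip(),  # lets the IdP pre-fill the username field
    })
    # The issuer comes only from the server-side registry, never from user input,
    # so the redirect target cannot be steered to an arbitrary host.
    return f"{tenant['issuer']}/oauth2/v1/authorize?{query}", state, nonce
```

On the callback, the application should also record which tenant it redirected to and accept only an ID token whose issuer matches that tenant.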