Using Org2Org to log into Okta Service Accounts

An interesting post in the #okta channel on MacAdmins Slack came up the other day and revived an old topic: how to keep Okta service accounts safe while still logging who is authenticating into them.

The traditional way requires separate credentials and then safeguarding those credentials. If your password safe supports it, you might have audit trails showing when a password was accessed and by whom, but unless you rotate Okta passwords after each use, anyone who has seen the password can save it for later. You also have to set up MFA for your service accounts, and enrolling MFA requires tight orchestration: someone with a second factor has to log in and then approve your MFA enrollment.

Org2Org solves the audit trail and MFA troubles by tying all of it to your personal Okta identity.

Okta doesn’t seem to support creating an Org2Org application that points back at the same organization URL if you use the OIN app. Luckily, we can just make our own SAML app, but there are still a few gotchas.

I’m not going to cover step by step how to set up an Org2Org app or how to add Identity Providers.

  • matching true ? '' : idpuser.name