SSO using Okta with multiple deployment zones
Application Type
Traditional Web, Reactive
Platform Version
11.14.0 (Build 34092)

We have an OnPrem infrastructure and have SSO configure using Okta (via the Users module).  This is working.

We since have added a second deployment zone.

I hadn't really thought too much about the impact this would have for SSO. I assumed we would just need to configure Okta for the new front-end server by cloning the existing and changing the hostname specific settings.

Well obviously (in hindsight) these two servers are in the same environment, which means they share the same Outsystems DB, which means that "/Users" has only one set of configuration parameters.

Long story short, things don't work when we run applications on our new front-end server that use SSO.  They redirect to Okta correctly, but when Okta does its callback it tries to callback to the wrong URL and that causes a failure because of hostname mismatch.

I have contacted our SSO team and shared with them the issue, but they don't understand Outsystems at all so I wanted to "ask the experts" how this is typically handled from the Outsystems side and if there is anything I needs to share with our SSO guys so they know what to do on their end.

Thanks for sharing any knowledge and/or guidance on this topic!


As using 2 front end server, means its like same application will treat like 2 different applications due to different URLs.

But now issue is both applications use same Users. So I think you should use Idp component to configure different SSO settings for both frontend servers.


Won't I run into the same problem with and Idp Forge Component?  It would just end up being the same application regardless of which front-end server hosts it, so it will only have one configuration.

We looked at the "Idp" Forge Component in the past and it seemed to work the same as using /Users and configuring it for Okta. With Users having the added benefit that Outsystems supports it.

Surely we are not the only ones that have multiple deployment zones in our production environment and are using the Users module to perform SSO through a SAML provider?  This seems like it would be commonplace.

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.