This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read [Create and configure your Okta tenant](/docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp#create-and-configure-your-okta-tenant).
19
-
20
-
</Callout>
21
-
22
16
Connecting third-party apps and AI agents in an enterprise creates two key problems: poor IT visibility into data sharing and repetitive consent flows for users.
23
17
24
18
Cross App Access (XAA) addresses these challenges by allowing IT admins to centrally define access controls for how SaaS applications, like AI agents, connect on a user's behalf. Admins manage these connections in a central dashboard, like the Okta Admin Console, which eliminates disruptive OAuth consent prompts for end-users. The result is improved organizational security, governance, and user experience.
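Review bot: deleting the Okta prerequisite Callout (the "This guide assumes you use Okta as your enterprise identity provider (IdP)..." block) leaves this overview with no statement that admin access to an IdP tenant is needed before the flow can be tried, while the surviving sentence "Admins manage these connections in a central dashboard, like the Okta Admin Console" still reads as Okta-specific. The same Callout text is re-added on the configure-okta-as-oidc-idp page further down this diff, so if the intent is an IdP-neutral overview, either drop "like the Okta Admin Console" here too or keep a one-line pointer to the IdP setup page so the prerequisite is still discoverable from the overview.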
@@ -58,7 +52,7 @@ In the following diagram, Acme is the enterprise customer whose employees authen
58
52
- The Requesting App (Agent0) is registered with the Resource App Authorization Server as an OAuth 2.0 client with a valid client_id and credentials to request access tokens from the Resource App Authorization Server.
59
53
- The Acme IT admin has defined XAA access controls between Agent0 and Todo0.
60
54
61
-
The Auth0 resource Authorization Server and the enterprise IdP are configured separately: see [Set up Auth0 XAA Environment](/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment) for the Auth0 side, and [Configure Okta as OIDC IdP](/docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp)under **XAA IdP Setup**for the IdP side.
55
+
The Auth0 resource Authorization Server and the enterprise IdP are configured separately: see [Set up Auth0 XAA Environment](/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment) for the Auth0 side, and [Configure Okta as OIDC IdP](/docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp) for the IdP side.
62
56
63
57
## End-to-end XAA flow
64
58
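Review bot: "The Auth0 resource Authorization Server" keeps inconsistent casing in the new line; everywhere else in this diff the term is "Resource App Authorization Server". Suggest "The Auth0 Resource App Authorization Server and the enterprise IdP are configured separately: ...". The rest of the change is an improvement: the old line ran the link straight into the bold text ("...configure-okta-as-oidc-idp)under **XAA IdP Setup**for the IdP side."), and dropping the sidebar reference removes a dependency on navigation layout.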
@@ -67,14 +61,12 @@ With our Acme example in mind, the end-to-end XAA flow has the following steps:
67
61
1. The Acme employee logs into the Requesting App (Agent0) using SSO with the enterprise IdP. The Requesting App obtains an ID token to verify the Acme employee’s identity.
68
62
2. The Requesting App makes a token exchange request to the IdP to exchange the ID token for a cross-domain Identity Assertion JWT Authorization Grant, also known as ID-JAG. The IdP validates the request and checks the XAA policy defined by the Acme IT Admin.
69
63
3. If the XAA policy allows for it, the IdP returns the ID-JAG to the Requesting App.
70
-
4. The Requesting App makes a token request using the ID-JAG to the Resource App (Todo0) Authorization Server.
64
+
4. The Requesting App makes a token request using the ID-JAG to the Resource App Authorization Server.
71
65
5. The Resource App Authorization Server validates the ID-JAG using the public key it also uses for its OpenID Connect flow with the IdP. If valid, the authorization server returns an access token.
72
66
6. The Requesting App makes a request with the access token to the Resource App’s API.
73
67
74
68
Leveraging the XAA flow, Acme’s IT admin policies govern access from Agent0 to Todo0, requiring no end-user redirection or interaction.
75
69
76
-
To set up this end-to-end flow, complete the Auth0 side via [Set up Auth0 XAA Environment](/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment) and the IdP side via [Configure Okta as OIDC IdP](/docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp) under **XAA IdP Setup** in the sidebar.
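Review bot: dropping "(Todo0)" from step 4 makes the step list inconsistent: step 1 still introduces the Requesting App as "(Agent0)", and the unchanged summary line "Acme’s IT admin policies govern access from Agent0 to Todo0" now uses an alias the steps never introduce. Either keep "Resource App (Todo0) Authorization Server" in step 4 or remove both aliases from the numbered steps. Removing the closing "To set up this end-to-end flow..." paragraph is fine, since the same two links already appear in the paragraph above the "End-to-end XAA flow" heading and the removed text still referenced "**XAA IdP Setup** in the sidebar".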
This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read [Create and configure your Okta tenant](/docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp#create-and-configure-your-okta-tenant).
19
+
20
+
</Callout>
21
+
16
22
This page walks through configuring Okta as the OIDC enterprise identity provider for Cross App Access (XAA). You'll set up an Okta tenant, register the Resource and Requesting Apps in Okta, and configure a Workforce Enterprise connection so Auth0 can federate with Okta.
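Review bot: the added Callout links to "Create and configure your Okta tenant" using the full path of this same page (/docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp#create-and-configure-your-okta-tenant); since the target section is on the page the reader is already viewing, a same-page anchor ("#create-and-configure-your-okta-tenant") avoids a full navigation and survives a page move. The opening sentence just below already says "You'll set up an Okta tenant", so the Callout could instead say the tenant is created in the first section of this page.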
main/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment.mdx (6 additions & 5 deletions)
@@ -13,13 +13,14 @@ import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
13
13
terms="true"
14
14
/>
15
15
16
-
This section explains how to set up the end-to-end test environment for the Resource App. By configuring your Auth0 tenant as the Resource App Authorization Server, your SaaS application can start accepting incoming ID-JAG requests without requiring any code changes. This enables your SaaS API to generate access tokens in response to these requests, allowing AI agents and other applications to seamlessly consume your API.
16
+
By configuring your Auth0 tenant as the Resource App Authorization Server, your SaaS application can start accepting incoming ID-JAG requests without requiring any code changes. This enables your SaaS API to generate access tokens in response to these requests, allowing AI agents and other applications to seamlessly consume your API.
17
17
18
-
To set up your end-to-end test environment for the Resource App:
18
+
To set up your end-to-end test environment in Auth0:
19
19
20
-
- Configure and register your Resource App: This includes configuring your Auth0 tenant and registering your SaaS application as a Resource App with Okta. To learn more, read [Resource App setup](#resource-app-setup).
21
-
- Configure the Requesting App to test the end-to-end: This includes registering a test Requesting App in your Auth0 tenant and updating Okta to link it with your Resource App. To learn more, read [Requesting App setup](#requesting-app-setup).
22
-
- Configure how your Auth0 tenant federates with your customer’s enterprise IdP: In our test environment, the enterprise IdP will be your Okta test tenant, representing one of your enterprise customers. To learn more, read [Add Organization Support to XAA IdP](/docs/secure/call-apis-on-users-behalf/xaa/idp/federate-with-enterprise-idp).
20
+
- Configure and register your API in Auth0. To learn more, read [Create the API in Auth0](#create-the-api-in-auth0)
21
+
- Configure and register your Resource App: This includes configuring your Auth0 tenant and registering your SaaS application as a Resource App with IdP (e.g. Okta). To learn more, read [Resource App setup](/docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp#register-the-resource-app-in-okta).
22
+
- Configure the Requesting App to test the end-to-end: This includes registering a test Requesting App in your Auth0 tenant and updating IdP (e.g. Okta) to link it with your Resource App. To learn more, read [Requesting App setup](#requesting-app-setup).
23
+
- Configure how your Auth0 tenant federates with your customer’s enterprise IdP: In our test environment, the enterprise IdP will be your Okta test tenant, representing one of your enterprise customers. To learn more, read [Configure an Okta Workforce Enterprise connection in Auth0](docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp#configure-an-okta-workforce-enterprise-connection-in-auth0).
23
24
24
25
{/* The following image maps the responsibilities of the different personas in a production-ready XAA flow: */}
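Review bot: the last new bullet's link href "docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-oidc-idp#configure-an-okta-workforce-enterprise-connection-in-auth0" is missing the leading slash that every other link in this patch has, so it resolves relative to the current page path and will break; change it to "/docs/secure/...". Smaller points in the same list: the "Create the API in Auth0" bullet has no closing period; "with IdP (e.g. Okta)" and "updating IdP (e.g. Okta)" read better as "with the IdP (for example, Okta)"; and the Resource App bullet still says "This includes configuring your Auth0 tenant" while its link now points only at the Okta registration section, so either link the Auth0 part as well or trim that clause.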