# Introduction

This is the architecture documentation for the "Delegated Admin Console" (okta-dac) sample project and its companion project, the "End-user Dashboard" (byob-dashboard).

Using native Okta capabilities, we:

1. Add a "tenant" layer to an Okta org using a custom setup of Groups and Roles.
2. Provide tenant self-service administration by leveraging OAuth for Okta.
   - Users in any particular tenant can have one of two roles: User or Tenant Admin. Tenant Admins can access the Delegated Admin Console app, and all users can access the End-user Dashboard app.
3. Support "bring your own IdP" using Okta's Inbound Federation functionality.
4. Protect API resources with Okta's API Access Management.
   - We configure Okta to issue JWTs that embed tenant information, design our API endpoints so that the tenant namespace is part of the request URL, and implement a custom authorizer that restricts access to a tenant-namespaced route based on the tenant information embedded in the JWT (the Bearer token of the API request).

# Delegated Admin Console

This app displays one of two different UXs depending on the user's role, which is either Super Admin or Tenant Admin.

# Super Admin

The Okta org must be configured to have a SUPERUSERS group. Any user assigned to this group will see the Super Admin UI upon logging in to okta-dac:


Super Admins:

- Add new Tenants
- Create the Tenants' first user (the first Tenant Admin)
- Designate which Apps the Tenant can access
- Designate email Domains that belong to the Tenant

# Tenant Admin


The Tenant Admin role allows users to self-manage their tenants:

- Manage Users
  - Add Users
  - Update users' profiles
  - Update user statuses (Activate, Deactivate, Suspend, etc.)
  - Assign Tenant Admin roles to other users
  - Assign/Unassign Applications to users
- Self-configure an IdP for SAML Authentication
- Self-verify email Domains

# End-user Dashboard


The End-user Dashboard is the companion app to okta-dac. Users log in to this application to:

- Access SSO Applications assigned to them
- Manage their own profile:
  - Update profile
  - Change password
  - Enroll/unenroll other factors

# Next Steps

These three user experiences may seem simple on the surface, but they leverage very powerful Okta concepts and functionality that we discuss in the next section, Architecture.

Last Updated: 6/23/2020, 6:08:29 PM