❓ This question came from a member of the Persona community - a team manager who was trying to configure use of Persona for their employees. This question is useful for those who want to understand how to manage Okta single sign-on for multiple Persona instances with the same set of users or employees.
Question: How do I enable employees to access multiple Persona organizations configured with Okta single sign-on?
Answer
Thank you for your question; we can definitely help with this one. As a prerequisite, you'll need to have Okta single sign-on enabled for both (or all, if more than two) of the Persona organizations/instances that you'd like to configure access for.
Example setup
The setup instructions below use the following references:
- Email: alex@domain.com
- Persona Organization One: First Acme Fintech
- Persona Organization Two: Second Acme Fintech
With this setup, a user with the email alex@domain.com can log into two Persona Orgs using the following:
Organization Name | Login Email |
---|---|
First Persona Organization | alex+firstacme@domain.com |
Second Persona Organization | alex+secondacme@domain.com |
Configure Application username
- Using your Okta admin account, navigate to the Applications section of the email’s Okta account
- With the prerequisites in place, you should have an application called First Persona Application set up with SSO. Click on First Persona Application > General
- Under the SAML Settings, click on Edit to modify the configuration
- Click Next to land on the Configuration SAML section
- Modify the Application username to Custom
 | Existing | New |
---|---|---|
Application username | Email | Custom |
- In the Enter a custom rule field, use the following expression:
substringBefore( user.email, "@") + '+{COMPANY}@' + substringAfter( user.email, "@")
- First Persona Organization Example:
substringBefore( user.email, "@") + '+firstacme@' + substringAfter( user.email, "@")
- Save the updated changes.
- Repeat the same steps from 1 - 7 with Second Persona Application
- Second Persona Organization Example:
substringBefore( user.email, "@") + '+secondacme@' + substringAfter( user.email, "@")
- To finish the provisioning, Alex (the employee or user who you are setting this up for) needs to perform the following:
- Option 1 — Log in to the respective Persona Org via Okta Tiles
- Option 2 — Log in to both Persona Orgs using the Persona Organization Slug at least once
- You are done. Alex can now use either email to log in to their desired Persona Organization.
⚠️ Note: This does not impact the Okta username that the end user uses to log into their Okta Dashboard, nor does it impact the email address in other downstream applications tied to Okta.
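Before saving the custom rule, it helps to preview which application usernames it will produce for your directory. The following is an added example, not Persona or Okta code: it mirrors the expression above in Python, rejects emails the rule was not written for, and flags generated usernames that clash with an address already in the directory. The function names, the sample emails and the case-insensitive comparison are assumptions.

```python
# Added example: preview the usernames produced by the custom rule
#   substringBefore(user.email, "@") + '+{COMPANY}@' + substringAfter(user.email, "@")
# Sample data below is constructed for illustration.

def persona_username(email: str, company_tag: str) -> str:
    """Build local+tag@domain; refuse emails without exactly one '@'."""
    if email.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {email!r}")
    local, domain = email.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain in {email!r}")
    return f"{local}+{company_tag}@{domain}"

def preview(emails, org_tags):
    """Return ({(email, org): username}, [problem strings])."""
    mapping, problems = {}, []
    directory = {e.lower() for e in emails}  # addresses that already exist
    seen = {}                                # generated username -> source email
    for email in emails:
        for org, tag in org_tags.items():
            try:
                username = persona_username(email, tag)
            except ValueError as exc:
                problems.append(str(exc))
                break  # report a malformed email once, not once per org
            key = username.lower()  # assumption: logins compare case-insensitively
            if key in directory:
                problems.append(f"{username} (from {email}) is already a directory email")
            if key in seen and seen[key] != email:
                problems.append(f"{username} is generated for both {seen[key]} and {email}")
            seen[key] = email
            mapping[(email, org)] = username
    return mapping, problems

# Constructed sample input
ORG_TAGS = {"First Acme Fintech": "firstacme", "Second Acme Fintech": "secondacme"}
SAMPLE_EMAILS = ["alex@domain.com", "alex+firstacme@domain.com", "no-at-sign"]

if __name__ == "__main__":
    mapping, problems = preview(SAMPLE_EMAILS, ORG_TAGS)
    for (email, org), username in mapping.items():
        print(f"{email:28} {org:22} {username}")
    for p in problems:
        print("CHECK:", p)
```

Resolve anything reported under CHECK before applying the rule, since two Okta users resolving to the same Persona login would share one account in that organization.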