auth0 · abbaspour · Jun 12, 2026
@@ -329,7 +329,14 @@
           "pages": [
             "docs/secure/call-apis-on-users-behalf/xaa",
             "docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment",
-            "docs/secure/call-apis-on-users-behalf/xaa/manage-xaa-in-okta",
+            {
+              "group": "XAA IdP Setup",
+              "pages": [
+                "docs/secure/call-apis-on-users-behalf/xaa/idp/manage-xaa-in-okta",
+                "docs/secure/call-apis-on-users-behalf/xaa/idp/configure-okta-as-saml-idp",
+                "docs/secure/call-apis-on-users-behalf/xaa/idp/federate-with-enterprise-idp"
+              ]
+            },
             "docs/secure/call-apis-on-users-behalf/xaa/test-xaa-flow"
           ]
         },

@@ -15,7 +15,7 @@ import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
 
 <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
 
-This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read [Create and configure your Okta tenant](/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment#create-and-configure-your-okta-tenant).
+This guide assumes you use Okta as your enterprise identity provider (IdP) and have administrative access to an Okta tenant you can use for testing. If you don’t have one, read [Create and configure your Okta tenant](/docs/secure/call-apis-on-users-behalf/xaa/idp/manage-xaa-in-okta#create-and-configure-your-okta-tenant).
 
 </Callout>
 
@@ -58,6 +58,8 @@ In the following diagram, Acme is the enterprise customer whose employees authen
 - The Requesting App (Agent0) is registered with the Resource App Authorization Server as an OAuth 2.0 client with a valid client_id and credentials to request access tokens from the Resource App Authorization Server.
 - The Acme IT admin has defined XAA access controls between Agent0 and Todo0.
 
+The Auth0 resource Authorization Server and the enterprise IdP are configured separately: see [Set up Auth0 XAA Environment](/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment) for the Auth0 side, and [Configure Okta as OIDC IdP](/docs/secure/call-apis-on-users-behalf/xaa/idp/manage-xaa-in-okta) under **XAA IdP Setup** for the IdP side.
+
 ## End-to-end XAA flow
 
 With our Acme example in mind, the end-to-end XAA flow has the following steps:
@@ -71,6 +73,8 @@ With our Acme example in mind, the end-to-end XAA flow has the following steps:
 
 Leveraging the XAA flow, Acme’s IT admin policies govern access from Agent0 to Todo0, requiring no end-user redirection or interaction.
 
+To set up this end-to-end flow, complete the Auth0 side via [Set up Auth0 XAA Environment](/docs/secure/call-apis-on-users-behalf/xaa/set-up-xaa-test-environment) and the IdP side via [Configure Okta as OIDC IdP](/docs/secure/call-apis-on-users-behalf/xaa/idp/manage-xaa-in-okta) under **XAA IdP Setup** in the sidebar.
+
 ## Beta limitations
 
 XAA Beta has the following limitations:

@@ -0,0 +1,7 @@
+---
+description: Configure Okta as a SAML identity provider for Cross App Access (XAA). Documentation coming soon.
+sidebarTitle: "Configure Okta as SAML IdP"
+title: "Configure Okta as SAML IdP"
+---
+
+<Info>Documentation for configuring Okta as a SAML IdP is coming soon.</Info>
@@ -0,0 +1,30 @@
+---
+description: Add Organization support to a Cross App Access (XAA) IdP — federate your Auth0 tenant with the enterprise IdP and configure Organizations to associate access tokens with org_id.
+sidebarTitle: "Add Organization Support to XAA IdP"
+title: "Add Organization Support to XAA IdP"
+---
+
+import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
+
+<ReleaseStageNotice 
+  feature="Cross App Access (XAA)"
+  stage="beta"
+  contact="Auth0 Support"
+  terms="true"
+/>
+
+<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
+
+In a production environment, you configure each of your enterprise customers once to federate it with your Auth0 tenant. Auth0 will add support for [Self-Service SSO](/docs/authenticate/enterprise-connections/self-service-enterprise-configuration) in later versions, enabling you to delegate XAA configuration to your enterprise customers as part of SSO setup.
+
+</Callout>
+
+## Configure an Organization
+
+Optionally, if you want an enterprise customer to use Organizations, [create an Organization](/docs/manage-users/organizations/configure-organizations/create-organizations) and [enable the Okta Workforce Enterprise connection](/docs/manage-users/organizations/configure-organizations/enable-connections) for that Organization. This automatically associates access tokens generated using XAA, in the scope of this connection, to the corresponding `org_id` if the target user is a member of the Organization.
+
+<Frame>![](/docs/images/xaa/xaa_enable_connection.png)</Frame>
+
+You can also configure the Requesting App’s [Organization behavior](/docs/manage-users/organizations/configure-organizations/define-organization-behavior) to set whether it is required or allowed to use Organizations. We recommend that you start testing with **Both**, which allows users to log in as an Organization member or sign up with a personal account.
+
+<Frame>![](/docs/images/xaa/xaa_organizations_both.png)</Frame>
@@ -0,0 +1,149 @@
+---
+description: Learn how to configure Okta as an OIDC identity provider for Cross App Access (XAA).
+sidebarTitle: "Configure Okta as OIDC IdP"
+title: "Configure Okta as OIDC IdP"
+---
+
+import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
+
+<ReleaseStageNotice 
+  feature="Cross App Access (XAA)"
+  stage="beta"
+  contact="Auth0 Support"
+  terms="true"
+/>
+
+This page walks through configuring Okta as the OIDC enterprise identity provider for Cross App Access (XAA). You'll set up an Okta tenant, register the Resource and Requesting Apps in Okta, and configure a Workforce Enterprise connection so Auth0 can federate with Okta.
+
+## Create and configure your Okta tenant
+
+To set up your end-to-end test environment for the Resource App, you need to create and configure your Okta tenant for Cross App Access.
+
+- On the [Okta Developer website](https://developer.okta.com/signup/), sign up for an Okta Integrator Free Plan. Once you sign up, you should be redirected to your new Okta tenant.
+- In the Okta Admin Console, navigate to **Settings > Features**. Under Early access features, enable **Cross App Access**.
+
+<Frame>![](/docs/images/xaa/okta_enable_xaa.png)</Frame>
+
+## Register the Requesting App in Okta
+
+### Create Requesting App in Okta
+<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
+
+In a production environment, the Requesting App developer registers the Requesting App in the Okta Integration Network (OIN). Enterprise customers will install the Requesting App from the OIN catalog during their IdP setup.
+
+</Callout>
+
+You must register the application in the Okta Integration Network (OIN) for it to be considered a valid XAA Requesting App when using Okta as the enterprise IdP.
+
+To register the Requesting App in Okta, you have two options:
+
+- For a quick test setup, we recommend using the **XAA Requesting App** that is already registered in the OIN. In the Okta Admin Console, go to **Applications > Applications > Browse App Catalog** and search for `XAA Requesting App`. Select it and add the integration.
+
+<Frame>![](/docs/images/xaa/xaa_okta_browse_req_app_in_oin.png)</Frame>
+
+- During XAA Requesting App install, configure **Issuer URL** to point to your Auth0 tenant and **Client ID** to point to your **Agent0** application in Auth0.
+
+<Frame>![](/docs/images/xaa/xaa_okta_req_app_install.png)</Frame>
+
+- You can also request the registration of a new application in the OIN. To learn more, read the [Submission process for SSO and SCIM integrations](https://developer.okta.com/docs/guides/submit-app-overview/#submission-process-for-sso-and-scim-integrations). To accelerate the registration process, contact your Auth0 or Okta representative.
+
+Since the Requesting App authenticates enterprise employees with Okta, you need to configure the application’s [sign-on policy](https://help.okta.com/en-us/content/topics/security/policies/policies-home.htm) in Okta.
+
+1. Go to **Applications > Applications** and select the application (e.g. Agent0).
+2. Under **Sign On**, select **Edit** and add the Requesting App’s callback URL in the **Redirect URI** field. Adjust the Redirect URI’s value depending on the testing application you want to use. To learn more, read [Test the end-to-end XAA flow](/docs/secure/call-apis-on-users-behalf/xaa/test-xaa-flow).
+3. Select **Save**.
+
+<Frame>![](/docs/images/xaa/xaa_okta_req_app_sign_on_policy.png)</Frame>
+
+### Assign Requesting Application to Test Users
+Finally, allow your test user to log into the Requesting App in Okta.
+
+In the Okta Admin Console:
+
+1. Navigate to **Applications** and select the requesting application you created.
+2. Select **Assign > Assign to People** and select your test user.
+3. Select **Save**.
+
+<Frame>![](/docs/images/xaa/xaa_okta_req_app_user_assignment.png)</Frame>
+
+## Register the Resource App in Okta
+
+### Create Resource App in Okta
+You must register your SaaS application in the Okta Integration Network (OIN) for it to be considered a valid Resource App.
+
+To register your SaaS application as a Resource App in Okta, you have two options:
+
+- For a quick test setup, we recommend using the **XAA Resource App** that is already registered in the OIN. In the Okta Admin Console, go to **Applications > Applications > Browse App Catalog** and search for `XAA Resource App`. Select it and add the integration.
+
+<Frame>![](/docs/images/xaa/xaa_okta_browse_resource_app_in_oin.png)</Frame>
+
+- During XAA Resource App install, configure **Issuer URL** to point to your Auth0 tenant.
+
+<Frame>![](/docs/images/xaa/xaa_okta_resource_app_install.png)</Frame>
+
+- You can also request the registration of a new application in the OIN from your Okta tenant. To learn more, read the [Submission process for SSO and SCIM integrations](https://developer.okta.com/docs/guides/submit-app-overview/#submission-process-for-sso-and-scim-integrations). To accelerate the registration process, contact your Auth0 or Okta representative.
+
+<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
+
+    In a production environment, your enterprise customers will install your SaaS application from the OIN catalog during their IdP setup.
+
+</Callout>
+
+- Since the Resource App authenticates enterprise employees with Okta, you need to configure the application’s sign-on policy in Okta.
+
+1. Go to Applications > Applications and select the application.
+2. Under Sign On, select Edit and add your **Auth0 Tenant’s callback URL** in the **Redirect URI** field.
+3. Select Save.
+
+<Frame>![](/docs/images/xaa/xaa_okta_resource_app_details.png)</Frame>
+
+Additionally, you must provide Okta with the issuer URL of your Auth0 tenant, which is associated with your Resource App. Requesting Apps use the issuer URL to request connecting to your Resource App. To learn more, read [Test the end-to-end XAA flow](/docs/secure/call-apis-on-users-behalf/xaa/test-xaa-flow).
+
+### Assign Resource Application to Test Users
+Finally, allow your test user to log into the Requesting App in Okta.
+
+In the Okta Admin Console:
+
+1. Navigate to **Applications** and select the resource application you created.
+2. Select **Assign > Assign to People** and select your test user.
+3. Select **Save**.
+
+<Frame>![](/docs/images/xaa/xaa_okta_resource_app_user_assignment.png)</Frame>
+
+### Establishing connections between Requesting and Resource App
+
+1. From the Applications page, select the XAA Requesting app
+2. Go to the Manage Connections tab
+3. Under App granted consent, select Add requesting apps, select XAA Resource App, then Save
+4. Under Apps providing consent, select Add resource apps, select XAA Resource App, then Save
+
+<Frame>![](/docs/images/xaa/xaa_okta_req_res_apps_connection.png)</Frame>
+
+### Configure an Okta Workforce Enterprise connection in Auth0
+
+Use your **Resource App**’s `client_id` and `client_secret` to [create an Okta Workforce Enterprise connection](/docs/authenticate/identity-providers/enterprise-identity-providers/okta) in your Auth0 tenant.
+
+<Frame>![](/docs/images/xaa/xaa_auth0_new_okta_workforce_connection.png)</Frame>
+
+When creating the Okta Workforce Enterprise connection, activate the **Cross App Access - Resource Application** role. This enables your Resource App to accept ID-JAGs issued by the enterprise IdP associated with that connection, in this case, your Okta tenant.
+
+<Frame>![](/docs/images/xaa/xaa_auth0_connection_xaa_enabled.png)</Frame>
+
+After creating the Okta Workforce Enterprise connection, check that the **Callback URL provided by Auth0** in the connection's settings, matches the **Redirect URI** configure the sign-on policies of the **Resource App in your Okta** tenant.
+
+### Testing Connection in Auth0
+In the Auth0 Dashboard:
+
+- Navigate to **Authentication > Enterprise > Okta Workforce**:
+	- Enter the Okta Workforce Enterprise connection you created and select the **Applications** tab. Then, enable the Requesting App you created for the connection.
+	- Go back to the list of Okta Workforce connections. Select the three dots on the right for your connection and select **Try**. You will be redirected to authenticate in your Okta tenant to complete the login with your test user.
+
+<Frame>![](/docs/images/xaa/xaa_auth0_try_okta_connection.png)</Frame>
+
+- Login with the user you assigned to XAA Resource Applications
+
+<Frame>![](/docs/images/xaa/xaa_okta_login.png)</Frame>
+
+- Verify login was successful
+
+<Frame>![](/docs/images/xaa/xaa_auth0_try_success.png)</Frame>