I have the following setup.
Okta Main is the IdP (Identity Provider) for Okta Sub
Azure Active Directory is the IdP for Okta Main
When I login into Okta Sub, the flow goes as
Okta Sub → Okta Main → AAD , I get an error from Azure Active Directory
I have checked the Request Binding attribute is set to HTTP POST in the IdP.
If I login into Okta Main, the flow works (Okta Main → AAD)
Did anyone ever face this , and any solutions ?
Is it POST for all steps of the process? I have a feeling, like it’s sent in GET request
Hi,
I have checked all the Okta IdP , it is configured as POST. I am not sure if AAD matters in this case.
a tool like SAML tracer extension can easily show how things are passed really. Not sure though, how to change things from GET to POST though 
I’ve used the saml tracer extension , nothing stands out. Also it works over one hop. Okta to aad or okta to okta.
If someone else has set up a similar IdP scenario where they go Okta → Okta → Azure maybe they can point out what needs to be configured .
I was just trying different things, and it started working once I unchecked the Sign SAML Authentication Requests under Advanced Settings.
Looks like Azure AD does not support signature verification: Azure Single Sign On SAML Protocol - Microsoft identity platform | Microsoft Docs
It does make sense to some degree, as Signature exclusion decreases the overall length of an assertion. Still the issue would be visible, if you go with three redirects before AAD.
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.