Access token from SAML authentication -> OIDC app

Hello,

I'm using SAML auth for employees at my company, and the goal is to be able to have them log in to an OIDC application.

I have got it to the point where Okta does the authentication and redirects me to my OIDC application, but it only gives me an ID token. I need an access token so I can load data from my API.

Not sure what the best solution is here. I could start using the ID token to validate API calls, but I hear that is the wrong approach.

Any solutions?

Thanks

Hey @kdavis - can you provide some detail on how you have this set up? More info on your configuration, or a network trace of the authentication redirect would be helpful.

The goal is to have employees log in to our customer application. I have two Okta orgs: one for our employees and one for our customers. I've set up Okta Org2Org from the employee org -> customer org (inbound SAML).

On our customer org, we have an OIDC application. On this application I've set Login Initiated by to 'Either Okta or App', and for the login flow I have 'Send ID Token directly to app (Okta Simplified)'. I then use the App Embed link it gives me as the RelayState on my SAML auth from my other org.

Our customer application is a SPA. We use Okta JS to sign in customers and retrieve access tokens via the authorize route using the sessionToken Okta gives us. I would like to do the same thing, if possible, for employees.

Any ideas? Thanks

Thanks for the detailed explanation. If I’m understanding correctly:

  • Customers (users in the customer org) log into the SPA by visiting the SPA directly and logging in using Auth.js
  • You want employees (users in the employees org) to be able to click a chiclet on their employee dashboard and be redirected/automatically logged in to the SPA
  • This is working, but you’re landing on the SPA with only an ID token (not an access token)

Is that right?

That's correct. I do API authorization using access tokens, and since I don't have one, no data can be loaded. Not sure if I should just switch to using ID tokens for API authorization.

Maybe I need to be using ID tokens on my internal APIs to do authorization, since all I care about is who is logged in. Access tokens, from what I'm reading, are used to get access to resource servers?