Add SAML to Authenticate to OIDC Application

I have an existing web application correctly configured as an OIDC client and allowing for authentication and JIT user creation to our Okta Developer tenant via the org level sign-in widget hosted by okta using both direct Okta OIDC and Social Authentication (via Google).

I’d like to add an additional authentication flow from an external customer SAML IDP through the use of IDP routing rules, though I’d still like to retain the existing OIDC client configuration for the application. Thus, the app-initiated login flow would resemble:

  1. User visits our application (httx://app.example.com) and clicks “Login”
  2. Browser calls application (httx://app.example.com/oauth2/authorization/oidc) endpoint,
  3. Application redirects to Okta authorization server endpoint with OIDC parameters
  4. User submits username email address for applicable domain for SAML IDP routing rule, and clicks Next
  5. User is redirected to external IDP with SAML request
  6. External IDP generates SAML assertion and browser relays back to Okta
  7. Okta SAML App authenticates user
  8. Okta generates OIDC code and redirects to Okta OIDC authorization server callback
  9. Finally Okta redirects user back to application (httx://app.example.com/login/oauth2/code/oidc) endpoint with code parameter

Is something like this possible? Various previous posts here suggest similar configuration but it is unclear.

You would need to double check the OIDC flow you use in your application, but for me it worked for implicit flow, even when a target user doesn’t exist in your Okta org