Add SAML to Authenticate to OIDC Application

I have an existing web application correctly configured as an OIDC client, allowing authentication and JIT user creation in our Okta Developer tenant via the org-level sign-in widget hosted by Okta, using both direct Okta OIDC and Social Authentication (via Google).

I’d like to add an additional authentication flow from an external customer SAML IDP through the use of IDP routing rules, though I’d still like to retain the existing OIDC client configuration for the application. Thus, the app-initiated login flow would resemble:

  1. User visits our application (httx:// and clicks “Login”
  2. Browser calls the application (httx:// endpoint
  3. Application redirects to the Okta authorization server endpoint with OIDC parameters
  4. User submits their username (email address) in a domain matched by the SAML IdP routing rule, and clicks Next
  5. User is redirected to the external IdP with a SAML request
  6. External IdP generates a SAML assertion and the browser relays it back to Okta
  7. Okta SAML app authenticates the user
  8. Okta generates an OIDC code and redirects to the Okta OIDC authorization server callback
  9. Finally, Okta redirects the user back to the application (httx:// endpoint with the code parameter

Is something like this possible? Various previous posts here suggest similar configuration but it is unclear.
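The client side of steps 3 and 9 of the flow above, as an added example (not code from the original post): the application builds the authorization request with state, nonce and PKCE, then checks what comes back on the callback. Nothing in this part changes when a routing rule later sends some users to a SAML IdP, because Okta returns to the same redirect URI with the same state. The issuer, client ID and redirect URI are assumed placeholder values; the optional login_hint is the address the user would otherwise type at step 4.

```python
"""Client side of the app-initiated OIDC flow (authorization code + PKCE).
Added example; stdlib only. ISSUER, CLIENT_ID and REDIRECT_URI are placeholders."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://dev-123456.okta.com/oauth2/default"   # assumed authorization server
CLIENT_ID = "0oaexampleclientid"                        # assumed OIDC client id
REDIRECT_URI = "https://app.example.com/callback"       # assumed registered redirect URI


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier):
    """PKCE S256 challenge for a code_verifier (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(login_hint=None):
    """Step 3: return the authorize URL plus the per-request secrets the app
    must keep in the user's server-side session until the callback arrives."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": b64url(secrets.token_bytes(32)),
    }
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": code_challenge_s256(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint
    return ISSUER + "/v1/authorize?" + urlencode(params), session


def parse_callback(callback_url, session):
    """Step 9: Okta redirects back with ?code=...&state=... Reject any callback
    whose state differs from the one stored at step 3 (CSRF / replay)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError("authorization failed: %s: %s"
                              % (q["error"][0], q.get("error_description", [""])[0]))
    if q.get("state", [None])[0] != session["state"]:
        raise PermissionError("state mismatch (possible CSRF or replayed callback)")
    code = q.get("code", [None])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    return code


def validate_id_token_claims(claims, session, now=None):
    """Claim checks every client still has to make after exchanging the code,
    whether the user came in via Okta, Google or a partner SAML IdP. Signature
    verification against the issuer's JWKS is assumed to have happened already."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise PermissionError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise PermissionError("token not issued for this client")
    if claims.get("nonce") != session["nonce"]:
        raise PermissionError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")


if __name__ == "__main__":
    url, sess = build_authorize_request("alice@partner.example")
    print(url)
    # Simulated step 9 callback, constructed here with the same state:
    print(parse_callback(REDIRECT_URI + "?code=abc123&state=" + sess["state"], sess))
```

The state check is the reason the reply below needs no extra redirect configuration: whichever IdP authenticated the user, Okta sends the browser back to the registered redirect URI carrying the state the app issued, and the nonce ties the ID token to that same request.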

You would need to double check the OIDC flow you use in your application, but for me it worked for implicit flow, even when a target user doesn’t exist in your Okta org

1 Like

I have the exact same scenario and I’m struggling to make it work. Any findings here, please?

Apologies for lack of follow up here.

Okta handles more than I assumed here initially and will appropriately authenticate the user and redirect them back to the OIDC application without specifically configuring the redirect. The OAuth2 flow includes enough information for Okta to handle this. We now accomplish the desired functionality by:

  1. Add a unique SAML 2.0 IdP for the partner using temporary values for the IdP Issuer URI, IdP SSO URL and IdP Certificate.
  2. Provide the generated ACS URL and Audience URI to the partner for use in adding a SAML app to their IdP.
  3. Ask the partner to provide their IdP Issuer URI, IdP SSO URL and IdP Certificate, and replace the temporary values from step 1.
  4. Add a routing rule that points to this new identity provider, with pattern matching on the partner username. This is commonly the email domain.

This, of course, requires that the username either already exists and has been given access to the OIDC application, or is allowed to be JIT-provisioned by the IdP configuration in a way that automatically grants access (Group Assignment, presumably).
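The same four steps driven through the Okta Management API (Identity Providers API and Policies API), as an added example; this is not the poster's configuration. Field names follow the Okta API reference as I know it and should be checked against the current docs; the `_links.acs.href` location of the generated ACS URL in the create response is an assumption, and every org URL, id, domain and certificate is a placeholder. It also covers the closing caveat: JIT provisioning with a group assignment is what gives a brand-new partner user the OIDC app.

```python
"""Steps 1-4 of the reply against the Okta Management API. Added example.
Requires OKTA_ORG_URL and an SSWS token in OKTA_API_TOKEN to run for real;
the payload builders and the routing preview work offline."""
import json
import os
import urllib.request

ORG_URL = os.environ.get("OKTA_ORG_URL", "https://dev-123456.okta.com")  # assumed org
API_TOKEN = os.environ.get("OKTA_API_TOKEN", "")                          # SSWS API token


def okta(method, path, body=None):
    """Minimal authenticated Management API call (only used when run for real)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ORG_URL + path, data=data, method=method, headers={
        "Authorization": "SSWS " + API_TOKEN, "Accept": "application/json",
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def saml_idp_payload(name, issuer, sso_url, kid, group_ids=(), audience=None):
    """Body for POST /api/v1/idps (step 1, placeholder values) and PUT (step 3,
    the partner's real values). kid identifies a certificate uploaded to
    /api/v1/idps/credentials/keys. Provisioning AUTO enables JIT; group_ids are
    the groups a JIT-created user is placed in, which is how they get the app."""
    trust = {"issuer": issuer, "kid": kid}
    if audience:
        trust["audience"] = audience  # generated by Okta on create; keep it on update
    groups = ({"action": "ASSIGN", "assignments": list(group_ids)} if group_ids
              else {"action": "NONE"})
    return {
        "type": "SAML2", "name": name,
        "protocol": {
            "type": "SAML2",
            "endpoints": {"sso": {"url": sso_url, "binding": "HTTP-POST", "destination": sso_url},
                          "acs": {"binding": "HTTP-POST", "type": "INSTANCE"}},
            "algorithms": {"request": {"signature": {"algorithm": "SHA-256", "scope": "REQUEST"}},
                           "response": {"signature": {"algorithm": "SHA-256", "scope": "ANY"}}},
            "credentials": {"trust": trust},
        },
        "policy": {
            "provisioning": {"action": "AUTO", "profileMaster": True, "groups": groups,
                             "conditions": {"deprovisioned": {"action": "NONE"},
                                            "suspended": {"action": "NONE"}}},
            # AUTO links an existing Okta user by username: only safe when you trust
            # the partner to assert NameIDs solely within their own domain.
            "accountLink": {"filter": None, "action": "AUTO"},
            "subject": {"userNameTemplate": {"template": "idpuser.subjectNameId"},
                        "filter": None, "matchType": "USERNAME"},
            "maxClockSkew": 0,
        },
    }


def routing_rule_payload(name, idp_id, email_domain, priority=1):
    """Step 4: IdP discovery rule. The pattern keeps the '@' so that a username
    like alice@evil-partner.example does not match a rule for partner.example."""
    return {
        "type": "IDP_DISCOVERY", "name": name, "priority": priority, "status": "ACTIVE",
        "conditions": {
            "network": {"connection": "ANYWHERE"},
            "userIdentifier": {"type": "IDENTIFIER",
                               "patterns": [{"matchType": "SUFFIX", "value": "@" + email_domain}]},
        },
        "actions": {"idp": {"providers": [{"type": "SAML2", "id": idp_id}]}},
    }


def is_routed(rule, username):
    """Local preview of the rule's SUFFIX patterns (assumed: plain
    case-insensitive suffix match) to see which logins it would send to the IdP."""
    u = username.strip().lower()
    return any(u.endswith(p["value"].lower())
               for p in rule["conditions"]["userIdentifier"]["patterns"]
               if p["matchType"] == "SUFFIX")


def create_placeholder_idp(name, placeholder_x5c, group_ids=()):
    """Steps 1-2: create the IdP with placeholder issuer/SSO URL and a throwaway
    self-signed cert (base64 DER in placeholder_x5c); return what the partner needs."""
    kid = okta("POST", "/api/v1/idps/credentials/keys", {"x5c": [placeholder_x5c]})["kid"]
    idp = okta("POST", "/api/v1/idps", saml_idp_payload(
        name, "https://placeholder.invalid", "https://placeholder.invalid/sso", kid, group_ids))
    return {"idp_id": idp["id"],
            "acs_url": idp["_links"]["acs"]["href"],  # assumed response shape
            "audience": idp["protocol"]["credentials"]["trust"]["audience"]}


def finish_partner_idp(idp_id, name, issuer, sso_url, partner_x5c, email_domain, group_ids=()):
    """Steps 3-4: swap in the partner's real metadata, then add the routing rule."""
    kid = okta("POST", "/api/v1/idps/credentials/keys", {"x5c": [partner_x5c]})["kid"]
    audience = okta("GET", "/api/v1/idps/" + idp_id)["protocol"]["credentials"]["trust"]["audience"]
    okta("PUT", "/api/v1/idps/" + idp_id,
         saml_idp_payload(name, issuer, sso_url, kid, group_ids, audience))
    policy_id = okta("GET", "/api/v1/policies?type=IDP_DISCOVERY")[0]["id"]
    return okta("POST", "/api/v1/policies/%s/rules" % policy_id,
                routing_rule_payload(name + " routing", idp_id, email_domain))


if __name__ == "__main__":
    rule = routing_rule_payload("Partner routing", "0oaPARTNERIDPID", "partner.example")
    print(json.dumps(rule, indent=2))
    for user in ("alice@partner.example", "alice@evil-partner.example", "alice@example.com"):
        print(user, "->", "partner SAML IdP" if is_routed(rule, user) else "default Okta / Google")
```

Run it with no environment set and it only prints the routing rule and the preview; the `create_placeholder_idp` / `finish_partner_idp` pair is the two-phase exchange the reply describes, with the partner's certificate uploaded first so the updated IdP references it by kid.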

Thanks for your reply. I already configured this use case. But when I tried it on my React application it fails. here’s my exact problem in this forum.

Thank you very much Russ !

1 Like
