Assertion is not a valid SAML 2.0 Assertion error

I’m following, line by line, the instructions from here (https://github.com/emanor-okta/saml-assertion-flow-samples/blob/main/Manual_SAML_Assertion_Flow.md#common-problems), and keep on getting the ‘assertion is not a valid SAML 2.0 Assertion’ error.

Do the instructions work for anyone recently? If not, can anybody throw me some hints or tips on how I might circumvent this issue? Many thanks.

Can anyone explain the above-mentioned walkthrough in the light of this (Implement authorization by grant type | Okta Developer) official document? I can’t understand which is which. For instance, what do SP and IdP correspond to in the link in the diagram?

Hello,

Are you able to provide your Okta Org details so we can check if the logs give more details?
If not you can open a support case so you can provide the details.

Thank You,


This is a simple demonstration that works where your Okta Org acts as the SAML IdP and OAuth2 Provider. The SP would basically be you, since you receive the SAML Response, manually strip out the SAML Assertion, and then use it for the SAML Assertion Token Exchange Flow, where the assertion is sent right back to the same Org that generated it.

In a real world scenario these 2 entities (SAML IdP / OAuth provider) would be distinct, otherwise there would be no reason to do a SAML Assertion flow; instead you could do an authorization code flow.

Can you detail the implementation you are working on which requires the SAML Assertion flow? It would help us understand what it is you are trying to setup.

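The step that reply describes, stripping the Assertion out of the SAML Response and checking it is the element the token endpoint expects before base64url-encoding it for the saml2-bearer grant (RFC 7522), as an added Python example that is not part of this thread or of the linked repository. The sample Response is constructed and unsigned, and the checks cover only namespace and Version, so they are not a diagnosis of the poster's error.

```python
import base64
from xml.etree import ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("saml", SAML2_ASSERTION_NS)
ET.register_namespace("samlp", SAML2_PROTOCOL_NS)

# Constructed, unsigned, minimal SAML Response used only for this example.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAML2_PROTOCOL_NS}"
    xmlns:saml="{SAML2_ASSERTION_NS}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exampleissuer</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://www.okta.com/exampleissuer</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def is_saml2_assertion(xml_text: str) -> bool:
    """True only if the document root is <Assertion> in the SAML 2.0
    assertion namespace with Version="2.0"; a whole <Response> fails."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    return root.tag == f"{{{SAML2_ASSERTION_NS}}}Assertion" and root.get("Version") == "2.0"


def extract_assertion(response_xml: str) -> str:
    """Return the <saml:Assertion> child of a SAML Response as its own
    XML document, or raise ValueError if there is none."""
    root = ET.fromstring(response_xml)
    assertion = root.find(f"{{{SAML2_ASSERTION_NS}}}Assertion")
    if assertion is None:
        raise ValueError("Response carries no SAML 2.0 Assertion element")
    # Re-serialising is fine for this unsigned sample. A signed assertion
    # must be forwarded byte-for-byte (or canonicalised), otherwise its
    # XML signature no longer verifies.
    return ET.tostring(assertion, encoding="unicode")


def assertion_grant_param(response_xml: str) -> str:
    """base64url value for the 'assertion' parameter of the
    urn:ietf:params:oauth:grant-type:saml2-bearer grant (RFC 7522)."""
    assertion = extract_assertion(response_xml)
    if not is_saml2_assertion(assertion):
        raise ValueError("extracted element is not a valid SAML 2.0 Assertion")
    return base64.urlsafe_b64encode(assertion.encode("utf-8")).decode("ascii")
```

Passing the whole Response, or an element outside the SAML 2.0 assertion namespace, fails the `is_saml2_assertion` check before anything is sent to the token endpoint.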

Thank you for your replies.
I’m doing exactly what is written in the link (https://github.com/emanor-okta/saml-assertion-flow-samples/blob/main/Manual_SAML_Assertion_Flow.md#common-problems), and it keeps on failing with the same error message as mentioned above.

What I eventually want to achieve is this. I’d like my app to have one SAML assertion, and use it to retrieve tokens from multiple apps that were SSO configured in Okta. With those tokens I want to fetch specific data the resource owners can provide; for example, users and the number of users, pricing plans, and more things that resource owners allow with the assertion. Is there such a use case?

The SP would basically be you since you receive the SAML Response, manually strip out the SAML Assertion, and then use it for the SAML Assertion Token Exchange Flow. Where the assertion is sent right back to the same Org that generated it.

I found the content of the github link to be confusing. Below is where I got lost.

  1. I can’t map the outcomes of each section to client, IdP, auth server, and SP. For instance, I can’t get why ‘configuring SP’ produces the IdP SSO endpoint. The same goes for when the ACS URL was created after configuring the IdP. Does SP here mean resource owner? Where is the auth server, and when is it configured?

  2. Later I got to think that the flow described in the GitHub link is not actually the same as the one described here (Implement authorization by grant type | Okta Developer), but is just an SP-initiated flow. Is this right?