Authenticating a SAML request in order to download content from an app

Hi

I’m building a script to download video files from our Zoom account and then upload them to a team drive.

The Zoom API returns a download URL for the video file, but as we have SAML enabled, it’s necessary to authenticate before you’re redirected to the file.

I’ve been messing around with a bunch of Okta’s authentication APIs, but I’m not really getting anywhere.

My current flow is as follows:

  1. Get a session token from Okta’s auth API /api/v1/authn
  2. Exchange the session token for a session cookie using api/v1/sessions?additionalFields=cookieToken
  3. Pass this cookie to the URL request.

It obviously isn’t working, but I’m not sure if this is because the flow is wrong or because there is an issue with the authentication.

Any help is appreciated!

You should be able to skip step #2 and directly append the sessionToken returned from #1 to the SSO AppLink URL.

Example: https://acme.okta.com/home/zoomus/0oa19haaispwJfdWi1d8/3427?sessionToken=20111V1ruvFwqnyaH4U13GK5PHHBs0qPfnCSnLzHHHjyhV-f27P

You can obtain the SSO AppLink URL from your end-user dashboard via your browser devtools for the chiclet, the app settings (under embed link) in the admin app, or via the AppLinks API (e.g. /api/v1/users/me/appLinks).

Thanks for the reply.

So, should I then be using the cookies I get back from the AppLink request in the request I send to download the video files?

I’m still not really getting anywhere on this.

I’m using the Python requests module.

The problem I’m having is that after I post the session token to the AppLink URL, scrape the URL and SAMLResponse from the HTML response I get back, and then post it to the URL, I appear to be successfully logged in.

However, even after extracting the cookies from this response, and performing all of this from within a requests.Session(), when I then try to get the URL with the video, it just pushes me back to the original login screen.

What am I missing here?

Your use case is really outside of the intended product scenarios as you are trying to use a browser-based SSO protocol with cookies via a headless API client. The AppLink URL is intended to be used only by a browser. I would maybe investigate using something more like https://github.com/GoogleChrome/puppeteer if you want to use SAML-based authentication in a scriptable way.
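
The scrape step described earlier in the thread (pulling the URL and SAMLResponse out of the HTML page the IdP returns), as an added example that is not code from any post or from Okta or Zoom. It parses the form with an HTML parser so entity-escaped values are decoded, keeps every field (RelayState included), and reads the response's Destination for comparison with the form action. The host `sp.example`, the function names and the sample page are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAMLP_RESPONSE = "{urn:oasis:names:tc:SAML:2.0:protocol}Response"

class PostFormParser(HTMLParser):
    """Collect the action URL and input fields of the first <form>."""
    def __init__(self):
        super().__init__()
        self.action, self.fields, self.state = None, {}, "before"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser has already decoded entities such as &#x2b;
        if tag == "form" and self.state == "before":
            self.action, self.state = attrs.get("action"), "inside"
        elif tag == "input" and self.state == "inside" and attrs.get("name"):
            self.fields[attrs["name"]] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self.state == "inside":
            self.state = "after"

def parse_saml_post_form(html):
    """Return the POST target, every form field, and the response's Destination."""
    parser = PostFormParser()
    parser.feed(html)
    parser.close()
    if not parser.action or "SAMLResponse" not in parser.fields:
        raise ValueError("no SAML POST form in page (sign-in page returned instead?)")
    # Inspection only: the signature is not verified here, so trust nothing in it.
    root = ET.fromstring(base64.b64decode(parser.fields["SAMLResponse"]))
    if root.tag != SAMLP_RESPONSE:
        raise ValueError("SAMLResponse is not a samlp:Response document")
    return {"action": parser.action, "fields": parser.fields,
            "destination": root.get("Destination")}

def build_sample_page():
    """Constructed sample: an auto-submit page with entity-escaped field values."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_constructed" Version="2.0" Destination="https://sp.example/saml/acs"/>')
    b64 = base64.b64encode(xml.encode()).decode()
    escaped = b64.replace("+", "&#x2b;").replace("=", "&#x3d;")
    return ('<html><body onload="document.forms[0].submit()">'
            '<form method="post" action="https://sp.example/saml/acs">'
            f'<input type="hidden" name="SAMLResponse" value="{escaped}"/>'
            '<input type="hidden" name="RelayState" value="https://sp.example/rec?id&#x3d;1"/>'
            '</form></body></html>')
```

With the requests module, the parsed form would be replayed inside the same `requests.Session()` as `session.post(form["action"], data=form["fields"])`, which sends exactly the fields a browser would submit.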