Automated SAML Authentication

My organization has an application protected by Okta – the app acts as the Service Provider, with Okta (backed by Google Apps) serving as the Identity Provider. Unauthenticated users accessing the app are directed through the SP-initiated SAML login flow: redirect to https://{OKTA_DOMAIN}.com/apps/{APP_NAME}/sso/saml, Okta processes the SSO request, the browser sends the response to the application’s ACS URL, and the user is logged in. This works great for human users with a web browser user-agent, but I want a Python script to be able to access the application with a service account without human intervention. What would be the best way to handle the authentication for a programmatic/automated workflow when SAML is required?

Not a Python guy, but… if you have a session with Okta, represented by the Okta session cookie, you can hit the IdP-initiated flow URL and it will redirect you to the application with the assertion.

Does it sound like you can achieve this?

I think getting the session with Okta is the part that I’m unsure about. Everything works fine if I’m a web browser, but not if I’m a script. A simple user-agent like cURL or Requests doesn’t execute the JavaScript on the page that renders the login form, so I can’t submit data through it as if I were using Chrome / Firefox / Edge / whatever. (Additionally, the IdP-initiated flow isn’t working for this app, though I’ve notified the team who maintains our app, so maybe that will be an option eventually.)

If you look at Okta Session API, you will find methods to perform the following:

  1. authenticate your user and get a session token
  2. exchange the session token for a session cookie by hitting your application's embed link - https://developer.okta.com/docs/guides/session-cookie/overview/#retrieving-a-session-cookie-by-visiting-an-application-embed-link

That should do the trick, I think.
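The two steps above, worked through in Python as an added example (this is not code from the thread or from Okta): step 1 POSTs the service account's credentials to the Authn API (`/api/v1/authn`) and takes the `sessionToken` only when the status is `SUCCESS`; step 2 GETs the application's embed link with `?sessionToken=...`, which sets the Okta session cookie and redirects into the SP-initiated SAML flow, ending on the auto-submit page whose form carries `SAMLResponse` to the application's ACS URL. The script then submits that form itself, since nothing executes JavaScript here. The org URL and embed link are placeholders you must replace, the sample HTML is constructed for the offline check, and only the standard library is used.

```python
# Added example (not from the forum thread or Okta): Authn API session token ->
# app embed link -> submit the SAMLResponse form to the ACS URL. Stdlib only.
import json
import os
import http.cookiejar
import urllib.parse
import urllib.request
from html.parser import HTMLParser

OKTA_ORG = "https://PLACEHOLDER.okta.com"  # placeholder: your Okta org URL
# placeholder: the app's embed link, copied from the Okta admin console
APP_EMBED_LINK = f"{OKTA_ORG}/home/PLACEHOLDER_APP/0oaPLACEHOLDER/123"

# Constructed sample of the auto-submit page Okta renders after the redirect chain.
SAMPLE_SAML_PAGE = (
    '<html><body><form action="https://app.example.com/saml/acs" method="post">'
    '<input type="hidden" name="SAMLResponse" value="PHNhbWw+"/>'
    '<input type="hidden" name="RelayState" value="/"/>'
    '</form></body></html>'
)


def authn_request(org_url, username, password):
    """Step 1: build the POST /api/v1/authn request. Returns (url, json_body_bytes)."""
    body = json.dumps({"username": username, "password": password}).encode()
    return f"{org_url}/api/v1/authn", body


def session_token_from_authn(response_json):
    """Take sessionToken from the /authn response, failing closed on any other
    status (MFA_REQUIRED, LOCKED_OUT, PASSWORD_EXPIRED, ...)."""
    status = response_json.get("status")
    if status != "SUCCESS":
        raise PermissionError(f"Okta authn did not succeed: status={status}")
    return response_json["sessionToken"]


def embed_link_with_token(embed_link, session_token):
    """Step 2: add sessionToken to the embed link; GETting it sets the Okta
    session cookie and redirects into the SP-initiated SAML flow."""
    parts = urllib.parse.urlsplit(embed_link)
    query = dict(urllib.parse.parse_qsl(parts.query))
    query["sessionToken"] = session_token
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


class SamlFormParser(HTMLParser):
    """Collect the form Okta would auto-submit: action (ACS URL) and hidden inputs."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def parse_saml_form(html_text):
    """Return (acs_url, form_fields) or raise if no SAMLResponse form is present."""
    p = SamlFormParser()
    p.feed(html_text)
    if p.action is None or "SAMLResponse" not in p.fields:
        raise ValueError("no SAML auto-submit form found in response")
    return p.action, p.fields


def login(username, password, org_url=OKTA_ORG, embed_link=APP_EMBED_LINK):
    """Full flow over the network. Returns an opener whose cookie jar holds the
    application's session after the ACS POST; reuse it for further requests."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    url, body = authn_request(org_url, username, password)
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    with opener.open(urllib.request.Request(url, data=body, headers=headers)) as resp:
        token = session_token_from_authn(json.load(resp))
    # Redirects are followed automatically; the cookie jar picks up the Okta session.
    with opener.open(embed_link_with_token(embed_link, token)) as resp:
        acs_url, fields = parse_saml_form(resp.read().decode())
    # A browser would auto-submit this form via JavaScript; do it explicitly.
    acs_req = urllib.request.Request(acs_url, data=urllib.parse.urlencode(fields).encode())
    with opener.open(acs_req) as resp:
        resp.read()
    return opener


if __name__ == "__main__":
    # Credentials come from the environment, never from the source file.
    login(os.environ["OKTA_SVC_USER"], os.environ["OKTA_SVC_PASSWORD"])
```

The Authn API returns statuses other than `SUCCESS` when the sign-on policy demands more (for example `MFA_REQUIRED`), so the service account needs a policy that allows password-only authentication from the script's network location, and the script should stop rather than try to work around any other status.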