We have developed a client web application (Angular Single Page Application) registered as an SPA application in Okta configured with the mandatory settings for an SPA of Implicit flow and OpenID Connect sign on method.
We want to enable Single Sign On to our application for our external customer using the Okta Sign-In Widget (@okta/okta-signin-widget@2.10.0
, GitHub - okta/okta-signin-widget: Okta SignIn widget that renders the new login/auth/recovery flows).
Our customer has configured a SAML application in Google and we have configurd the Google SAML application as a SAML 2.0 Identity Provider in our Okta instance and have successfully tested the interaction between Google (Identity Provider) and Okta (Service Provider).
We may soon want to use Identity Provider Discovery (currently an Early Access Feature in Okta) to enable use to support a different Identity Provider for each customer, but we are not ready for this yet operationally and at present we only have one customer ready to use the application so right now we only need to provide access to their users and our internal users.
Q: Is use of a SAML IdP via OpenID Connect a supported scenario for a Single Page Application using the Okta Sign-In Widget, and if so, how do we achieve this, and where is that documented?
I believe that the Okta Sign-In Widget must support this, at least internally, since presumably it forms part of the Identity Provider Discovery feature after the relevant Identity Provider has been discovered.
We have followed the guidance in the OpenID Connect configuration section for the Okta Sign-In Widget (GitHub - okta/okta-signin-widget: Okta SignIn widget that renders the new login/auth/recovery flows), specifying the IdP ID of the SAML 2.0 Identity Provider in Okta, and this all appears to work as expected, with customer users assigned to the SAML application confgured in Google able to sign in and access our application, and although it is strange that we have explicitly specified Google as the provider here since it is integrated with Okta as a SAML 2.0 Identity Provider, everything appears to work as expected:
idps: [{type: 'GOOGLE', id: '0oaaix1twko0jyKik0g4'}]
In our SPA Angular application, we are using the following npm packages as our Okta integration setup:
@okta/okta-angular
@okta/okta-auth-js
@okta/okta-signin-widget
We use the OktaCallbackComponent from the okta-angular SDK which expects the okta-oath-redirect-params cookie and when we tried to use the Okta authorize URL via a custom button this cookie is not set so the flow fails once redirected back to our Application:
https:// <your_okta_url> /oauth2/v1/authorize?idp= <IDP_ID> &client_id= <Client ID> &response_type=id_token&response_mode=fragment&scope=openid&redirect_uri=< redirect_url>