I set up a SAML application in OKTA pointing to an external SP, and this works fine when we are manually going through the flow.
- navigate to SP
- redirected to okta login page
- login to okta
- redirected to SP
However, we do not want to explicitly make the user login to the okta page and would rather do this behind the scenes with a service account.
I am using Authentication API to login the service account from our Web Application (behind the scenes, not transparent to user) and then will reach out to our other external SP that supports SAML. So far we have the authn API working just fine, and it returns us a session token.
From there we are having problems using that session token to programmatically establish a SAML SSO session.
The okta docs suggest appending relay state and sessionToken to some arbitrary path. It is unclear if that should be the SP base domain, or something else entirely.
I was expecting that appending these parameters to our external SP's base URL would redirect back to okta, and okta would give our SP a session cookie without having to login again.
What’s happening instead is that after authenticating, appending parameters to SP url and navigating to said URL, we are redirected to the okta login page and have to manually login.
Can someone provide a more concrete example of what the OKTA docs describe below, perhaps with an SP base URL of mysp.com for example? The docs show this, but I am having trouble making sense of it:
GET /home/appwizardsaml_1/0oalkgr25YMb5reZp0g4/alnlkriVMi9J5WYmk0g4?RelayState=%2Fcustom%2Fdeep%2Flink&sessionToken=0HsohZYpJgMSHwmL9TQy7RRzuY HTTP/1.1
Host: your-domain.okta.com
Accept: */*
Referring to documentation at below url:
Using this section:
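As an added example (not code from the poster or from Okta), the following shows how the request quoted from the docs is assembled. Note that in the quoted request the Host is your-domain.okta.com, so the sessionToken and RelayState are appended to the application's embed link on the Okta org, not to the SP's own base URL. The host and embed path below are the placeholder values from the docs snippet; a real deployment would substitute its own org hostname and the embed link of its own SAML app. The RelayState check is an assumption about what a safe relay state looks like (a relative path inside the SP) and is there so the value cannot be abused as an open redirect after login.

```python
from urllib.parse import urlencode, urlunsplit, urlsplit, parse_qs

# Placeholder values taken from the docs snippet quoted above; replace with your own.
OKTA_HOST = "your-domain.okta.com"
EMBED_PATH = "/home/appwizardsaml_1/0oalkgr25YMb5reZp0g4/alnlkriVMi9J5WYmk0g4"


def is_safe_relay_state(relay_state: str) -> bool:
    """Assumed policy: RelayState must be a relative path inside the SP.

    Rejects absolute URLs, protocol-relative URLs ("//host/...") and
    backslash tricks so the value cannot redirect the user off-site.
    """
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return False
    if "\\" in relay_state:
        return False
    parts = urlsplit(relay_state)
    return parts.scheme == "" and parts.netloc == ""


def build_launch_url(okta_host: str, embed_path: str,
                     session_token: str, relay_state: str) -> str:
    """Build the IdP-initiated launch URL shown in the docs excerpt.

    The sessionToken returned by the authn API is single-use and
    short-lived, so it is placed directly in the query string here and
    should not be logged or cached by the web application.
    """
    if not is_safe_relay_state(relay_state):
        raise ValueError("RelayState must be a relative path inside the SP")
    if not session_token:
        raise ValueError("sessionToken from the authn API is required")
    # urlencode percent-encodes "/" as %2F, matching the docs example.
    query = urlencode({"RelayState": relay_state, "sessionToken": session_token})
    return urlunsplit(("https", okta_host, embed_path, query, ""))


def parse_launch_url(url: str) -> dict:
    """Split a launch URL back into host, path and query parameters (for checks/tests)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.netloc, "path": parts.path, "params": params}


if __name__ == "__main__":
    # Constructed sample values from the docs snippet above.
    url = build_launch_url(OKTA_HOST, EMBED_PATH,
                           "0HsohZYpJgMSHwmL9TQy7RRzuY", "/custom/deep/link")
    print(url)
```

The web application would send the browser to the returned URL (for example via an HTTP redirect) rather than requesting it server-side, because the purpose of the request is to set the Okta session in the user's browser before Okta posts the SAML response to the SP.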