Documentation Question: Sessions API - SAML Set Cookie

I set up a SAML application in OKTA pointing to an external SP, and this works fine when we go through the flow manually.

  1. navigate to SP
  2. redirected to okta login page
  3. login to okta
  4. redirected to SP

However, we do not want to explicitly make the user login to the okta page and would rather do this behind the scenes with a service account.

I am using the Authentication API to log in the service account from our Web Application (behind the scenes, not transparent to the user) and then will reach out to our other external SP that supports SAML. So far we have the authn API working just fine, and it returns us a session token.

From there we are having problems using that session token to programmatically establish a SAML SSO session.

The okta docs suggest appending relay state and sessionToken to some arbitrary path. It is unclear if that should be the SP base domain, or something else entirely.

I was expecting that appending these parameters to our external SP's base URL would redirect back to okta, and okta would give our SP a session cookie without having to log in again.

What's happening instead is that after authenticating, appending the parameters to the SP URL and navigating to that URL, we are redirected to the okta login page and have to log in manually.

Can someone provide a more concrete example of what the OKTA docs describe below, perhaps with an SP base URL of mysp.com? The docs show this, but I'm having trouble making sense of it:

GET /home/appwizardsaml_1/0oalkgr25YMb5reZp0g4/alnlkriVMi9J5WYmk0g4?RelayState=%2Fcustom%2Fdeep%2Flink&sessionToken=0HsohZYpJgMSHwmL9TQy7RRzuY HTTP/1.1
Host: your-domain.okta.com
Accept: */*

Referring to the documentation at the URL below:

Using this section:

Initiate SAML SSO with the session token

Hello,
When using your SAML application's embed link, found under the General tab of the application in the Okta Admin dashboard, along with a valid sessionToken it should work:

https://{domain}.okta.com/home/my_aaasaml_2/0oa2hy2tzpp7R1234567/aln2hyakfzv987654321?sessionToken=20111ncMOFwbS-8_6AK-Rs4iElJMz-6hGn0WxMex3l829mCPbAnfoqq

Make sure that your SAML application does not have an application level MFA policy setup. If you are doing this programmatically you may need to follow a couple of redirects, but it should end with a POST (if using POST) to your SAML app with a SAMLResponse and the Okta session cookie should be set.
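As an added illustration (not from this thread and not Okta's own code), the Python below builds the embed-link URL with the sessionToken and a percent-encoded RelayState, then parses the auto-submitting form that the redirect chain ends with and sanity-checks the SAMLResponse it carries. The org domain, the embed-link IDs, the ACS URL and the form HTML are constructed placeholders.

```python
import base64
import re
from html import unescape
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Placeholders, not values from the thread: your org and the app's embed link
# (General tab of the SAML app in the Okta Admin dashboard).
OKTA_ORG = "https://example.okta.com"
EMBED_PATH = "/home/my_aaasaml_2/0oaEXAMPLEAPPID/alnEXAMPLELINKID"


def build_sso_url(session_token, relay_state=None, org=OKTA_ORG, path=EMBED_PATH):
    """Append sessionToken (and an optional RelayState deep link) to the embed link.
    urlencode percent-encodes the deep link: /custom/deep/link -> %2Fcustom%2Fdeep%2Flink."""
    params = {}
    if relay_state:
        params["RelayState"] = relay_state
    params["sessionToken"] = session_token
    return f"{org}{path}?{urlencode(params)}"


_INPUT = re.compile(r'<input[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)


def parse_saml_post_form(html):
    """Pull the form action and hidden fields out of the auto-POST page Okta returns
    once the redirects (followed with a cookie jar in a real client) have finished."""
    fields = {unescape(k): unescape(v) for k, v in _INPUT.findall(html)}
    action = re.search(r'<form[^>]*action="([^"]+)"', html, re.I)
    return {"action": unescape(action.group(1)) if action else None, **fields}


def inspect_saml_response(b64):
    """Decode SAMLResponse and report its root element and Destination so the caller can
    confirm the POST targets the SP's ACS. Signature validation stays with the SP's SAML stack."""
    root = ET.fromstring(base64.b64decode(b64))
    return {"tag": root.tag, "destination": root.get("Destination")}


# Constructed sample of what the end of the redirect chain looks like.
SAMPLE_RESPONSE_XML = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
                       'ID="_example" Version="2.0" Destination="https://mysp.com/saml/acs"/>')
SAMPLE_FORM = ('<form method="POST" action="https://mysp.com/saml/acs">'
               '<input type="hidden" name="SAMLResponse" value="'
               + base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode() + '"/>'
               '<input type="hidden" name="RelayState" value="/custom/deep/link"/></form>')
```

If the chain ends at the Okta login page instead of such a form, the sessionToken was not accepted (expired, already used, or an app-level MFA policy intervened).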

Thank you! By using that URL it now seems to be setting our OKTA session cookie so we are not presented with a login page.

We see a different issue now, in that our RelayState URL seems to be getting ignored and we arrive at the home page of our SP. I will create a new topic for that.
