Generating SAML assertion for a different application

We have two applications configured to use SAML authentication. SSO fo both the applications works properly when accessed through the browser. We have a scenario where application 1 needs to invoke REST APIs on application 2. This was initially done by configuring application 2 to have a OKTA authentication handler using the metadata from the OKTA configuration of application 1. When the user logs in to application 1 using OKTA, the SAML assertion in the response was used to get an access token from application 2 and the API integration used to work.

With a recent update to the application 2, this reuse of the SAML assertion has been disabled to prevent SAML replay attacks. We are now unable to get the token for invoking the REST APIs.

We have been advised to follow the procedure described in the following document to get the SAML assertion for the second application.

Retrieving a session cookie by visiting an application embed link

For doing this, we will have to popup a form for the user to enter his username and password in order to get the session token, which will then be used to invoke the application embed link to get the SAML assertion for application 2.

Following this process will be counter intuitive for single-sign-on. Is there any other approach in which this issue can be resolved?

@pkg For this SAML issue, can you please open a support ticket through an email to with this issue? One of our Tier 2 Support Engineers will take the case and assist you in narrowing down the cause of the issue. Thanks