How to use Okta as SP for SP Initiated SSO

Hi,

We are in the process of setting up SSO via Okta and would like to have our (external) users authenticate with their IdP, which will redirect them to our Okta and finally redirect them to our app after authentication (by our Okta).

To do so we have created an "Identity Provider" under Security per customer, including their certificate, and provided back the ACS URL. This means that each customer has their own ACS URL.

Is this the correct way to set up SSO? How can we then have them do the SP-initiated flow? I understand from the docs that the routing rule that can be used to direct them to their IdP based on their email's domain should not be used if there are 100s of rules, as it is too slow.

There is also a reference in the setup of the Identity Provider to using a "Trust Specific" or "Organisation" Okta Assertion Consumer Service URL. But on selecting the organisation one, no other options appear, and I can't understand how that would work considering that the certificate is supplied by the customer.

Thanks!

  1. Why can't they do the IdP-initiated flow, which will save one hop for them?
  2. If you use an OIDC app in Okta, you can specify an additional parameter idp=<external_IdP_id> during a call to the /authorize endpoint, which will trigger an SP flow from Okta to the respective IdP.

Hi @phi1ipp, thanks for your input!

Re your first point, we intend to use the IdP-initiated flow. I am inquiring partially as part of a sanity check, since if I can't see how to make something as essential as SP-initiated fit with Okta, I figure I must be doing something wrong. And partly because the SP-initiated flow has both security (prevent MITM) and usability benefits.

Regarding point number 2: I was not aware of that actually, thanks! But I can't see how I would make use of it. When the user wants to perform an SP-initiated login, I need to obtain from them (or from their domain) which IdP they are using. The Routing Rules allow for this, but not at scale. Even if I could redirect to the /authorize endpoint with the idp param, I would need to obtain it first.

From reading this, my impression is that we do need a way to delineate the different tenants (and certificates etc.), and Okta seems only to support this via multiple Identity Provider objects. But then it is possible that the Routing Rules are the only mechanism to allow for the SP-initiated flow, and as such an ISV scenario is not supported. I wonder how to get an official statement on whether that is the case.

Any thoughts?
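The two mechanics discussed in this thread, phi1ipp's `idp=<external_IdP_id>` parameter on the OIDC `/authorize` endpoint and the need to first map a user's email domain to an IdP without a per-domain routing rule, are shown together below. This is an added example, not code from the thread or from Okta: the org URL, client id, redirect URI and the IdP object ids in the domain table are constructed placeholders, and the domain-to-IdP table stands in for whatever tenant store an ISV would keep on its own side. Because the thread raises the SP-initiated flow's MITM benefit, the example also binds the login to the initiating browser session with `state`, `nonce` and PKCE and checks `state` on the callback.

```python
"""SP-initiated login URL for Okta's OIDC /authorize endpoint with the idp
parameter. Added example with placeholder identifiers (see lead-in)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample table: email domain -> Okta Identity Provider object id.
# Hypothetical ids; a real deployment keeps this in its own tenant store so
# no per-domain routing rule is needed inside Okta.
DOMAIN_TO_IDP = {
    "customer-a.example": "0oaEXAMPLEIDPA",
    "customer-b.example": "0oaEXAMPLEIDPB",
}

OKTA_ORG = "https://example.okta.com"            # placeholder org URL
CLIENT_ID = "0oaEXAMPLECLIENT"                    # placeholder OIDC app client id
REDIRECT_URI = "https://app.example/callback"     # placeholder, must match the app config


def idp_for_email(email):
    """Return the IdP object id for the user's email domain, or None if unknown."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    return DOMAIN_TO_IDP.get(domain)


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 S256."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def pkce_challenge_matches(verifier, challenge):
    """Check that a challenge was derived from the verifier (what the token endpoint does)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode() == challenge


def build_authorize_url(email, state, nonce, code_challenge):
    """Build the /authorize redirect that pins the external IdP via `idp`.

    Returns None when the domain is not a known tenant, so the caller can show
    a neutral error instead of falling through to Okta's default login."""
    idp = idp_for_email(email)
    if idp is None:
        return None
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,
        "state": state,                 # ties the callback to this browser session
        "nonce": nonce,                 # must reappear in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "idp": idp,                     # the parameter from the thread
    }
    return f"{OKTA_ORG}/oauth2/v1/authorize?{urlencode(params)}"


def authorize_params(url):
    """Parse the query string of a built URL back into a flat dict (for checks)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def verify_callback(callback_url, expected_state):
    """Return the authorization code only if the callback's state matches the
    value stored in the session; otherwise None (login attempt is rejected)."""
    q = authorize_params(callback_url)
    if "code" not in q or not secrets.compare_digest(q.get("state", ""), expected_state):
        return None
    return q["code"]


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    verifier, challenge = pkce_pair()
    print(build_authorize_url("alice@customer-a.example", state, nonce, challenge))
    print(build_authorize_url("mallory@unknown.example", state, nonce, challenge))
```

The login page only has to ask for the email (or take it from a subdomain) and redirect to the returned URL; Okta then starts the SAML SP flow to that one IdP object, so the customer's own certificate and ACS URL configured on that object are what get used. Store `state`, `nonce` and the PKCE verifier server-side with the session before redirecting, and reject any callback whose `state` does not match.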

You are right about both things, but at this time I don't think there is anything Okta can support your requirements with :frowning:

Routing rules or the idp parameter are the only options I know of to start an SP flow. Maybe other/Okta folks can suggest something else to help you with your use case.