Issue when using Okta as a proxy between SAML identity providers and an OIDC application when using ADFS

I am working on a project where we are testing using the Okta platform to allow users to sign on from their respective IDP platforms to our own OIDC-supporting application, with Okta acting as a proxy.

The flow we are using, as documented here, works fine on multiple IDPs tested, except when using ADFS (only tested on ADFS 3.0 so far).

When redirecting back to the ADFS IDP it seems to lose the redirect URL (the OIDC app SSO link) and ends up taking the user to the Okta user dashboard page instead, causing the required flow not to work.

However, if the Okta session is already established and the URL is tried again, the user goes to the right destination, since it is not required to redirect the user back to ADFS for authentication. This, coupled with a packet trace, suggests that ADFS is losing the redirect URL.

Our current thoughts are to cheat and configure the ADFS IDP SSO URL to be one containing a relay state equal to the redirect URL, but this is a bit of a faff as it requires relay state to be enabled in the customer's ADFS (and we have not actually tested whether it works).

Anyone had this issue before or any thoughts to solve it?

Thanks,

James
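The RelayState workaround described in the post, as an added example that is not part of the original thread: the SP side puts the OIDC app SSO link into RelayState on the redirect to the IdP, and on the return leg it only honours RelayState if it points back at its own host, falling back to a default landing page (which is exactly what the user sees when RelayState has been dropped). The `example.okta.com` / `adfs.example` names, paths and the `safe_relay_target` helper are constructed for this example.

```python
"""Added example, not code from the thread: carrying the final destination in
SAML RelayState and validating it on the way back. Hostnames are constructed."""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values; the thread does not give real URLs.
ALLOWED_HOST = "example.okta.com"
DEFAULT_LANDING = "/app/UserHome"   # where the user lands when RelayState is lost


def build_idp_redirect(idp_sso_url: str, saml_request_b64: str, relay_state: str) -> str:
    """HTTP-Redirect binding URL to the IdP; RelayState carries the OIDC app SSO link."""
    query = urlencode({"SAMLRequest": saml_request_b64, "RelayState": relay_state})
    sep = "&" if urlparse(idp_sso_url).query else "?"
    return f"{idp_sso_url}{sep}{query}"


def relay_state_from_acs_post(form_body: str) -> str:
    """Extract RelayState from the IdP's form POST back to the ACS (HTTP-POST binding).
    Returns "" when the IdP did not echo it back, as the thread reports for ADFS."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("RelayState", [""])[0]


def safe_relay_target(relay_state, allowed_host: str = ALLOWED_HOST) -> str:
    """Decide where to send the user after the assertion is accepted.
    RelayState is client-supplied input on the ACS endpoint, so it is only used
    as a redirect target when it is a plain relative path or an https URL on
    our own host; anything else (missing, other host, other scheme, scheme-
    relative '//host') falls back to DEFAULT_LANDING."""
    if not relay_state:
        return DEFAULT_LANDING
    parsed = urlparse(relay_state)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: must start with exactly one forward slash.
        if relay_state.startswith("/") and not relay_state.startswith(("//", "/\\")):
            return relay_state
        return DEFAULT_LANDING
    if parsed.scheme == "https" and parsed.hostname == allowed_host:
        return relay_state
    return DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed round trip: outbound redirect, then a return POST with and without RelayState.
    print(build_idp_redirect("https://adfs.example/adfs/ls/", "UEs=", "/app/my-oidc-app/sso/saml"))
    print(safe_relay_target(relay_state_from_acs_post("SAMLResponse=abc&RelayState=%2Fapp%2Fx")))
    print(safe_relay_target(relay_state_from_acs_post("SAMLResponse=abc")))  # lost -> dashboard
```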

This sounds like a bug or a misconfiguration. Mind shooting us an email at developers@okta.com?

Thanks,
Tom