Login to my SAML application with Salesforce credentials

Can anyone suggest the best way Okta can help me in configuring Salesforce and ABC App (my SAML application) with the below requirements?

  1. Need SP-initiated login flow for ABC App.
  2. When a non-authenticated user enters ABC App URL in the browser, the user should be directed to any login page served by either Okta/Salesforce and should be authenticated with existing Salesforce credentials.
  3. User login/logout in Salesforce should also login/logout from ABC application.

I have been trying this for so long by now. No luck yet. Things I have done are listed below.

  1. Integrated Salesforce as a SAML application in Okta.
  2. Completed User Provisioning from SAML to Okta and activated these users in Okta.
  3. Created an Okta SAML Application for my ABC App.
  4. Assigned the users imported from Salesforce to ABC App in Okta.

But with this configuration, I am not able to authenticate my users by using a Salesforce password. Instead, I have to use the Okta password.

Am I going in the wrong direction? Please do help me with this.

SAML integration isn’t supposed to use passwords. Instead, it relies on trusted assertions sent by an identity provider.

You need to integrate your ABC App with Salesforce, and Salesforce will be an identity provider for your app. Google for “Salesforce as Identity Provider”. Not sure which role you leave for Okta, but in case you need it for whatever, you can integrate Okta with Salesforce, where in Okta you’d create an External Identity Provider for Salesforce (rather than an application, like you have now).
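An added example, not part of the original thread: what the SP-initiated flow from requirement 1 puts on the wire when the app relies on an IdP assertion instead of collecting a password. It builds a SAML 2.0 AuthnRequest and encodes it for the HTTP-Redirect binding; the IdP URL, entity ID and ACS URL are placeholder assumptions to be replaced with values from the real IdP and SP metadata.

```python
import base64, datetime, uuid, zlib
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

# Assumed placeholder values (not from the thread).
IDP_SSO_URL = "https://idp.example.com/idp/endpoint/HttpRedirect"
SP_ENTITY_ID = "https://abc-app.example.com/saml/metadata"
SP_ACS_URL = "https://abc-app.example.com/saml/acs"

def build_authn_request(request_id, issue_instant):
    """Return the AuthnRequest XML. Note that it carries no user credentials."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )

def redirect_url(relay_state):
    """Build the URL the SP redirects an unauthenticated browser to."""
    # The SP stores this ID in the session and later requires the
    # response's InResponseTo to match it.
    request_id = "_" + uuid.uuid4().hex
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(request_id, now)
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    # RelayState should be a local path the SP validates again on return.
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return request_id, f"{IDP_SSO_URL}?{query}"

def decode_saml_request(url):
    """Reverse the encoding, as the IdP would, to inspect what was sent."""
    params = parse_qs(urlparse(url).query)
    raw = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    return ET.fromstring(raw), params["RelayState"][0]

if __name__ == "__main__":
    rid, url = redirect_url("/dashboard")
    root, relay = decode_saml_request(url)
    print(rid, relay, root.get("Destination"))
```

The IdP authenticates the user with its own credentials and posts a signed assertion to the ACS URL; the SP must verify that signature against the IdP certificate before trusting it.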

Thank you very much for the response @phi1ipp. Looks like this is what I have to configure: adding Salesforce as an IdP and then mapping my ABC application in the Identity Providers > Routing rules section of this new Salesforce IdP. So by this, out of all the applications that I have in the Okta console, I can allow the use of the Salesforce IdP only while accessing the ABC application.
