Okta as a SAML to OpenID connect bridge

santoshdas1984 · July 26, 2019, 11:08am

I have a scenario that has an IDP(IDP-A) that is an open id connect provider and doesn’t support SAML based SSO
and an APP(APP-A) that supports SAML SSO and is not open id connect compliant.

Now the question is can Okta help in acting as a bridge and help in orchestrating the SSO?

APP-A sends a SAML request to Okta
Okta processes the SAML request and initiates an openid connect request to IDP-A
IDP-A issues ID token, Okta processes the ID token and gets user info, then exchanges the ID token with a SAML token and returns the SAML token to Assertion consumer service of the APP-A.
App-A processes the token and logs the user in.

Is this something possible using Okta?

dragos · July 29, 2019, 2:19am

Hi @santoshdas1984

Yes, this is possible. There are two main steps that need to be done here: configuring the SAML app to connect to APP-A and configuring the OIDC IDP in Okta for IDP-A.

Configure first the SAML application in order to be able to SSO successfully in APP-A using the guide available here. Once this is done, copy the Embed Link that is available under “General” tab (it looks something like https://company.okta.com/home/org_saml_app_1/0oa22vp8gfvmFQ7Dc2p7/aln22vsfl2OHm163M2p7).

After that, please take the following steps to configure the OIDC IDP:

1 In your IDP, you will need to have an OIDC application that has a client ID and client secret in order for Okta to do authorization code flow
2 In Okta, you will need to set up the following
2.1 An OIDC web application that has login redirect URI set to the SAML Embed URL and assign your user to it (you can follow the steps from here to create the OIDC app)
2.2 An OIDC IDP with the following settings:

Name: Any name that you would like to use for the OIDC IdP
Client ID: the client ID from the IDP that you got at step 1
Client Secret: the client secret from the IDP that you got at step 1
Issuer: the issuer for the IDP (eg. “https://idp-a.com”)
Authorization endpoint: the authorization endpoint for the IDP’s authorization server (eg. “https://idp-a.com/oauth2/v1/authorize”)
Token endpoint: the token endpoint for the IDP’s authorization server (eg. “https://idp-a.com/oauth2/v1/token”)
JWKS endpoint: the keys endpoint for the IDP’s authorization server (eg. “https://idp-a.com/oauth2/v1/keys”)
Userinfo endpoint (optional): the userinfo endpoint for the IDP’s authorization server (eg. “https://idp-a.com/oauth2/v1/userinfo”)

2.3 Once the IDP is configured in Okta, please expand the section and copy the “Redirect URI” (it looks something like “https://dev-123456.oktapreview.com/oauth2/v1/authorize/callback”)
2.4 Copy this redirect URI and add it in your IDP OIDC app created at step 1 in the redirect uri section
2.5 Access the login page on your Okta org with a link like the following:

https://{yourOktaDomain}/oauth2/v1/authorize?idp={idp}&client_id={clientId}&response_type=code&response_mode=query&scope=openid+profile+email&redirect_uri={redirectUri}&state=abc&nonce=abc

where

${yourOktaDomain} is your current Okta domain (eg. company.okta.com)
${idp} is the IDP ID created at step 2.2 (you can expand the IDP and see “IdP ID”, it should look something like “0oakimanxklDGwQic0h7”)
${clientId} is the client id of the application created at step 2.1
${redirectUri} is the redirect uri of the application configured at step 2.1, the SAML Embed URL

To automatize the process of logging in via the OIDC IdP, you can leverage the routing rules to redirect all users that access APP-A to IDP-A.

dattatraya11 · February 17, 2020, 7:24pm

Dragos
Continuing the discussion from Okta as a SAML to OpenID connect bridge:

I have an exact opposite scenario where I have a SP which uses OIDC and while Okta is bridge, the IDP is using SAML. I am sure similar can be achieved but if you can suggest and outline then that would be great; Okta also needs to add few enrichments so will be using inline hook to update the id-token before sending it back to the SP.

Thanks for your response.

dragos · February 18, 2020, 4:56am

Hi @dattatraya11

You can set up the SAML identity provider in Okta under Admin >> Security >> Identity Providers (or Admin >> Users >> Social & Identity Providers if using the Developer Console). You can find here the guide to set up the SAML identity provider.

When sending the SAML response to Okta from the identity provider, the RelayState sent needs to be the link to the authorization endpoint, containing all the query parameters for a successful OIDC flow.

isnp · February 25, 2021, 5:09pm

For OIDC to SAML, can you please provide directions with exact details? For example, the answer above has very clear instructions for SAML to OIDC, but it’s not clear how to do OIDC to SAML. Please provide clear, line-item instructions.

system · March 29, 2021, 5:40pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.