Okta as a SAML to OpenID connect bridge

Hi @santoshdas1984

Yes, this is possible. There are two main steps that need to be done here: configuring the SAML app to connect to APP-A and configuring the OIDC IDP in Okta for IDP-A.

First, configure the SAML application so that you can SSO successfully into APP-A, using the guide available here. Once this is done, copy the Embed Link available under the “General” tab (it looks something like https://company.okta.com/home/org_saml_app_1/0oa22vp8gfvmFQ7Dc2p7/aln22vsfl2OHm163M2p7).

After that, please take the following steps to configure the OIDC IDP:

1. In your IDP, you will need to have an OIDC application that has a client ID and client secret in order for Okta to do the authorization code flow.
2. In Okta, you will need to set up the following:
   2.1 An OIDC web application that has its login redirect URI set to the SAML Embed URL, and assign your user to it (you can follow the steps from here to create the OIDC app).
   2.2 An OIDC IDP with the following settings:

   2.3 Once the IDP is configured in Okta, expand the section and copy the “Redirect URI” (it looks something like “https://dev-123456.oktapreview.com/oauth2/v1/authorize/callback”).
   2.4 Add this redirect URI to the IDP OIDC app created at step 1, in the Redirect URI section.
   2.5 Access the login page on your Okta org with a link like the following:

https://{yourOktaDomain}/oauth2/v1/authorize?idp={idp}&client_id={clientId}&response_type=code&response_mode=query&scope=openid+profile+email&redirect_uri={redirectUri}&state=abc&nonce=abc

where

  • {yourOktaDomain} is your current Okta domain (e.g. company.okta.com)
  • {idp} is the IDP ID created at step 2.2 (you can expand the IDP and see “IdP ID”; it should look something like “0oakimanxklDGwQic0h7”)
  • {clientId} is the client ID of the application created at step 2.1
  • {redirectUri} is the redirect URI of the application configured at step 2.1, i.e. the SAML Embed URL

To automate the process of logging in via the OIDC IdP, you can leverage the routing rules to redirect all users that access APP-A to IDP-A.

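As an added example (not part of the post above or of Okta's own code), the following builds the step 2.5 authorize URL from its placeholders and validates the query-mode callback that arrives at the SAML Embed Link. The Embed Link and IdP ID are the ones quoted in the post; the client ID and authorization code are constructed sample values, and state/nonce default to random values instead of the fixed "abc" the post uses for illustration.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Values quoted in the post (Embed Link of the SAML app, IdP ID of the OIDC IDP).
EMBED_LINK = "https://company.okta.com/home/org_saml_app_1/0oa22vp8gfvmFQ7Dc2p7/aln22vsfl2OHm163M2p7"
IDP_ID = "0oakimanxklDGwQic0h7"
CLIENT_ID = "0oaEXAMPLEclientid0h7"  # constructed placeholder for the step 2.1 app's client ID


def build_authorize_url(okta_domain, idp_id, client_id, redirect_uri, state=None, nonce=None):
    """Fill in the {yourOktaDomain}/{idp}/{clientId}/{redirectUri} placeholders from step 2.5.

    A fresh, unguessable state and nonce are generated when none are given; the caller
    must remember the state to compare it against the callback (see check_callback).
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "idp": idp_id,
        "client_id": client_id,
        "response_type": "code",
        "response_mode": "query",
        "scope": "openid profile email",   # urlencode renders this as openid+profile+email
        "redirect_uri": redirect_uri,      # the SAML Embed Link registered on the OIDC web app
        "state": state,
        "nonce": nonce,
    }
    return f"https://{okta_domain}/oauth2/v1/authorize?" + urlencode(params), state, nonce


def check_callback(callback_url, expected_state, expected_redirect_uri):
    """Validate a response_mode=query callback.

    Returns (code, None) on success or (None, reason) when the callback must be rejected:
    wrong destination, state mismatch (CSRF/replay), an error response, or no code.
    """
    parts = urlsplit(callback_url)
    destination = parts._replace(query="", fragment="").geturl()
    if destination != expected_redirect_uri:
        return None, "callback did not arrive at the registered redirect URI"
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        return None, "state mismatch"
    if "error" in query:
        return None, "IdP returned error: " + query["error"][0]
    code = query.get("code", [None])[0]
    if not code:
        return None, "no authorization code in callback"
    return code, None
```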