Okta as SAML IdP, while delegating auth to other IdP

I have an application that uses SAML with Okta for authentication; in this context, Okta is the IdP and my application is the SP. At the same time, I also want Okta to be the SP to other federated IdPs, where the other IdP is determined dynamically at runtime.

Illustration:

Application <----[SAML]----> Okta <----[SAML]----> Other IDP

I think you can do something like that with OIDC between application and Okta, where you can specify an idp argument on the URL: /oauth/authorize?idp=xxx
Is there a way to do this for SAML as well?

@wrschneider did you find an answer to this? It seems like it should be possible, but I’ve not been able to figure it out.

I think I found a solution.

The IdP metadata for Okta specifies that the SAML login URL for a particular application is something like

https://{myOktaDomain}.com/app/:app-location/:appId/sso/saml

From the documentation about SAML deep linking, it looks like there is also a way to specify an IdP in a longer form of the URL:

https://{myOktaDomain}.com/sso/saml2/:idpId/app/:app-location/:appId/sso/saml

where :idpId is the ID of the third-party/federated identity provider as configured in Okta.

See: https://developer.okta.com/docs/api/resources/idps#redirecting-with-saml-deep-links
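Added example (not from the original post, not Okta's code): a Python helper that builds both URL forms quoted above and, going one step beyond the thread, wraps an unsigned SP-initiated AuthnRequest in the SAML HTTP-Redirect binding so an SP can send the login to a specific federated IdP. The domain, app-location, app ID, IdP ID and SP URLs used with it are constructed placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape


def okta_saml_login_url(okta_domain, app_location, app_id, idp_id=None):
    """Okta SAML login URL: default form, or (with idp_id) the deep-link form
    that routes the login through the federated IdP configured in Okta."""
    base = f"https://{okta_domain}"
    if idp_id:
        base += f"/sso/saml2/{idp_id}"
    return f"{base}/app/{app_location}/{app_id}/sso/saml"


def redirect_binding_url(login_url, sp_entity_id, acs_url, relay_state=None):
    """Wrap a minimal, unsigned SP-initiated AuthnRequest in the HTTP-Redirect
    binding: raw DEFLATE, base64, then URL-encoded as SAMLRequest (SAML 2.0
    bindings). An IdP requiring signed requests also needs SigAlg/Signature."""
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    request_id = "_" + uuid.uuid4().hex  # xs:ID must not start with a digit
    acs_attr = escape(acs_url, {'"': "&quot;"})
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_attr}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE
    deflated = deflater.compress(authn_request.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{login_url}?{urlencode(params)}"


def decode_saml_request(url):
    """Inverse of the encoding above: recover the AuthnRequest XML from a URL."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()
```

Use `decode_saml_request` on the URL your SP emits to confirm the request reaches Okta's deep-link endpoint intact before debugging a 500 on the IdP side.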

Thanks for your reply! Were you able to get this to work? I get an error 500 from it.

Yes. Are you able to get the default SAML redirect URL to work first?
