I have an application that uses SAML with Okta for authentication; in this context, Okta is the IdP and my application is the SP. At the same time, I also want Okta to be the SP to other federated IdPs, where the other IdP is determined dynamically at runtime.
Illustration:
Application <----[SAML]----> Okta <----[SAML]----> Other IDP
I think you can do something like that with OIDC between application and Okta, where you can specify an idp argument on the URL: /oauth/authorize?idp=xxx
Is there a way to do this for SAML as well?
@wrschneider did you find an answer to this? It seems like it should be possible, but I’ve not been able to figure it out.
I think I found a solution.
The IdP metadata for Okta specifies that the SAML login URL for a particular application is something like
https://{myOktaDomain}.com/app/:app-location/:appId/sso/saml
From the documentation about SAML deep linking, it looks like there is also a way to specify an IdP in a longer form of the URL:
https://{myOktaDomain}.com/sso/saml2/:idpId/app/:app-location/:appId/sso/saml
where :idpId is the ID of the third-party/federated identity provider as configured in Okta.
See: https://developer.okta.com/docs/api/resources/idps#redirecting-with-saml-deep-links
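As an added illustration of the two URL forms above (this is example code, not from the thread or from Okta): since the target IdP is chosen at runtime, the application should resolve the runtime selector against a fixed allowlist of configured IdP IDs rather than placing a caller-supplied value into the path. The domain, app location, app ID and IdP IDs below are constructed placeholders, not real Okta identifiers.

```python
from urllib.parse import quote, urlsplit

# Constructed example values; replace with the Okta domain, app location,
# app ID and IdP IDs from your own Okta tenant.
OKTA_DOMAIN = "example.okta.com"
APP_LOCATION = "exampleapp"       # the :app-location segment from the app's SSO URL
APP_ID = "0oaexampleappid"        # the :appId segment from the app's SSO URL

# Allowlist of federated IdPs this SP is willing to route to, keyed by the
# runtime selector (e.g. the customer's tenant) that the application knows.
ALLOWED_IDPS = {
    "acme": "0oaexampleidp1",
    "globex": "0oaexampleidp2",
}


def default_sso_url() -> str:
    """Plain SP-initiated SAML login URL for the app (no IdP selection)."""
    return f"https://{OKTA_DOMAIN}/app/{APP_LOCATION}/{APP_ID}/sso/saml"


def deep_link_sso_url(tenant: str) -> str:
    """Build the SAML deep-link URL that routes the login through one federated IdP.

    The idpId comes from a static allowlist, so a value supplied at runtime
    (query parameter, hostname, etc.) can never inject an arbitrary path
    segment into the redirect URL.
    """
    try:
        idp_id = ALLOWED_IDPS[tenant]
    except KeyError:
        raise ValueError(f"unknown tenant {tenant!r}; refusing to build redirect")
    # quote(..., safe="") percent-encodes '/' and '?' too, so even a
    # misconfigured allowlist entry cannot change the URL's path structure.
    return (
        f"https://{OKTA_DOMAIN}/sso/saml2/{quote(idp_id, safe='')}"
        f"/app/{quote(APP_LOCATION, safe='')}/{quote(APP_ID, safe='')}/sso/saml"
    )


def is_on_okta_host(url: str) -> bool:
    """Final check before redirecting the browser: target must be our Okta tenant over HTTPS."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc == OKTA_DOMAIN


if __name__ == "__main__":
    print(default_sso_url())
    print(deep_link_sso_url("acme"))
```

Get the default URL working first, then switch the redirect to the deep-link form; if the deep link fails while the default succeeds, the idpId or the app path segments are the first things to check.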
Thanks for your reply! Were you able to get this to work? I get an error 500 from it.
Yes. Are you able to get the default SAML redirect URL to work first?