Okta as SAML IdP, while delegating auth to other IdP

I have an application that uses SAML with Okta for authentication; in this context, Okta is the IdP and my application is the SP. At the same time, I also want Okta to be the SP to other federated IdPs, where the other IdP is determined dynamically at runtime.

Illustration:

Application <----[SAML]----> Okta <----[SAML]----> Other IDP

I think you can do something like that with OIDC between application and Okta, where you can specify an idp argument on the URL: /oauth/authorize?idp=xxx
Is there a way to do this for SAML as well?

@wrschneider did you find an answer to this? It seems like it should be possible, but I’ve not been able to figure it out.

I think I found a solution.

The IdP metadata for Okta specifies that the SAML login URL for a particular application is something like

https://{myOktaDomain}.com/app/:app-location/:appId/sso/saml

From the documentation about SAML deep linking, it looks like there is also a way to specify an IdP in a longer form of the URL:

https://{myOktaDomain}.com/sso/saml2/:idpId/app/:app-location/:appId/sso/saml

where :idpId is the ID of the third-party/federated identity provider as configured in Okta.

See: https://developer.okta.com/docs/api/resources/idps#redirecting-with-saml-deep-links
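As an added example (not code from the thread, from Okta, or from the linked documentation), here is a small Python helper that builds both URL shapes quoted above and parses either one back into its parts, so an SP or an audit job can tell which federated IdP a login was routed through. The domain, app location, app id and idp id are constructed placeholders, and the path-segment check is an assumption added here to keep caller-supplied ids from escaping their segment.

```python
"""Build and parse Okta SAML login URLs in the two shapes quoted in the thread:
the default per-application URL and the deep-link form that names a federated
IdP. Added example; the domain and the app/IdP identifiers below are
constructed placeholders, not real Okta values."""
import re
from urllib.parse import urlsplit

# Constructed sample values, not real Okta identifiers.
SAMPLE_OKTA_DOMAIN = "example.okta.com"
SAMPLE_APP_LOCATION = "myapp"
SAMPLE_APP_ID = "0oaAPPxxxxxxxxxxxx"
SAMPLE_IDP_ID = "0oaIDPxxxxxxxxxxxx"

# One URL path segment: letters, digits, '_', '.', '-'; no '/', '?', '#' or whitespace.
_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")


def _segment(name, value):
    """Reject values that would escape their path segment (e.g. '../x' or 'x?y')."""
    if value in (".", "..") or not _SEGMENT.match(value):
        raise ValueError(f"{name} must be a single URL path segment, got {value!r}")
    return value


def saml_login_url(okta_domain, app_location, app_id):
    """Default SAML login URL, as published in the application's IdP metadata."""
    return "https://{}/app/{}/{}/sso/saml".format(
        _segment("okta_domain", okta_domain),
        _segment("app_location", app_location),
        _segment("app_id", app_id),
    )


def saml_deep_link_url(okta_domain, idp_id, app_location, app_id):
    """Deep-link form: Okta sends the user to the federated IdP idp_id first,
    then issues the SAML assertion to the application."""
    return "https://{}/sso/saml2/{}/app/{}/{}/sso/saml".format(
        _segment("okta_domain", okta_domain),
        _segment("idp_id", idp_id),
        _segment("app_location", app_location),
        _segment("app_id", app_id),
    )


# Path pattern covering both forms; the /sso/saml2/<idpId> prefix is optional.
_PATH = re.compile(
    r"^(?:/sso/saml2/(?P<idp_id>[^/]+))?"
    r"/app/(?P<app_location>[^/]+)/(?P<app_id>[^/]+)/sso/saml$"
)


def parse_saml_login_url(url):
    """Return {'okta_domain', 'idp_id', 'app_location', 'app_id'} for either
    URL form; idp_id is None for the default form. Raises ValueError for
    anything that is not an https URL in one of the two shapes."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("expected an https Okta URL")
    match = _PATH.match(parts.path)
    if match is None:
        raise ValueError(f"not an Okta SAML login URL path: {parts.path!r}")
    # groupdict() yields idp_id=None when the optional prefix is absent.
    return {"okta_domain": parts.netloc, **match.groupdict()}


if __name__ == "__main__":
    default_url = saml_login_url(SAMPLE_OKTA_DOMAIN, SAMPLE_APP_LOCATION, SAMPLE_APP_ID)
    deep_url = saml_deep_link_url(
        SAMPLE_OKTA_DOMAIN, SAMPLE_IDP_ID, SAMPLE_APP_LOCATION, SAMPLE_APP_ID
    )
    print(default_url)
    print(deep_url)
    print(parse_saml_login_url(deep_url))
```

Because the idp id ends up in a URL path, anything that picks it at runtime (a query parameter, a tenant lookup) should pass through a check like `_segment` before the redirect is issued; the parser is the matching piece for logs, where the presence or absence of the `/sso/saml2/<idpId>` prefix records whether a given login went through a federated IdP.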

Thanks for your reply! Were you able to get this to work? I get an error 500 from it.

Yes. Are you able to get the default SAML redirect URL to work first?