Okta redirecting to partner IdP initiated SSO url on session expiry

Handling IdP-Initiated SSO Redirection After Session Timeout

Background

  • We have integrated with a partner Identity Provider (IdP) that only supports IdP-initiated SSO
  • Okta is our Service Provider (SP) and supports IdP-initiated SSO
  • Users currently access SP applications without seeing Okta login pages

Current Setup

  • SP applications manage their own sessions (with Okta session as primary)
  • IdP-init SSO URL is available in:
    • Incoming SAML assertion
    • Stored in the Okta user profile

Challenge

When both Okta and SP application sessions timeout, we need to handle user redirection gracefully.

Current Flow

  1. User attempts to access SP application (after a coffee break)
  2. SP detects no active session
  3. User is redirected to Okta sign-in page
  4. User enters username
  5. ✗ Process breaks here, as the IdP doesn’t support SP-initiated SSO

Question

Is there a way to implement graceful redirection to the IdP-init URL when both sessions have expired? Looking for best practices or recommended approaches to handle this scenario.

Additional Context

  • Partner IdP does not support SP-initiated SSO
  • Need to maintain seamless user experience

Thanks!

Would this work as a proper solution? Let’s say that in the Okta sign-in widget I hook into the onReady event, which would read ‘idp_initiated_sso_url’ from a cookie and redirect the user to it. I could define a REST API to add the cookie to the browser when the user first authenticates and remove it on logout.

Snippet below

const onReady = oktaContext => {
    // Prefix with "; " so the first cookie is matched the same way as the others
    const value = `; ${document.cookie}`;
    const parts = value.split(`; idp_initiated_url=`);

    // Exactly two parts means the cookie is present (once)
    if (parts.length === 2) {
        // Take everything after "=" up to the next ";" and URL-decode it
        const idpInitiatedSSOUrl = decodeURIComponent(parts.pop().split(';').shift());
        console.log('IdP cookie found, redirecting...');
        window.location.href = idpInitiatedSSOUrl;
    }
};
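The snippet above sends the browser to whatever the cookie contains. Since a non-HttpOnly cookie can be written by any script on the site (or, depending on the cookie's domain scope, by a sibling subdomain), that turns the widget into an open redirect unless the value is checked first. Below is an added example, not code from the original post, that keeps the same cookie-plus-onReady wiring but only redirects when the value parses as an https URL whose origin is on an allowlist of partner IdP origins. The cookie name, the allowlist entry and the helper names are assumptions for illustration.

```javascript
// Added example: validate the IdP-initiated SSO URL read from a cookie before
// redirecting. Cookie name and allowlist entry are hypothetical.

// Origins the widget may redirect to. In practice this is the partner IdP's
// IdP-initiated SSO host; the value here is a placeholder.
const ALLOWED_IDP_ORIGINS = new Set([
  "https://idp.partner.example",
]);

// Parse a document.cookie-style string ("a=1; b=2") into a Map.
// Values are URL-decoded; a malformed value is skipped rather than thrown.
function parseCookies(cookieString) {
  const cookies = new Map();
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const rawValue = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      cookies.set(name, decodeURIComponent(rawValue));
    } catch {
      // bad percent-encoding: ignore this cookie
    }
  }
  return cookies;
}

// Return the redirect target if the cookie holds an absolute https URL on an
// allowlisted origin; otherwise return null so the widget falls back to its
// normal sign-in flow. Pure function so it can be unit-tested without a DOM.
function resolveIdpRedirect(cookieString, allowedOrigins = ALLOWED_IDP_ORIGINS) {
  const raw = parseCookies(cookieString).get("idp_initiated_url");
  if (!raw) return null;

  let url;
  try {
    url = new URL(raw); // relative paths and garbage throw here
  } catch {
    return null;
  }

  // Reject javascript:, data:, http: and anything not on the allowlist.
  if (url.protocol !== "https:") return null;
  if (!allowedOrigins.has(url.origin)) return null;
  return url.href;
}

// Sign-in widget hook (browser only). Same shape as the original onReady,
// but the redirect happens only after validation.
function onReady(oktaContext) {
  const target = resolveIdpRedirect(document.cookie);
  if (target) {
    window.location.href = target;
  }
}
```

Matching on `url.origin` rather than a string prefix is what closes the usual bypasses (`https://idp.partner.example.evil.example`, userinfo tricks like `https://idp.partner.example@evil.example`), because `URL` normalises the origin before the comparison. The cookie still has to be readable by script, so it cannot be HttpOnly; set it with Secure and SameSite, and treat the allowlist as the real control.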