Hi,
I am trying to automate the Okta SAML integration for an app. I am able to create the SSO app succesfully using the api/v1/apps endpoint. However, the response does not include the IDP SSO URL, and the IDP Issuer URL.
Where can I retrieve this data without going through the UI?
Thanks,
One way is to grab from XML, if you hit https://your_okta_domain/app/your_app_id/sso/saml/metadata
Maybe people can suggest something else to get those values directly. But to be honest, they always follow the same rule:
where your_app_name = application name from API call for your_app_id
here’s what we do with Ruby
like @phi1ipp mentioned, you can grab the metadata. I then use a library from onelogin to parse out the xml into a Hash
# frozen_string_literal: true
require 'oktakit'
require 'ruby-saml'
module Osso
class OktaConfiguration
attr_accessor :client, :identity_provider
def self.perform(args)
new(**args).perform
end
def initialize(access_token: ENV['OKTA_ACCESS_TOKEN'], identity_provider:)
@identity_provider = identity_provider
@client = Oktakit.new(access_token: access_token, organization: 'dev-162024')
end
def perform
app = create_app
assign_user(app)
configure_identity_provider(app)
end
private
def configure_identity_provider(app)
metadata, status = client.preview_saml_metadata_for_application(app[:id], { content_type: 'application/xml', accept: 'application/xml'})
idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
settings = idp_metadata_parser.parse_to_hash(metadata)
# { :idp_cert => '', :idp_sso_target_url => '' }
identity_provider.update(
sso_url: settings[:idp_sso_target_url],
sso_cert: settings[:idp_cert]
)
end
def assign_user(app)
user = client.get_user('me')&.first
client.assign_user_to_application_for_sso(app[:id], { id: user[:id]})
end
def create_app
response = client.add_application(
label: 'Custom SAML via API',
signOnMode: 'SAML_2_0',
"visibility": {
"autoSubmitToolbar": false,
"hide": {
"iOS": false,
"web": false
}
},
"settings": {
"signOn": {
"defaultRelayState": "",
"ssoAcsUrl": identity_provider.acs_url,
"idpIssuer": "http://www.okta.com/${org.externalKey}",
"audience": identity_provider.sso_issuer,
"recipient": identity_provider.acs_url,
"destination": identity_provider.acs_url,
"subjectNameIdTemplate": "${user.userName}",
"subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"responseSigned": true,
"assertionSigned": true,
"signatureAlgorithm": "RSA_SHA256",
"digestAlgorithm": "SHA256",
"honorForceAuthn": true,
"authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"spIssuer": nil,
"requestCompressed": false,
"attributeStatements": [
{
"type": "EXPRESSION",
"name": "id",
"namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
"values": [
"user.id"
]
},
{
"type": "EXPRESSION",
"name": "email",
"namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
"values": [
"user.email"
]
}
],
"allowMultipleAcsEndpoints": false,
"acsEndpoints": []
}
}
)
Array(response).flatten.first # returns an array for some reason
rescue => e
puts e
end
end
end
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.