Okta sign-in widget does not complete sign-in after authentication with IDP

We are using the Okta Sign-in Widget with the OIDC Authorization Code flow, and we have enabled the IDP Discovery feature. In the Okta Console, we have configured an IDP Routing Rule to redirect certain usernames to authenticate via an Azure AD IDP. We have tested the connection and the routing rule works correctly when we sign in directly to the Okta console; however, when we use the widget in our own app the authentication workflow never completes, and instead it redirects back to our login screen at the start of the transaction. From what I can see, the following steps are happening:

  1. User navigates to our app login screen and enters their username
  2. Okta performs IDP discovery and redirects the browser to the Azure AD authn page with a SAMLRequest
  3. User enters their credentials on Azure AD
  4. Azure AD authenticates user and redirects the browser back to Okta’s SAML ACS URL with a SAMLResponse
  5. Okta verifies the SAMLResponse successfully
    • When we do this on the Okta console, after it is verified the user is successfully authenticated to the console
    • When we do this on our app, the browser is redirected from our Okta org URL back to our app,
      but the redirect does not contain any authorization code, so we are unable to authenticate the user.

Are there any other configuration requirements to enable a successful SSO workflow using the Sign-in Widget? It looks like perhaps the redirectUri parameter is not being used by Okta, but this parameter seems to work when we use the widget for primary authentication.

Any follow up regarding this issue?
I’m facing a similar problem using the Okta Sign In widget with the Authorization Code flow where the user is redirected to our Okta org portal instead of our application.

I managed to get the user redirected back to our app by passing idpDiscovery.requestContext (https://support.okta.com/help/s/article/Relay-state-lost-when-using-IDP-Discovery-in-Sign-In-widget?language=en_US) in the widget config with the redirectURI, but no authorization code is embedded in the redirect, which prevents us from authenticating the user.

What are you setting the requestContext to?

Since IDP Discovery will handle creating the user’s session in Okta, the location you send the user to will need to handle SSO into your application by making the authorize request for an already logged in (to Okta) user.