Passing information from an IDP to a Token Inline hook

What’s the best way to pass information from an external SAML IDP into a Token inline hook?

The most obvious way is for the IDP to set a SAML claim that can be somehow passed onto the hook, but that doesn’t seem to be supported unless it’s a new profile.

Is there an Okta recommended approach for this?
If not, is there any information that both the IDP and the token hook get?

thanks!

Is the goal to get information from the SAML IdP available in a token issued to an OIDC application?

You could look to map the value from the SAML IdP (you may need to update the Profile Editor for the IdP to get it mapped in, as discussed here) into the Okta User Profile, and from there, map that value into a claim in your custom authorization server.
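The route above, carried into hook code as an added example (not Okta's code and not anything posted in this thread): a token inline hook handler that checks the shared-secret header Okta sends, reads the user profile attribute that the IdP-to-profile mapping populated, and patches it into the ID and access tokens. The attribute name `idpSessionTag`, the claim name `idp_tag`, the header value and the sample request are assumptions; the command types are Okta's documented `com.okta.identity.patch` and `com.okta.access.patch`.

```python
import hmac

# Constructed shared secret; Okta sends it in the header configured on the
# inline hook (assumed here to be the "Authorization" header).
HOOK_AUTH_HEADER_VALUE = "example-shared-secret"


def is_authorized(headers):
    """Constant-time comparison of the hook's shared-secret header."""
    sent = headers.get("Authorization", "")
    return hmac.compare_digest(sent, HOOK_AUTH_HEADER_VALUE)


def build_token_hook_response(hook_request, profile_attr="idpSessionTag"):
    """Return the commands body for a token inline hook response.

    Reads `profile_attr` from data.context.user.profile (the attribute the
    IdP-to-Okta profile mapping filled in; the name is an assumption) and
    copies it into both the ID token and the access token as claim
    `idp_tag`. Returns {} when the attribute is absent, so Okta issues the
    tokens unchanged.
    """
    context = hook_request.get("data", {}).get("context", {})
    profile = context.get("user", {}).get("profile", {})
    value = profile.get(profile_attr)
    if not value:
        return {}
    op = {"op": "add", "path": "/claims/idp_tag", "value": value}
    return {
        "commands": [
            {"type": "com.okta.identity.patch", "value": [op]},
            {"type": "com.okta.access.patch", "value": [op]},
        ]
    }


# Constructed slice of a token inline hook request, for a stand-alone run.
SAMPLE_REQUEST = {
    "eventType": "com.okta.oauth2.tokens.transform",
    "data": {"context": {"user": {
        "id": "00u-example",
        "profile": {"login": "jane@example.com", "idpSessionTag": "abc123"},
    }}},
}

if __name__ == "__main__":
    if is_authorized({"Authorization": HOOK_AUTH_HEADER_VALUE}):
        print(build_token_hook_response(SAMPLE_REQUEST))
```

A real deployment would reject any request whose header check fails with an HTTP 401 before touching the body.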

Thanks Andrea, but no…I need to get information from my IDP to the Token Inline Hook. The Token hook will update the token before it’s sent back to the user. After more research, I think that I need to use a SAML hook.

That way I could add claims to the SAML response in my IDP, then update the token before it goes to the Inline hook.

Right?

In order to pass information along to your application/token inline hook, you’ll need to route this information into Okta.

In my earlier response, I gave an example where the SAML IdP contained user profile information that is needed within the target OIDC application. Is that the kind of information you need to pass from your IdP into the token inline hook?

If not, maybe you can provide more details about what you’re working on. E.g. Users need to log into Okta through IdP X so they can access Application Y, where Application Y needs Z.

Thanks Andrea.

The IDP generates a ‘unique string’ that I need to check for in the Inline hook.

It’s per-session data and doesn’t belong in the user’s profile. Besides, I’ve read that updating the user’s profile can be slow…but that could be wrong.

I figured I could use the SAML Assertion hook, pull the custom claim out of the SAML Response and add it to the Okta Token…then I could check for it in the Inline Hook…but I couldn’t get that to work.

Do you have a sample somewhere showing step by step how an IDP can update a user profile? As a last ditch effort, I tried to get that to work too…with no luck.

I’m missing something that I’m sure is right in front of me.