Programmatically using Okta to authenticate with external app



I’m quite new to SAML and Okta, but I believe that we’re using Okta as an IdP in a federated login system. I would like to use a certain user’s Okta credentials to (programmatically) obtain a SAML assertion from Okta that can be used to get an OAuth2.0 token from an external service (a SP in SAML parlance, I think). I have examples (through a saml-tracer dump) of this flow happening from a browser’s perspective, but in that case the SAML assertion from Okta is encoded in some way, embedded in a hidden form, and then autosubmitted (to a different endpoint on the external service than what I need to obtain OAuth2.0 tokens).

What are the steps that I should follow to achieve the same thing in a programmatic way? I.e. what endpoints should I be hitting, and what is the protocol for obtaining a SAML assertion that 1) isn’t embedded in a hidden HTML form and 2) can be passed on to the external service and used for authentication with OAuth2.0?
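The encoding described in the question is the SAML HTTP-POST binding: the hidden `SAMLResponse` field holds the Base64 of the Response XML. As an added example (not part of the original post, and not Okta's or the external service's own code), the sketch below decodes such a page, lists the fields that control where the assertion is accepted, and base64url-encodes the assertion as RFC 7522 requires for a SAML bearer token request. Whether the external service supports that grant is an assumption; the sample page, hostnames and function names are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample: an unsigned Response and the auto-submit page carrying it.
SAMPLE_XML = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">'
    b"<saml:Issuer>https://idp.example.test</saml:Issuer>"
    b'<saml:Conditions NotOnOrAfter="2030-01-01T00:05:00Z"><saml:AudienceRestriction>'
    b"<saml:Audience>https://sp.example.test</saml:Audience>"
    b"</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>")
SAMPLE_HTML = (
    '<form method="post" action="https://sp.example.test/acs">'
    '<input type="hidden" name="SAMLResponse" value="%s"/>'
    '<input type="hidden" name="RelayState" value="abc"/></form>'
    % base64.b64encode(SAMPLE_XML).decode())

class HiddenInputs(HTMLParser):
    """Collect <input> name/value pairs; HTMLParser unescapes entity-encoded values."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def decode_post_binding(html):
    """Return (response_xml_bytes, relay_state) from an HTTP-POST binding page."""
    parser = HiddenInputs()
    parser.feed(html)
    return base64.b64decode(parser.fields["SAMLResponse"]), parser.fields.get("RelayState")

def summarize(response_xml):
    """Fields that decide who may accept the assertion and until when."""
    a = ET.fromstring(response_xml).find("saml:Assertion", NS)
    return {"issuer": a.findtext("saml:Issuer", namespaces=NS),
            "audience": a.findtext(".//saml:Audience", namespaces=NS),
            "not_on_or_after": a.find("saml:Conditions", NS).get("NotOnOrAfter")}

def bearer_assertion_param(response_xml):
    """base64url of the Assertion element for an RFC 7522 `assertion` parameter.
    Sliced from the original bytes (not re-serialized) so signed bytes are unaltered."""
    m = re.search(rb"<((?:\w+:)?)Assertion\b.*?</\1Assertion>", response_xml, re.S)
    return base64.urlsafe_b64encode(m.group(0)).decode()

if __name__ == "__main__":
    print(summarize(decode_post_binding(SAMPLE_HTML)[0]))
```

The `audience` value shows which service the IdP issued the assertion for; a token endpoint that validates assertions will reject one whose audience names a different endpoint or entity.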