Relaying parameters thru embed link to app

trung_nguyen · June 27, 2017, 6:14pm

I have a service, that does the following:

Call authenticate to log the users into the Okta.
Once logged in I’m returning the Embed Link with the sessionToken appended to the url.

I have some dynamic parameters such as where to navigate to after sso in. Is it possible to pass some parameters to the app when using embed sso link?

I have tried the following:

On the auth api, there’s a relay state parameter, i have tried that, but when Okta post the saml xml to the app, there were no relay state in the saml xml and the RelayState form field is empty.
I have also tried appending relayState to the Embed Link, but that didn’t seem to do anything.

PS I do not know what type of sso implementation the app is using SAML, OpenID Connect or whatnot. I’m trying to be agnostic at this level, and the app will have to figure out how to get the relay state depending which sso implementation they have opted for.

mcguinness · June 30, 2017, 3:52pm

This is currently not supported. Protocols like OIDC technically don’t support an IdP init flow and expect the SSO flow to always be initiated by the app which can capture its own state. We currently only support a statically defined RelayState for IdP-init SAML flows as part of app configuration.

Can you elaborate more on what you are trying to achieve in your scenario?

trung_nguyen · June 30, 2017, 4:38pm

I think I figured a workaround, but first let me describe the scenario.

I have two apps in Okta. And the user has logged into app 1 and is currently viewing product 1. They see a link to go to app 2. When the user click on that link, it should sso them into app 2 and carry the context of product 1, so that app 2 can redirect the user to the product page loading product 1.

I’m writing a service to facilitate this. When the user click on the link in app 1, app 1 will call the service to setup the sso process. The service first needs to authenticate the user with Okta to get the sessionToken. Then figure out app 2’s sso implementation type (OIDC or SAML). Then using the SSO URL going to append the context to either RelayState (for SAML) or state (for OIDC). And (app 1) finally return the final url back to client browser.

I should mention that with OIDC, I’m using form_post for response_mode and id_token for response_type.

With SAML, I have an outstanding issue, which is how to programmatically get the SAML SSO URL.

mcguinness · June 30, 2017, 4:57pm

The endpoint is published in SAML metadata (XML) which we publish in the Apps API via a HAL Link

           "metadata": {
                "href": "https://org.example.com/api/v1/apps/0oannpV6aOxxlefI00g3/sso/saml/metadata",
                "type": "application/xml"
            }

trung_nguyen · June 30, 2017, 5:05pm

I was hoping for a rest API.

Loading up that xml requires the service to sign in, which is another credential I have to maintain in addition to the api key.

trung_nguyen · June 30, 2017, 8:52pm

FYI I found a way to get SAML meta thru the api.

Call get appInstance api to get credential.signing.kid
Call {{url}}/api/v1/apps/{{appId}}/sso/saml/metadata?kid={{keyId}}

system · January 12, 2024, 7:05pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.