RelayState / Pass Through

Noticed something strange when testing - I am happy it seems to be working, but that is the part that scares me if I start to rely on it.

I have an ASP.NET MVC app that we are looking to integrate with Okta/SAML/SSO.
This application has MULTIPLE entry points depending on where the user is coming from

Think of it as
App/DefaultLanding
App/AppAEntry
App/AppBEntry
etc.

For LDAP I had two ways of accomplishing this, letting the user get to the endpoint URL, if not authenticated, passing them to the login page and then back to their entry page, or by sending them to the default page which was the login page, looking for the passedApp=A etc on the query string etc.

When we were first trying with Okta in our stage, none of those other entries worked. All extra URL information was lost, and the users would all be sent to App/DefaultLanding regardless.

We found out that we should be able to use RelayState as a parameter to act the way passedApp did, our Okta Admins turned this on and I changed my code to look for RelayState as well, but now ALL 3 paths seem to work.

Is this a new feature or change? It seems for our stage/test environment, all information at the end of the URL, whether it is direct pathing to a subpage, or a series of parameters besides RelayState, is being passed through after the Okta authentication.

This would greatly simplify my life - Just concerned it is too good to be true, and nervous about relying on it. I had spent an hour plus talking with Okta staff over this scenario like 4 to 6 weeks ago when they were in Boston, so maybe they saw it had value and implemented it.

It did not work 2 or 3 weeks ago, but does today, so real curious if this is a new feature (if so… Thank you!)

Hi @DavidLaskey thank you for sharing the post. Could you please open a support case with Okta for this issue? Let me know if you are unable to do so. Thanks!

I am not sure if there is anything to open regarding support. I had been looking for passthrough functionality which months ago was not working, but now it is. From what I had been told by our Administrators and Okta staff, what I was seeking was not a “standard configuration” and did not seem like there was a straightforward path, but now it does function as I was hoping, so just trying to determine whether Okta staff I had spoken to had implemented my scenario and it's now part of Okta/SAML/SSO, or I am hitting a temporary anomaly and somewhere down the line, this feature will be closed again.

In short, earlier in the year, if a user referenced a full url path going through Okta/SAML/SSO, they would be passed to the static root endpoint of the configuration. i.e. mybaseurl. Now, post authentication or verification of an existing session, the full url is being passed - i.e. mybaseurl/subfolder/page. This functions for directly going to specific pages on the site and not just the root landing page, as well as passing through variables on the query string, both of which were being stripped off earlier.

Hope that clarification helps.

Hi Nikita, not sure I have the ability to open up a support case on this, so would appreciate any help. We are definitely looking for clarification and a response if this functionality will be present going forward.
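
Added example, not part of the thread and not Okta's or the poster's code: one way an app with the entry points sketched above could consume a passed-through RelayState after the SAML assertion has been validated, treating it as untrusted input and falling back to the default landing page if it is missing or unexpected. The class name, the assumption that RelayState carries a local path, and the sample values are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example; names and paths are assumptions based on the thread's sketch.
public static class RelayStateRouter
{
    private const string DefaultLanding = "/App/DefaultLanding";

    // Entry points the app is willing to land on after SSO.
    private static readonly HashSet<string> AllowedPaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { DefaultLanding, "/App/AppAEntry", "/App/AppBEntry" };

    // Returns the local path (plus query string) to redirect to after login.
    // A missing or unexpected value yields the default landing page, so the
    // app keeps working if the pass-through behaviour ever changes.
    public static string Resolve(string relayState)
    {
        if (string.IsNullOrWhiteSpace(relayState) || relayState.Any(char.IsControl))
            return DefaultLanding;

        // Only local paths: reject absolute URLs and "//host" or "/\host" forms
        // so the value can never send the user off-site.
        if (relayState[0] != '/' ||
            (relayState.Length > 1 && (relayState[1] == '/' || relayState[1] == '\\')))
            return DefaultLanding;

        // Drop any fragment, then split path from query string.
        int hash = relayState.IndexOf('#');
        string noFragment = hash < 0 ? relayState : relayState.Substring(0, hash);
        int q = noFragment.IndexOf('?');
        string path = (q < 0 ? noFragment : noFragment.Substring(0, q)).TrimEnd('/');
        string query = q < 0 ? "" : noFragment.Substring(q);

        return AllowedPaths.Contains(path) ? path + query : DefaultLanding;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the thread.
        var samples = new[] { "/App/AppAEntry?passedApp=A", "/App/AppBEntry/",
            "https://example.invalid/x", "//example.invalid", "/App/Unknown", null };
        foreach (var rs in samples)
            Console.WriteLine("{0} -> {1}", rs ?? "(none)", Resolve(rs));
    }
}
```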
