SAML IdP Initiated Login with Okta as SP

I’m trying to use a custom SAML Identity Provider to access our Okta Admin portal. What we want to implement is an IdP Initiated flow, where Okta serves as SP and our IdP acts as IdP and initiates the login flow to the Admin portal.

I’ve already configured the SAML Identity Provider and the routing rule for this provider, but the login request with a SAML Response containing a SAML Assertion returns this page:

I cannot see any events associated with this request that were recorded in the System Log of our Okta Organization.

Some things that we’ve already (unsuccessfully) tried:

  • We can confirm that requests are arriving at Okta OK, as changing --data-urlencode to --data-raw leads to a System Log entry with the message “The incoming message is not a valid SAMLResponse”
  • We used an external tool to validate that the SAML Response is OK: SAML Response Validator - Validate SAML Metadata, Signatures & Certificates
  • We tried doing some modifications to the SAML Response, with no success

I know that using an external SAML IdP to access the admin console is possible, as I’ve done it before using Auth0 as my IdP in an SP initiated flow. But is it possible to do the same with an IdP Initiated flow? If so, what am I doing wrong?

Many thanks

This may help, at least it’s something that you can try.

If you are using a Chrome based browser then you may want to check out one of the many SAML extensions found here https://chromewebstore.google.com/search/saml?itemTypes=EXTENSION which may help you resolve the issue. Your guess is as good as mine as to which extension would be best to use.

If you or your team has access to the underlying programming code then what programming languages are you using and which libraries?

I was finally able to complete this flow. The issue was using cURL instead of a browser to POST the SAML Assertion to the ACS URL. Once this was done with a browser, the error disappeared.

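For reference, this is how an IdP-initiated HTTP-POST binding delivers the response to the SP through the browser rather than via cURL: the IdP returns a self-submitting HTML form whose SAMLResponse field is the base64 of the XML, and the SP checks that the Destination matches the ACS URL it was posted to. This is an added illustration, not code from the thread or from Okta; the ACS URL is a placeholder and the response is a constructed, unsigned stub.

```python
import base64
import html
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Placeholder ACS URL and a constructed, unsigned response stub (a real one is signed).
ACS_URL = "https://example.okta.com/sso/saml2/EXAMPLE_IDP_ID"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_id1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="{ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


def encode_saml_response(xml_text: str) -> str:
    """HTTP-POST binding: the SAMLResponse form value is the base64 of the raw XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def check_destination(xml_text: str, acs_url: str) -> bool:
    """SP-side check: the Destination attribute must equal the ACS URL that received the POST."""
    root = ET.fromstring(xml_text)
    return root.tag == f"{{{SAMLP}}}Response" and root.get("Destination") == acs_url


def build_post_binding_form(xml_text: str, acs_url: str, relay_state: Optional[str] = None) -> str:
    """Self-submitting HTML form the IdP returns to the browser in an IdP-initiated flow."""
    if not check_destination(xml_text, acs_url):
        raise ValueError("Destination does not match the ACS URL")
    fields = [("SAMLResponse", encode_saml_response(xml_text))]
    if relay_state:
        fields.append(("RelayState", relay_state))
    inputs = "\n".join(
        f'    <input type="hidden" name="{name}" value="{html.escape(value, quote=True)}"/>'
        for name, value in fields
    )
    return (
        '<!DOCTYPE html><html><body onload="document.forms[0].submit()">\n'
        f'  <form method="post" action="{html.escape(acs_url, quote=True)}">\n'
        f"{inputs}\n"
        '    <noscript><input type="submit" value="Continue"/></noscript>\n'
        "  </form></body></html>"
    )
```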
