I’m an engineer at a B2B SaaS. We’re an app or “service provider”, and we offer SAML+SCIM to our customers to provision and sign into our app.
Our customers give us the URL of their IdP metadata (https://<company>.okta.com/app/<appId>/sso/saml/metadata), which we need to use for SAML assertions.
Lately, I’ve been noticing our server often gets a 403 response when fetching this URL, though I can open it just fine without any authentication via my browser. Our app runs in Heroku.
Any reason why our server is getting 403s on these URLs despite them being otherwise publicly accessible?
Do you have any logs on Heroku that might help? It sounds like this is more of a server-to-Okta issue (TLS, IP whitelisting, user agent, referrer, or some other network-related issue) than an endpoint-based one.
There are so many reasons why this can happen, although we cannot know for certain if that is indeed the cause.
I would comb the logs deeply to see if there are any handshake, TLS, firewall or proxy issues, rule them all out first, and then move on to the HTTPS layer to see why the 403s are thrown.
It is also a good idea to check your TLS/SSL certificate configuration between the client application and the Okta endpoint; this sounds like there is a TCP issue on your server, since this works fine in the browser.