Server is getting 403 when fetching IdP SAML metadata

I’m an engineer at a B2B SaaS. We’re an app or “service provider”, and we offer SAML+SCIM to our customers to provision and sign into our app.

Our customers give us their IdP metadata URL (https://<company>.okta.com/app/<appId>/sso/saml/metadata), which we need to use for SAML assertions.

Lately, I’ve been noticing our server often gets a 403 response when fetching this URL, though I can open it just fine without any authentication via my browser. Our app runs in Heroku.

Any reason why our server is getting 403s on these URLs despite them being otherwise publicly accessible?

Do you have any logs on Heroku that might help? It sounds like this is more of a server-to-Okta issue, which can be TLS, IP whitelisting, or any other network-related issue, or the user agent or referrer, rather than an endpoint-based one.

There are so many reasons why this can happen, although we cannot know for certain if that is indeed the cause.

I would comb the logs deeply to see if there are any handshake, TLS, firewall or proxy issues, rule them all out first, and then move on to the HTTPS layer to see why the 403s are thrown.

It is also a good idea to check your TLS/SSL certificate configuration between the client application and the Okta endpoint; this sounds like there is a TCP issue on your server since this works fine in the browser.

Checking whether your server IP is whitelisted on your server side can help too in some cases. See: Okta IP address allow listing | Okta

I would simply try to curl it to see if it succeeds and dump it to see if there are any added headers that could make a difference.
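As an added example, not code from the original thread or from Okta: a small service-provider-side helper in Python that fetches the customer's IdP metadata over HTTPS with certificate verification and an identifying User-Agent, surfaces the status code and response headers when the fetch is rejected (so a 403's cause shows up in the server log rather than being swallowed), and validates what comes back before it is trusted for assertions. The USER_AGENT string, the example hostnames and SAMPLE_METADATA are assumptions/constructed for illustration.

```python
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Hypothetical identifying agent string; an empty or generic User-Agent is one thing an edge may reject.
USER_AGENT = "ExampleSP-metadata-fetcher/1.0 (+https://sp.example.com/security)"

def is_allowed_metadata_url(url: str) -> bool:
    """Customer-supplied metadata URLs are fetched over https only, never plain http."""
    return url.lower().startswith("https://")

def fetch_idp_metadata(url: str, timeout: float = 10.0) -> bytes:
    """GET with explicit headers; a non-2xx answer is raised with its headers so a 403's cause is logged."""
    if not is_allowed_metadata_url(url):
        raise ValueError(f"refusing non-https metadata URL: {url}")
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT,
        "Accept": "application/samlmetadata+xml, application/xml;q=0.9, */*;q=0.1"})
    ctx = ssl.create_default_context()  # verifies the IdP's certificate chain and hostname
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"HTTP {err.code} from {url}; headers={dict(err.headers.items())}") from err

def parse_idp_metadata(xml_bytes: bytes) -> dict:
    """Extract entityID, signing certs and SSO endpoints (prefer defusedxml for untrusted input)."""
    root = ET.fromstring(xml_bytes)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("document is not an IdP EntityDescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means signing AND encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop PEM line breaks
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if not certs or not sso:
        raise ValueError("metadata lacks a signing certificate or an SSO endpoint")
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}

# Constructed sample (not real Okta output): a minimal IdP EntityDescriptor with a placeholder cert.
SAMPLE_METADATA = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

Run the fetch on a schedule and keep the last successfully parsed document as the working copy, so an intermittent 403 from the IdP's edge is logged for investigation but does not take down customer logins.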
