Single application can support both SPA and SAML?

Questions
#1

We created our applications as SPA(OIDC) in Okta and they are good so far. But recently there is a requirement to support SAML authentication as well for some new set of users. How can we support both these flows for our applications? Does Okta provide any specific way to do that?

Below is my understanding until now.

  1. I need to create a new app for SAML authentication.
  2. Create a web page before the login page asking for the end user’s email.
  3. Validate the email through a lookup table and then direct the user to respective authentication flow(either SPA or SAML).
#2

Hi @VAMSI_VEGESNA,

OIDC and SAML are two different standards for federated authentication. In Okta, you could create an application that follows OIDC (SPA/web app…) or an application of type SAML, you cannot create a single application that supports both these standards in Okta.

1 Like
#3

Hi @VAMSI_VEGESNA

You would need to create an ACS endpoint inside your application which will receive the incoming SAMLResponse from Okta. Based on this SAMLResponse, you will need to create a session for the user inside the application. You can find more details about SAML here.

In short, this are the steps required to implement SAML inside your application:

  • create a SAML application in Okta
  • implement SAML in your application
    • Okta does not offer a proprietary SAML SDK, however you can use a third party SAML SDK specifically for the language in which the application was made
  • configure the SAML SDK in your application with the values from Okta (issuer, public certificate, IDP SSO URL, etc.)
  • implement a method in the application to validate the SAMLResponse coming from Okta using the SAML SDK and, after verification, create a session for the user
1 Like
#4

Thanks for the inputs. As per my understanding, irrespective of SAML or OIDC authentication Okta takes care of everything in the background and sends us the required tokens(access token and id token) and all for maintaining user sessions.

So I am thinking for both SPA and SAML I can have the same ACS code and flow using access tokens. My application is not required to be compatible with SAML. Am I correct?

#5

Yeah, it’s your choice which SSO mechanism to support. If you want to be fancy, then support both :slight_smile: