SP-Initiated SSO Routing Issue

Working on implementing a SP-Intiated SSO where there are 3 pieces involved: Org1 (IdP), Okta, Application.

A user from Org1 will attempt to access Application thru a sign in page hosted either at Okta or Application.
I have a routing rule set up already to send them to the correct Idp at Org1 based on email domain.

When a user authenticates thru their IdP, they get dropped off in the Okta dashboard and not Application. Using the global redirect feature works but will not be valid in the event of multiple Okta applications.

A few questions here:

  1. If using the custom sign in page, how do I sent users from Idp to a specific application instead of the Okta dashboard (assuming there are multiple applications in Okta)

  2. If there are users that have no SSO, how do I validate the credentials entered on the custom sign in page against our Application’s database, which is unfederated and involves basic username/password.
    Basically make a POST call out of the supplied credentials INSTEAD of sending to Okta’s user DB.

  3. If using my application’s login page, can I make api calls from the application to Okta to determine if the incoming user is an SSO user and then forward them through Okta to their Idp and back into a page in my application?

Thank you in advance!

Hi Jeff,

Here’s my attempt at answering your questions:

  1. You can try using IDP Discovery and setting your application url in the requestContext. Please see https://support.okta.com/help/s/article/Relay-state-lost-when-using-IDP-Discovery-in-Sign-In-widget as an example. You may have to add some custom logic to handle multiple target urls for multiple applications or setup multiple custom login pages.
  2. Again can probably use IDP Discovery and routing rules, that user will should fall under the default routing rule which they can authenticate using username/password.
  3. Yes you can make API calls from your application (remember to add it as a Trusted Origin). A useful one might be the webfinger endpoint. https://developer.okta.com/docs/reference/webfinger/#finding-a-user-s-idp

Thank you Warren,
You definitely gave me some useful information. A few follow up questions:

  1. Can that requestContext be done through the url? For example if I am not using the sign-in widget.
  2. The user with no SSO will not have his credientials within Okta, hence the default routing rule will try to validate the user against a user in Okta. The credientials will reside in my application’s db and I would not want to move it to Okta.
  3. This is great. I used the url returned in the response and was able to authenticate the user. Similar to #1. Can I append a parameter to the end of that url where the user would be redirected to after login.
    For reference the url is something like redirectuUrl=… ->
https://${yourOktaDomain}/sso/idps/<IDP_ID>?redirectUrl=<LAND_HERE_AFTER_SSO_WITH_IDP>

To all, I was able to do this using the bookmark app in Okta: https://support.okta.com/help/s/question/0D50Z00008G7VQHSA3/okta-saml-redirect-to-custom-webapp.

Basically set up a bookmark app, assign to all users. Use the app embed link from the bookmark app setting page. That url will prompt user to login to okta -> which is picked up by routing rules to the user’s organization’s IdP -> after authentication goes to bookmark app -> which is configured to go to a custom url on my Application.