Suggested approach for adding Okta SAML as a login provider to existing app?

Hi there, my team and I are new to Okta, so I'm looking for some guidance on getting started here, as I'm feeling a bit lost with all the options.

Here is what our scenario is:

  • We have a .NET Framework 4.X MVC front-end
  • This front end talks to our API backend running IdentityServer4, and passes JWT tokens back and forth to enable authentication for our site. The front end does not use any authentication providers natively; it interacts with our API to obtain these tokens. We have authentication attributes where needed that validate the JWTs are still valid. The user store, accounts, passwords, etc. are accessed via our API layer that our front-end makes calls to.

We now have a situation where a 3rd party client/partner, with an existing Okta user store of their own, wants to establish a SAML-based SSO into our site. So, they would like to have a URL on our page that redirects their user to Okta, which then redirects to a callback link on our site w/ some identifying info sent with the SAML, and our API will associate that with a user on our side and log them in as explained above.

Here’s where things get murky for me and I’m wondering what the best approach is.

With every example I've seen so far for working with Okta + SAML, it is configuring the front-end to add an Identity Provider and securing the entire application with this SAML IdP. That is not what we want to do. We have our own pre-built authentication

What we want to do is validate the login being passed back to us, extract the user info, and then log them in to our in-house account.

I'm wondering, would this be a use for the Okta APIs in this case?

Hoping to get some suggestions on how to fit in this authentication approach with our existing structure. Any hints towards Okta documentation or write-ups that talk about how to handle this would be greatly appreciated.

Thanks

If your front-end does not do any SSO (authentication) and all work is done by your back-end, then I do not see any issues implementing SAML on the back-end.

You would send partner users to their Okta for authentication, and Okta will return a SAML assertion, which you can parse on your back-end and create a session for the user. Then your front-end will receive a JWT from your back-end to talk to other services.

Am I missing something?
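A minimal version of the back-end step described in this answer (verify the assertion, then extract the subject), as an added example in C# for the .NET stack described above; it is not code from the thread or from any library, and the class, method and parameter names are mine. It assumes the partner's Okta signs the Assertion element and that the caller loads the IdP signing certificate from the partner's metadata.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml; // System.Security assembly on .NET Framework 4.x
using System.Xml;

// Constructed example of an SP-side assertion consumer for a back-end; not taken from any library.
public static class SamlAssertionConsumer
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion", DsNs = "http://www.w3.org/2000/09/xmldsig#";
    // Returns the subject NameID from a SAML Response, or throws if the assertion is not trustworthy.
    // idpSigningCert: the partner's signing certificate from their Okta metadata (pinned, never read from the XML).
    // expectedAudience: this SP's entity ID as registered with the partner.
    public static string ValidateAndExtractNameId(string samlResponseXml, X509Certificate2 idpSigningCert, string expectedAudience, TimeSpan clockSkew)
    {
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null }; // null resolver: no external entities
        doc.LoadXml(samlResponseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsNs);
        var assertion = doc.SelectSingleNode("//saml:Assertion", ns) as XmlElement
            ?? throw new InvalidOperationException("No Assertion element");
        // 1. Signature: present, verifies against the pinned certificate, and its single Reference points at this
        //    assertion's ID (an unsigned assertion wrapped beside a signed one is rejected).
        var sigNode = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement
            ?? throw new InvalidOperationException("Assertion is not signed");
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigNode);
        if (!signedXml.CheckSignature(idpSigningCert, verifySignatureOnly: true))
            throw new InvalidOperationException("Signature does not verify against the IdP certificate");
        if (signedXml.SignedInfo.References.Count != 1 ||
            ((Reference)signedXml.SignedInfo.References[0]).Uri != "#" + assertion.GetAttribute("ID"))
            throw new InvalidOperationException("Signature does not cover this assertion");
        // 2. Conditions: validity window (with bounded clock skew) and audience restriction.
        var conditions = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement
            ?? throw new InvalidOperationException("No Conditions element");
        var now = DateTime.UtcNow;
        if (conditions.HasAttribute("NotBefore") && now + clockSkew < ParseUtc(conditions.GetAttribute("NotBefore")))
            throw new InvalidOperationException("Assertion not yet valid");
        if (conditions.HasAttribute("NotOnOrAfter") && now - clockSkew >= ParseUtc(conditions.GetAttribute("NotOnOrAfter")))
            throw new InvalidOperationException("Assertion expired");
        if (conditions.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns)?.InnerText != expectedAudience)
            throw new InvalidOperationException("Assertion was not issued for this service provider");
        // 3. Subject. The caller should also store the assertion ID until NotOnOrAfter and reject a repeat (replay).
        var nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns)?.InnerText;
        return string.IsNullOrEmpty(nameId) ? throw new InvalidOperationException("No NameID in assertion") : nameId;
    }

    static DateTime ParseUtc(string s) => DateTime.Parse(s, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);
}
```

Once this returns a NameID, the back-end looks up the matching local account and mints the same JWT it issues for a password login, so the front-end needs no SAML awareness at all.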

Yes, but as I mentioned, every library/package I've seen so far insists on taking over and acting as the authentication provider for the app. I simply need the functionality to parse the SAML assertion. So far I've only found this one 'library' (GitHub - jitbit/AspNetSaml: Very simple SAML 2.0 consumer module for ASP.NET/C#). It is a little disconcerting that there's only one option out there.

I can’t recall what I used recently to parse a SAML assertion (though it was done in Java). But I’m totally with you on that path.

Also, did you evaluate the possibility of having an external SAML provider configured in your Okta tenant (assuming you are using Okta too)? Then you'd still use your own OIDC/OAuth integration.