I took a look and yes, looks like we are definitely using SAML.
We are already using Okta with SAML to let users log into our main app. However, we also have developed some plugins for the XD and Sketch design tools. In those plugins, we already expose a regular login flow to our users - a user can enter an email/password within the plugin UI and then the plugin will pass those credentials to our back end to authenticate with the back end. Once authenticated, the plugin can then request private user data from the back end.
What we are trying to do now is to add Okta SSO to these plugins so that from the plugins, the user would be able to authenticate with our back end using Okta. I have been trying to implement this new sign-on flow by building it as much as possible on top of our existing Okta SSO for our main app. The flow that I have been trying to implement would hopefully work like this:
1. The user clicks a link in the plugin UI.
2. a) The user’s default web browser opens a page being served by our back end and passes it a unique id. This page asks for the user’s domain.
   b) At the same time, the plugin starts to poll an endpoint on our back end, passing it the same unique id.
3. When the user enters the domain on the page from 2a, if the domain matches our data, the browser then shows the user a page with an OktaSignIn widget.
4. The user enters credentials into the OktaSignIn widget.
5. The browser redirects to Okta and, after some redirects, Okta ends up calling an assert endpoint on our back end.
The idea is that once Okta calls the assert endpoint, at that point our back end should record the fact that the assert endpoint got called and then the polling from step 2b should return some authentication data - then the plugin will be authenticated with our back end.
The problem, though, is that we would need to associate that unique id from step 2 with any given call to the assert endpoint in order to make sure that we are authenticating the right user.
So to make this work, it seems that we would need a way to initially pass in some unique id (not necessarily the same as the one from step 2) to Okta that Okta would then return to our back end when it calls the assert endpoint.
That is why I am wondering if there is any way to pass some sort of custom state into Okta and then have it return this state to the assert endpoint.
Edit: I think that RelayState might have something to do with this.
Thanks again and thanks in advance for any ideas that you might have!
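The following is an added example, not code from the post above or from Okta: an in-memory model of the three back-end pieces the flow describes (start of a login with a unique id, the plugin's poll endpoint, and the assert endpoint Okta calls) that shows how a server-issued RelayState value ties the returned SAML assertion back to the pending plugin login. All class, function and field names are assumptions, as is the 5-minute expiry. Parsing the SAML Response and validating its signature are assumed to be done by your SAML library before `saml_assert` is reached; the broker only deals with the correlation problem.

```python
"""Correlating a SAML assertion with a pending plugin login via RelayState.

Added example (assumed names, not the original poster's code). The back end
mints two unrelated random tokens per login attempt: `login_id`, which the
plugin polls with, and `relay_state`, which the browser page sends to Okta
and Okta echoes back to the assert endpoint. Because the mapping between
them lives only on the server, the assert endpoint accepts a RelayState
only if it issued that value itself, the value has not expired, and it has
not already been used.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LOGIN_TTL_SECONDS = 300  # assumed: pending logins are abandoned after 5 minutes


@dataclass
class PendingLogin:
    login_id: str                       # token the plugin polls with
    relay_state: str                    # opaque token handed to Okta, returned on assert
    created_at: float
    name_id: Optional[str] = None       # subject from the accepted SAML assertion
    auth_token: Optional[str] = None    # issued once the assertion is accepted
    consumed: bool = False              # plugin has already collected auth_token


class PluginSsoBroker:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._by_login_id: Dict[str, PendingLogin] = {}
        self._by_relay_state: Dict[str, PendingLogin] = {}

    def _expired(self, login: PendingLogin) -> bool:
        return self._now() - login.created_at > LOGIN_TTL_SECONDS

    def start_login(self) -> PendingLogin:
        """Steps 1/2a: create a pending login and return both tokens.

        43-character urlsafe tokens stay well under the 80-byte limit the SAML
        bindings spec places on RelayState.
        """
        login = PendingLogin(
            login_id=secrets.token_urlsafe(32),
            relay_state=secrets.token_urlsafe(32),
            created_at=self._now(),
        )
        self._by_login_id[login.login_id] = login
        self._by_relay_state[login.relay_state] = login
        return login

    def relay_state_for(self, login_id: str) -> Optional[str]:
        """Step 3: the browser page looks up the RelayState to send to Okta."""
        login = self._by_login_id.get(login_id)
        if login is None or self._expired(login):
            return None
        return login.relay_state

    def saml_assert(self, relay_state: str, name_id: str) -> bool:
        """Step 5: Okta posts the SAML Response; RelayState comes back with it.

        The RelayState value is attacker-controllable in that POST, so it is
        never used as data: it is only a key into our own table, and it is
        removed on first use so a replayed assertion cannot complete a login.
        """
        login = self._by_relay_state.pop(relay_state, None)
        if login is None or self._expired(login) or login.auth_token is not None:
            return False
        login.name_id = name_id
        login.auth_token = secrets.token_urlsafe(32)  # stand-in for your real session/API token
        return True

    def poll(self, login_id: str) -> Optional[dict]:
        """Step 2b: the plugin polls; auth data is handed out exactly once."""
        login = self._by_login_id.get(login_id)
        if login is None or self._expired(login):
            self._by_login_id.pop(login_id, None)  # drop stale entries on contact
            return None
        if login.auth_token is None or login.consumed:
            return None  # still waiting for Okta, or already delivered
        login.consumed = True
        del self._by_login_id[login_id]
        return {"user": login.name_id, "token": login.auth_token}
```

Keeping `login_id` and `relay_state` separate means the assert endpoint never has to trust anything in the incoming request beyond a table lookup, and the table entry disappears on first use, so the same RelayState cannot be presented twice and an expired attempt cannot be completed late. In a multi-process deployment the two dictionaries would be replaced by a shared store with the same TTL.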