Trying to pass state through the redirects and back to the assert route


I want to set a piece of state - just a string will do - when setting up the OktaSignIn widget and then have that state passed somehow in the Okta-initiated request to the assert route.

From what I understand, the way to do this might be by using authParams.state, although I also see that there is a warning advising that authParams.state should be used for CORS validation.

In any case, so far I have not been able to figure out how to get authParams.state to work. I might be missing the right way to read it from the request to the assert route, but I do not see any state that I set this way in that request anyway. Maybe it is in the SAMLResponse? Not sure.

In any case, especially because of that warning that authParams.state should be used for CORS validation, I am not sure that authParams.state is the right way to go.

What is the proper way, if there is one, to pass state through the Okta domain steps of the SSO login flow and back to the assert route? And if there is not one, then is there any improper way to do it?


Are you working on an OIDC application? authParams.state (aka, the ‘state’ parameter included in an /authorize call) only applies to OIDC applications, but your mention of a SAMLResponse makes me wonder if you are working on a SAML app instead.

Whats the end goal for your use case? Have users sign in through your widget and then…?

Thanks @andrea!

I took a look and yes, looks like we are definitely using SAML.

We are already using Okta with SAML to let users log into our main app. However, we also have developed some plugins for the XD and Sketch design tools. In those plugins, we already expose a regular login flow to our users - a user can enter an email/password within the plugin UI and then the plugin will pass those credentials to our back end to authenticate with the back end. Once authenticated, the plugin can then request private user data from the back end.

What we are trying to do now is to add Okta SSO to these plugins so that from the plugins, the user would be able to authenticate with our back end using Okta. I have been trying to implement this new sign-on flow by building it as much as possible on top of our existing Okta SSO for our main app. The flow that I have been trying to implement would hopefully work like this:

  1. The user clicks a link in the plugin UI.
  2. a) The user’s default web browser opens a page being served by our back end and passes it a unique id. This page asks for the user’s domain.
    b) At the same time, the plugin starts to poll an endpoint on our back end, passing it the same unique id.
  3. When the user enters the domain on the page from 2a, if domain matches our data, the browser then shows the user a page with an OktaSignIn widget.
  4. The user enters credentials into the OktaSignIn widget.
  5. The browser redirects to Okta and after some redirects, Okta ends up calling an assert endpoint on our back end.

The idea is that once Okta calls the assert endpoint, at that point our back end should record the fact that the assert endpoint got called and then the polling from step 2b should return some authentication data - then the plugin will be authenticated with our back end.

The problem, though, is that we would need to associate that unique id from step 2 with any given call to the assert endpoint in order to make sure that we are authenticating the right user.

So to make this work, it seems that we would need a way to initially pass in some unique id (not necessarily the same as the one from step 2) to Okta that Okta would then return to our back end when it calls the assert endpoint.

That is why I am wondering if there is any way to pass some sort of custom state into Okta and then have it return this state to the assert endpoint.

Edit: I think that RelayState might have something to do with this.

Thanks again and thanks in advance for any ideas that you might have!