Using Okta as an OpenID to SAML bridge

Hello,

We have an application which can integrate with Okta to enable OpenID logins. We have also configured Okta to allow logins via SAML to enable SSO federation with our ADFS system.

I understand that it is possible to ‘bridge’ between the two using Okta, so that we can enable SAML SSO logins to the OpenID application (with Okta in the middle). I see there is a previous post which originally discussed a similar but reverse situation, and the question was subsequently asked about doing it the same way I need to do it.

However the post didn’t provide much detail, and I am struggling to get this working. Should it be possible to do this? If so, is it possible to get some suggestions about how to do it?

Thanks

Hi @simonl

After you have set up the SAML IdP in Okta, please expand the IdP and copy the IdP’s ID, for example


Once the IdP ID is copied, please follow the same steps as in the previous topic to configure the OIDC application (step 2.1), adding the SAML IDP’s ID in the {idp} section of the final URL.

OK thanks - I think we’re making progress.

However, next question - when the login is initiated from outside the app (i.e. from Okta), it requires the ‘initiate login URI’ in Okta to be set to the following:

https://example.com/#/users/sign-in

If I set this in the Okta app, then use the final URL to initiate login via the IDP and with the above URI set as the ‘redirect_uri’, I get a 400 error from Okta:

“The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings”

OK, so I go into the Okta app and set this URI as one of the login redirect URIs. However it tells me that “The redirect URIs must not contain a fragment identifier.” I presume it doesn’t like the ‘#’. If I set the URI as ‘https://example.com/%23/users/sign-in’, it accepts it. If I then try to initiate logins with this modified URI as the redirect URI, it still fails with “The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings”. As far as I can tell, the URI in the URL and the URI set as a redirect URI in Okta are the same.

Is there any reason why this won’t work? Thanks
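As an added illustration of the two errors described in this thread (not code from the posters or from Okta), the following Python models the checks an OAuth 2.0 / OIDC provider applies to `redirect_uri`: RFC 6749 §3.1.2 forbids a fragment in a registered redirect URI, and the value sent in the authorization request is compared by exact string match to what was registered, so `%23` and a literal `#` never match. It also shows that a browser drops everything after `#` in the authorize URL before the request leaves, so an unencoded fragment never reaches the server. The authorize endpoint host is a placeholder, not a real tenant.

```python
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample values taken from the thread: the app's fragment-based
# login route and the percent-encoded variant that was accepted at registration.
FRAGMENT_URI = "https://example.com/#/users/sign-in"
ENCODED_URI = "https://example.com/%23/users/sign-in"
AUTHORIZE = "https://example.okta.com/oauth2/v1/authorize"  # placeholder tenant


def registration_error(uri: str) -> Optional[str]:
    """Client-registration check (hypothetical provider logic modelled on
    RFC 6749 s3.1.2): the URI must be absolute and carry no fragment.
    Returns an error message, or None if the URI is acceptable."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return "redirect URI must be absolute"
    if parts.fragment or uri.endswith("#"):
        return "redirect URI must not contain a fragment identifier"
    return None


def redirect_uri_allowed(requested: str, registered: List[str]) -> bool:
    """Authorization-request check: exact string comparison against the
    registered list. Exact matching is what stops an authorization code
    from being redirected to a look-alike host or an unregistered path;
    it also means '%23' and a literal '#' are simply different strings."""
    return requested in registered


def build_authorize_url(redirect_uri: str, encode: bool) -> str:
    """Build the authorize URL either with proper query encoding or by naive
    string concatenation, as a client might do by mistake."""
    if encode:
        return AUTHORIZE + "?" + urlencode(
            {"client_id": "CLIENT_ID", "redirect_uri": redirect_uri})
    return AUTHORIZE + "?client_id=CLIENT_ID&redirect_uri=" + redirect_uri


def param_seen_by_server(authorize_url: str) -> Optional[str]:
    """What the authorization server actually receives as redirect_uri.
    The browser never transmits the fragment, so anything after the first
    unencoded '#' in the authorize URL is gone before the query is parsed."""
    query = urlsplit(authorize_url).query
    return parse_qs(query).get("redirect_uri", [None])[0]
```

Running the checks against the thread's two URIs shows the literal-`#` form rejected at registration, the encoded form accepted there but never matching a request that decodes to a real `#`, and the naive unencoded authorize URL delivering only `https://example.com/` to the server.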