Using Okta as a OpenID to SAML bridge

Hello,

We have an application which can integrate with Okta to enable OpenID logins. We have also configured Okta to allow logins via SAML to enable SSO federation with our ADFS system.

I understand that it is possible to ‘bridge’ between the two using Okta, so that we can enable SAML SSO logins to the OpenID application (with Okta in the middle). I see there is a previous post which originally discussed a similar but reverse situation, and the question was subsequently asked about doing it the same way I need to do it.

However the post didn’t provide much detail, and I am struggling to get this working. Should it be possible to do this? If so, is it possible to get some suggestions about how to do it?

Thanks

Hi @simonl

After you have set up the SAML IDP in Okta, please expand the idp and copy the IdP’s ID, for example

[image]

Once the IdP ID is copied, please follow the same steps as in the previous topic to configure the OIDC application (step 2.1), adding the SAML IDP’s ID in the {idp} section of the final URL.

OK thanks - I think we’re making progress.

However, next question - when the login is initiated from outside the app (i.e. from Okta), it requires the ‘initiate login URI’ in Okta to be set to the following:

https://example.com/#/users/sign-in

If I set this in the Okta app, then use the final URL to initiate login via the IDP and with the above URI set as the ‘redirect_uri’, I get a 400 error from Okta:

“The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings”

OK, so I go into the Okta app and set this URI as one of the login redirect URIs. However it tells me ‘The redirect URIs must not contain a fragment identifier.’ I presume it doesn’t like the ‘#’. If I set the URI as ‘https://example.com/%23/users/sign-in’, it accepts it. If I then try to initiate logins with this modified URI as the redirect URI, it still fails with ‘The ‘redirect_uri’ parameter must be an absolute URI that is whitelisted in the client app settings’. As far as I can tell, the URI in the URL and the URI set as a redirect URI in Okta are the same.

Is there any reason why this won’t work? Thanks
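An added example, not code from this thread or from Okta, showing the two mechanics the posts above touch: the `idp` query parameter on Okta's `/oauth2/v1/authorize` endpoint (the "final URL" the earlier reply refers to, which routes the user straight to the SAML IdP whose ID was copied), and the `redirect_uri` rules from RFC 6749 section 3.1.2 that produce both error messages quoted above. A registered redirect URI must be absolute and must not contain a fragment, and the value on the wire is compared with the registered list by simple string comparison after one round of query-string decoding. The Okta domain, client ID and IdP ID are placeholders; the case where a hand-built URL carries `%23` unencoded is an assumption about how the failing request might have been constructed, since the thread does not show it.

```python
"""Added example (not from the forum thread or Okta): redirect_uri validation
as an OAuth 2.0 authorization server performs it, plus an Okta authorize URL
that targets one SAML IdP via the `idp` parameter."""
from __future__ import annotations

from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders, not values from the thread: Okta org domain, OIDC client ID and
# the SAML IdP ID copied from the Okta admin console.
OKTA_DOMAIN = "dev-000000.okta.com"
CLIENT_ID = "0oa-example-client-id"
SAML_IDP_ID = "0oa-example-idp-id"


def build_authorize_url(redirect_uri: str, state: str, nonce: str) -> str:
    """Authorize URL for the Okta org authorization server, routed to one IdP.
    Every parameter is percent-encoded exactly once by urlencode, so a '#' or
    a '%' inside redirect_uri survives the server's decoding unchanged."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "idp": SAML_IDP_ID,  # Okta-specific: skip IdP discovery, go to this IdP
    }
    return f"https://{OKTA_DOMAIN}/oauth2/v1/authorize?{urlencode(params)}"


def is_registrable(uri: str) -> tuple[bool, str]:
    """RFC 6749 s3.1.2: a redirect endpoint URI must be absolute and must not
    include a fragment component. This is the check behind the
    'must not contain a fragment identifier' message when registering."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return False, "not an absolute URI"
    if parts.fragment:
        return False, "redirect URI must not contain a fragment identifier"
    return True, "ok"


def redirect_uri_as_seen_by_server(authorize_url: str) -> str:
    """The value the server compares: the redirect_uri query parameter after
    one round of percent-decoding. Note that parse_qs decodes '%23' to '#'."""
    query = urlsplit(authorize_url).query
    return parse_qs(query)["redirect_uri"][0]


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """RFC 6749 s3.1.2.3: compare with registered URIs character for character.
    No normalisation, so 'https://example.com/#/x' and
    'https://example.com/%23/x' are different strings and never match."""
    return requested in registered


if __name__ == "__main__":
    registered = ["https://example.com/%23/users/sign-in"]
    print(is_registrable("https://example.com/#/users/sign-in"))
    # Properly encoded request: server sees %23, exact match succeeds.
    good = build_authorize_url(registered[0], "state-1", "nonce-1")
    seen = redirect_uri_as_seen_by_server(good)
    print(seen, redirect_uri_allowed(seen, registered))
    # Hand-built request with %23 left unencoded: server decodes it to '#'
    # and the 'must be an absolute URI that is whitelisted' check fails.
    hand = (f"https://{OKTA_DOMAIN}/oauth2/v1/authorize?client_id={CLIENT_ID}"
            "&redirect_uri=https://example.com/%23/users/sign-in")
    seen = redirect_uri_as_seen_by_server(hand)
    print(seen, redirect_uri_allowed(seen, registered))
```

The practical check this suggests: look at the raw query string of the request that fails and decode `redirect_uri` once by hand; if the decoded value differs from what is registered in the Okta app, even by one character such as `#` versus `%23`, the authorization server rejects it as not whitelisted.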

Hi @dragos, I have the same scenario and followed the steps mentioned here, and it’s working fine. I have one minor issue and it would be helpful if you could help me to resolve it. Let me explain the issue.

In my case, Azure AD is my IDP and I have used Okta as a bridge to connect my SAML application to Azure AD. When the application sends SAML login request, Okta correctly redirects to AzureAD login page and after login Okta creates and sends the SAML response to my application and all works fine.

But when my application sends a force login request (in the SAML request, force auth is true; I am using this for logout purposes) I am seeing the Okta login instead of the Azure AD login page. May I know why it goes to the Okta login page? It happens only for force-auth SAML requests.

Note, I have configured routing rules to point to AzureAD identity provider. Also enabled the Honor Force Authentication settings in Okta application.
Am I missing some settings, or is this the expected behavior? Please help me, thanks.