Menu
We are a Service Provider who has SAML enabled our app to allow for IdPs to authenticate users for us. To make sure everyone is on the same page
More information on federated identity here: http://developer.okta.com/docs/guides/saml_guidance.html
We are currently only using Okta as an IdP, but have run into a situation where we need to integrate with a separate IdP. We would like to have our app only communicate with Okta and have Okta deal with talking to this separate IdP and validating their assertions. Due to our particular use case, our app knows what underlying IdP should be used, so no need for IdP Discovery.
We would like to configure Okta so that the authentication flow is as follows:
Our app redirects the user to an endpoint in Okta indicating to use the underlying IdP for authentication
Okta and the underlying IdP do whatever necessary to authenticate the user and validate the authentication
Our app gets a single response (via HTTP-POST) to our ACS endpoint authenticating the user, signed by Okta
From the end user perspective, they navigate to service-provider.com, are redirected through Okta to underlying-idp.com, perform the necessary authentication, and then are redirected back to service-provider.com. The end user is unaware of the middle Okta layer, with the possible exception of an Okta URL briefly appearing in the browser address bar during redirects.
So far, we have been able to set up Inbound SAML in our Okta instance so that users can be authenticated in Okta via the underlying IdP. We have our app redirect to the endpoint given in the Inbound SAML configuration page with the SAMLRequest, but this brings users to an Okta dashboard since the link is just for authenticating users in Okta, not to authenticate users for a SP using Okta. See our relevant configuration:
How can we configure Okta so that our use case is possible? Ideally, we would like Okta to serve as a middleman or mediator, checking and passing along SAML requests/assertions. Specifically, we don’t need these users to be authenticated Okta users necessarily; we just need Okta to assert the user is who they say they are based on the underlying IdP’s assertion.
539
In the Administration Console of your IAS, navigate to ‘Applications & Resources’ then click on the ‘Applications’ tab and configure an application or choose an existing one. Option A: Click on the ‘Conditional Authentication’ option on the ‘Trust’ tab of your application. Set your Okta as ‘ Default Identity Provider ‘.
Note: in Okta there is no predefined Identity Authentication application, you have to create and configure it manually. For more information about configuration on the Okta side, refer to official Okta documentation: Create a SAML integration using AIW (Application Integration Wizard).
In Okta navigate to the ‘Sign On’ tab, then cl ick the ‘Identity Provider metadata’ hyperlink to download the metadata in .xml format. In this scenario, the Identity Authentication acts as a proxy to delegate the authentication to the corporate identity provider.
OKTA checks for the external user information in the SAML assertion and sends these details to Custom API application to identify the user OKTA will initiate the PKCE flow to provide access to the custom application
Kinda sounds like you need the IdP Discovery capability that Okta has on the roadmap later this year combined with their inbound SAML setup with relationships with the other IdP. I believe it's possible to sort of implement this with a custom login page. They've mentioned doing this with professional services, but personally I'd feel a lot better about it when they've built IdP discovery into the platform.
178
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
