Okta IDP Initiated RelayState
Can anyone tell me how to pass RelayState for an IDP initiated SSO connection? We have the SSO working but would like to deep link to a page within the service provider's application. They have instructed us on the RelayState to pass but I can't figure out how to format the URL for Okta. We are using the app embedded link and would like to append RelayState to the query string.

Prithee answered 17/6, 2016 at 13:22 Comment(0)
To start IdP initiated SAML with Okta you need to use the IdP SSO URL with ?RelayState= appended to the url, not the app embed url.

You can find the IdP SSO URL by clicking "View Setup Instructions" on the Sign On tab for the application in the admin console.

An example (don't forget to URL encode the query string): https://thomas-kirk.oktapreview.com/app/salesforce/kqk5e18ZGRXWPQXOCNBQ/sso/saml?RelayState=%2F_ui%2Fcore%2Fchatter%2Fui%2FChatterPage

Unpaidfor answered 20/6, 2016 at 13:6 Comment(2)
I guess you meant "appended TO the app embed url". BTW, that's mostly the case. Sometimes, you'd have to use Firefox and SAML Tracer to retrieve the actual SAML url Okta uses (it's not always the app embed url) and that url usually ends with "/sso/saml". If your app embed url does not end with "/sso/saml", I suggest the use of SAML Tracer to verify the "real" url Okta uses (the app embed url or another url the app embed url redirects to). – Alas
@RaphaelLondner thanks for the typo correction! Also, I think the typo caused confusion in what I was suggesting. If the app is SAML there should always be an IdP SSO URL viewable by clicking "View Setup Instructions" on the Sign On tab for the application in the admin console. I am not suggesting use of the app embed url. If it isn't listed there (for whatever reason), you are correct in using a network trace to discover the url. – Unpaidfor
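As an added example (not code from the answer above or from Okta), the following shows how the IdP-initiated URL in this answer is assembled with a percent-encoded RelayState, and how a service provider can check the RelayState it gets back before redirecting to it. The tenant, app id and deep link are the constructed ones quoted in the answer; `is_safe_relay_state` is a hypothetical SP-side helper.

```python
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values taken from the example URL in the answer above.
IDP_SSO_URL = "https://thomas-kirk.oktapreview.com/app/salesforce/kqk5e18ZGRXWPQXOCNBQ/sso/saml"
DEEP_LINK = "/_ui/core/chatter/ui/ChatterPage"


def build_idp_initiated_url(idp_sso_url: str, relay_state: str) -> str:
    """Append ?RelayState=<percent-encoded deep link> to the IdP SSO URL.

    quote() with safe="" encodes every reserved character, including "/",
    which is why the example in the answer shows %2F rather than "/".
    """
    if "?" in idp_sso_url:
        raise ValueError("IdP SSO URL already carries a query string")
    return f"{idp_sso_url}?RelayState={quote(relay_state, safe='')}"


def extract_relay_state(url: str) -> Optional[str]:
    """Recover the decoded RelayState value from a built URL (None if absent)."""
    values = parse_qs(urlsplit(url).query).get("RelayState")
    return values[0] if values else None


def is_safe_relay_state(relay_state: str) -> bool:
    """Hypothetical SP-side check: accept only a root-relative, same-site path.

    The SP redirects the browser to RelayState after consuming the assertion,
    so absolute URLs, scheme-relative "//host/..." values, backslashes and
    control characters are rejected and only paths like "/reports?id=7" pass.
    """
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return False
    if "\\" in relay_state or any(ord(c) < 0x20 for c in relay_state):
        return False
    parts = urlsplit(relay_state)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    url = build_idp_initiated_url(IDP_SSO_URL, DEEP_LINK)
    print(url)
    received = extract_relay_state(url)
    print(received, "->", "accepted" if is_safe_relay_state(received) else "rejected")
```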
For IdP initiated SSO (where you log in to the IdP first, then access the SP), you can modify the RelayState under General SAML settings, like so: [image: edit default relaystate for IdP initiated SSO]

Note the app embed url is for IdP initiated SSO only; it shouldn't be used as the IdP SSO URL for SP initiated SSO.

When a user accesses the SP directly (without logging in to the IdP first), it starts an SP initiated SSO. That's where you can append ?RelayState=your_deep_link to the IdP SSO URL, so that after you log in on the IdP, it returns the deep link back to the SP for you to redirect to.

And like @Thomas Kirk said, "you can find the IdP SSO URL by clicking "View Setup Instructions" on the Sign On tab for the application in the admin console."

Vestige answered 2/5, 2017 at 18:47 Comment(2)
What happens to the relayState set by the SP in the SP-Initiated SSO flow if Okta sets it? Does it just get reset to null? (newbie disclaimer -- I'm learning about how deep links work with SAML right now) – Incantatory
The "Default Relay State" set by Okta won't affect the relayState set by SP in SP-Initiated SSO flow. – Vestige