Configuring the Okta Template WS Federation Application
Okta provides a WS-Federation template app through which you can create WS-Fed enabled apps on demand.
When using this template application, Okta acts as the IdP (identity provider) and the target application is the SP (service provider).
For WS-Fed, Okta (acting as the IdP) supports SP-initiated authentication. The following is the authentication flow:
There is additional configuration required on the target app (SP) with which you are configuring WS-Fed. Okta provides this information in our WS-Fed app instructions (accessible from the Sign on tab in the WS-Fed app screen). The instructions contain the realm, the issuer, and the passive URL (normally needed only for the SP-initiated flow mentioned above); exactly what is required is app dependent. We recommend you check with your SP vendor to see whether turning on WS-Fed is an all-or-nothing feature.
The realm name must be unique for the IdP. Not all relying parties support a generated endpoint that is unique per relying party. The WS-Federation Template App supports two realm modes.
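The following is an added example, not Okta's own code, showing what the SP side does with the three values from the instructions: it builds the SP-initiated sign-in request against the passive URL using the standard WS-Federation passive requester parameters, and checks that the returned SAML assertion names the expected issuer (the app instance key) and is addressed to the configured realm. The realm, issuer and passive URL values and the sample response are constructed placeholders; the check handles both SAML 1.1 and SAML 2.0 assertions, which goes slightly beyond the text.

```python
# Added example, not Okta's code: SP-side helpers for the SP-initiated WS-Fed flow. Builds
# the passive sign-in request and checks issuer/audience of the returned SAML assertion.
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Constructed placeholders for the realm, issuer (app instance key) and passive URL taken
# from the Okta WS-Fed app instructions; the value formats here are assumptions.
REALM = "urn:example:sp-realm"
ISSUER = "http://www.okta.com/EXAMPLE_APP_INSTANCE_KEY"
PASSIVE_URL = "https://example.okta.com/app/template_wsfed/EXAMPLE/sso/wsfed/passive"
NS = {"saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_signin_url(passive_url, realm, reply_url, context=None):
    """SP-initiated request using the standard WS-Fed passive requester parameters."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wreply": reply_url}
    if context:
        params["wctx"] = context  # opaque SP state, echoed back by the IdP
    return passive_url + "?" + urlencode(params)

def _issuer_and_audiences(root):
    """Return (issuer, audiences) from a SAML 1.1 or SAML 2.0 assertion, else (None, [])."""
    a = root.find(".//saml1:Assertion", NS)
    if a is not None:  # SAML 1.1: Issuer is an attribute of the Assertion element
        auds = a.findall(".//saml1:AudienceRestrictionCondition/saml1:Audience", NS)
        return a.get("Issuer", ""), [x.text for x in auds]
    a = root.find(".//saml2:Assertion", NS)
    if a is not None:  # SAML 2.0: Issuer is a child element
        auds = a.findall(".//saml2:AudienceRestriction/saml2:Audience", NS)
        return a.findtext("saml2:Issuer", default="", namespaces=NS), [x.text for x in auds]
    return None, []

def validate_assertion(rstr_xml, expected_issuer, expected_realm):
    """Issuer/audience check only; the token signature must also be verified (not shown)."""
    issuer, audiences = _issuer_and_audiences(ET.fromstring(rstr_xml))
    if issuer is None:
        return False, "no SAML assertion in response"
    if issuer != expected_issuer:
        return False, "unexpected issuer: " + issuer
    if expected_realm not in audiences:
        return False, "assertion not addressed to realm " + expected_realm
    return True, "issuer and audience match"

SAMPLE_RSTR = (  # constructed sample RSTR carrying an unsigned SAML 1.1 assertion
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken><saml:Assertion Issuer="' + ISSUER + '" '
    'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions>'
    '<saml:AudienceRestrictionCondition><saml:Audience>' + REALM + '</saml:Audience>'
    '</saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion>'
    '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>')
```

A token whose issuer is not this app instance's key, or whose audience is another realm, is rejected before any attribute in it is used.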
In both configurations, the issuer of the SAML Assertion is always the app instance key; for example
Configuring Template WS-Fed
The first thing you'll need to do is to add the Template WS-Fed app to your org. You must add the private app first as a super user.
Configuring WS-Fed in the Target Application (SP)
For WS-Fed to work, you must perform some additional steps in the target application (SP).
Note: We recommend that you call the vendor for your SP and determine whether enabling SAML is an all-or-nothing option. Okta provides all of the configuration information you need to enter in the target SP.
To access this information, do the following:
Assign a user to the app and verify that they are able to authenticate successfully.