Benjamin Mullen

Okta as a Service Provider - how to redirect users after IDP sign in

We have a 3rd party IDP hooked up to Okta, so Okta is both SP to that IDP and the IDP for downstream applications. IDP > Okta > apps

When signing in with the 3rd party IDP, the user always lands on the Okta homepage. Is there a way to pass a redirect URL so that when one of our users requests authentication to a downstream app and logs in via the IDP, Okta redirects them appropriately after login?
Best Answer chosen by Benjamin Mullen
Benjamin Mullen
Just got a hold of IDP Discovery functionality in our preview environment. This will solve the issue perfectly.

Fingers crossed for a quick path to production release.

All Answers

HenkJan de Vries
Hi Benjamin,

I think you're looking for this:

http://saml-doc.okta.com/SAML_Docs/Configure-SAML-2.0-for-Org2Org.html

In short, you need a bookmark app that sends the user to Okta and redirects you with a RELAYSTATE to the app in that Okta.

Another topic was resolved with that info: https://support.okta.com/help/answers?id=9062A000000bmLlQAI&feedtype=SINGLE_QUESTION_DETAIL&dc=Okta_Application_Network&criteria=BESTANSWERS&

Hope it helps,

Regards,
Benjamin Mullen
Thanks, but those sources mention Okta to Okta - our IDP is a 3rd party and using a bookmark to construct a RelayState URL doesn't help us as the users are not yet logged into any Okta org. These users go to an app (downstream SP), get prompted with an Okta login page, but then click a link to go to a 3rd party IDP and log in. That link disrupts the authentication flow, and therefore lands the user back on the Okta homepage after login.

Similar to the topic above, I want to be able to set a RelayState when communicating with the 3rd party IDP, but it doesn't appear that this is in the IDP configuration settings. If I could set a RelayState on the link the user clicks on the Okta login page, it could allow the user to pass through to their desired application. I tried a simple query string parameter, but that doesn't work.
HenkJan de Vries
Are the 2 IDPs federated? Because only then would a RelayState work, and as I'm reading your comment, you have users log into Okta.
Benjamin Mullen
Okta trusts the IDP, it has been configured correctly through the IDP Okta admin screen. We're not having users log into Okta explicitly, but because Okta is the IDP for downstream systems, that is where they land.

If we allow Okta to default to our 3rd party IDP, the scenario works perfectly: the user goes to a downstream app, is redirected to Okta, then to our IDP, which logs into Okta, and then Okta redirects to the target app.

But we're not ready to make this IDP our default, so users get redirected to the Okta login page, at which point we need a method of logging them in through the 3rd party IDP and getting them back to their target application.