https://support.okta.com/help/answers?id=9062a000000quuqqa0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Andrew TrustedPeer

Requestable SSO URLs, from SP perspective

Not seeing any documentation on Requestable SSO URLs, so looking to better understand them:

I have a multi-tenant application which (in a particular case) uses the SAME entityid, with the same IdP. Multiple tenancy is determined by domain name, for example 'abc.example.com', and 'xyz.example.com'.

I want my SSO URLs to differ (i.e., use different domain names) depending on which tenant is making the request. If request originates from 'abc.example.com', my SSO URL is 'https://abc.example.com/saml/sso'

It appears I can do this by setting:
  • 'Audience Restriction' to be my entity id, 'example.com',
  • SSO URL to 'https://abc.example.com/sam/sso', 
  • enable "Allow this app to request other SSO URLs"
  • add to Requestable SSO URLs, 'https://xyz.example.com/saml/sso'
Then in my request, I set entity id to 'example.com' -- for both of my domains -- and set service.sp.endpoints.assertion_consumer_service to 'https://abc.example.com/saml/sso' for one domain, and 'https://xyz.example.com/saml/sso' for the other domain.

While each of the two requestable SSO URLs must have different index values, it does not appear I need to do anything about specifying an index in the request. Right?

What is the purpose of the Index? For IdP-initiated login, how does IdP / Okta "know" which URL to use by default?

 
Best Answer chosen by Andrew TrustedPeer
Alexandru Preda (Okta, Inc.)
Hi Andrew,

The request for a specific ACS URL can be done directly via requesting the URL in the request you send or by requesting the Index for the URL, as some vendors do not support request by URL.

The request of a specific ACS URL is only done in an SP initiated flow, as in the IDP initiated flow the default URL used will be the Single sign on URL defined in your application.

Thank You,

Alexandru Preda
Technical Support Engineer
Okta Global Customer Care
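
A simplified model of the ACS selection discussed in this thread, added here as an illustration; it is not part of the original posts and is not Okta's implementation. It shows why a requested URL or index only resolves when it is registered, and why an IdP-initiated login falls back to the default. The index values 0 and 1, the issuer check and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed app settings mirroring the question's setup (not an Okta export).
APP = {
    "audience": "example.com",                           # SP entity id
    "default_acs": "https://abc.example.com/saml/sso",   # "Single sign on URL"
    "requestable": {                                     # assumed index -> URL
        0: "https://abc.example.com/saml/sso",
        1: "https://xyz.example.com/saml/sso",
    },
}

def authn_request(acs_url=None, acs_index=None, issuer="example.com"):
    """Build a minimal, unsigned AuthnRequest (constructed sample input)."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": "_constructed1", "Version": "2.0"})
    if acs_url is not None:
        req.set("AssertionConsumerServiceURL", acs_url)
    if acs_index is not None:
        req.set("AssertionConsumerServiceIndex", str(acs_index))
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")

def resolve_acs(app, request_xml=None):
    """Return the ACS URL an assertion would be posted to, or raise ValueError."""
    if request_xml is None:              # IdP-initiated: no request, use default
        return app["default_acs"]
    req = ET.fromstring(request_xml)
    if req.findtext(f"{{{SAML}}}Issuer") != app["audience"]:
        raise ValueError("unknown issuer")
    url = req.get("AssertionConsumerServiceURL")
    idx = req.get("AssertionConsumerServiceIndex")
    if url is not None and idx is not None:
        raise ValueError("URL and index are mutually exclusive in SAML 2.0")
    if url is not None:                  # request by URL: exact match only
        if url not in app["requestable"].values():
            raise ValueError("ACS URL not registered")
        return url
    if idx is not None:                  # request by index
        if not idx.isdigit() or int(idx) not in app["requestable"]:
            raise ValueError("ACS index not registered")
        return app["requestable"][int(idx)]
    return app["default_acs"]            # SP-initiated, nothing requested
```

The exact-match check on the requested URL is what keeps an assertion from being posted to an endpoint the application owner never registered.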