Benjamin Eidelman 

SAML response Issuer ID

I notice the SAMLResponses Okta POSTs to our app always have the same Issuer (<saml2:Issuer ... >), regardless of which was the original IdP where the user authenticated.

Is there a way to figure out the original IdP from a SAMLResponse we receive?

We need to be able to distinguish which was the original IdP, as our application supports multiple IdPs associated with different users.

Darron Hellmann (Okta)
Hi Ben

You should be able to determine the origin of an application by its metadata information or SAML response. An example is the entity or external ID...

<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"></saml2:Issuer>

Benjamin Eidelman

I'm not trying to identify the application though. My application supports multiple IdPs, because different users use different IdPs for the same application.

Okta proxies to all those IdPs, so to our app there's 1 SAML IdP, Okta's. That's very helpful because then we only need to verify signature against Okta's public certificate.
But we need to verify user (NameID) matches the original IdP (otherwise a rogue IdP could be lying about having a user that exists in another IdP).

Our app receives (in a POST) Okta's SAMLResponse that has Okta's Issuer ID (which is the same regardless of the user's used IdP), and nothing else in the SAMLResponse seems to allow identifying which was the original IdP where the user logged in.

For example, if there were a way for Okta to give us the original IdP Issuer (or any other ID we can set) in the RelayState (or any extra attribute in the SAML assertion we receive), it would be enough. Is there any way to ask Okta to forward us data from the original IdP SAMLResponse (like Issuer/IdP ID)?
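The check the thread is circling around, that the user in the NameID belongs to the IdP that actually authenticated them, is something the relying party has to enforce itself once the proxy's signature has been verified. The following is an added example, not code from Okta or from the original poster's application. It assumes that signature verification against Okta's certificate has already passed, that the upstream IdP's entity ID arrives in an assertion attribute named originalIdp (a name chosen for this example; the thread does not establish that Okta exposes such an attribute or what it would be called), that NameID is an e-mail address, and that the app keeps a table mapping each e-mail domain to the single IdP entitled to assert users of that domain. The Okta issuer string and IdP URLs are constructed placeholders.

```python
"""Bind a SAML NameID to the upstream IdP allowed to assert it.

Hypothetical example: not Okta's code, not the original poster's app.
Assumptions (all made up here):
  - XML signature verification against Okta's certificate already passed.
  - Okta forwards the upstream IdP's entity ID in an assertion attribute
    named "originalIdp" (name chosen for this example).
  - NameID is an e-mail address; the app maps e-mail domain -> allowed IdP.
For real deployments parse with defusedxml rather than the stdlib parser.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder proxy issuer; the real value comes from Okta's metadata.
OKTA_ISSUER = "http://www.okta.com/PLACEHOLDER_ISSUER_ID"

# Policy table (constructed): which upstream IdP may assert which domain.
DOMAIN_TO_IDP = {
    "alpha.example": "https://idp.alpha.example/saml",
    "beta.example": "https://idp.beta.example/saml",
}


def parse_response(xml_text):
    """Return (issuer, name_id, original_idp) from a SAML Response document."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml2:Issuer", namespaces=NS)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
    original_idp = None
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == "originalIdp":  # assumed attribute name
            original_idp = attr.findtext("saml2:AttributeValue", namespaces=NS)
    return issuer, name_id, original_idp


def authorize(xml_text):
    """Accept only if the originating IdP is the one allowed for the NameID's domain.

    Returns (True, name_id) on success, (False, reason) otherwise.
    """
    issuer, name_id, original_idp = parse_response(xml_text)
    if issuer != OKTA_ISSUER:
        return False, "unexpected proxy issuer"
    if not name_id or "@" not in name_id:
        return False, "NameID is not an e-mail address"
    domain = name_id.rsplit("@", 1)[1].lower()
    expected = DOMAIN_TO_IDP.get(domain)
    if expected is None:
        return False, "domain not enrolled"
    if original_idp != expected:
        # This is the case the thread worries about: an IdP asserting a user
        # whose domain belongs to a different IdP.
        return False, "NameID domain does not match originating IdP"
    return True, name_id


def build_response(name_id, original_idp):
    """Construct a minimal unsigned Response for the example (constructed input)."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}">
  <saml2:Issuer>{OKTA_ISSUER}</saml2:Issuer>
  <saml2:Assertion>
    <saml2:Issuer>{OKTA_ISSUER}</saml2:Issuer>
    <saml2:Subject><saml2:NameID>{name_id}</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="originalIdp">
        <saml2:AttributeValue>{original_idp}</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


if __name__ == "__main__":
    ok = build_response("alice@alpha.example", "https://idp.alpha.example/saml")
    bad = build_response("alice@alpha.example", "https://idp.beta.example/saml")
    print(authorize(ok))
    print(authorize(bad))
```

The policy table is the part that matters: whatever signal carries the upstream IdP (an attribute, the RelayState, or a per-IdP entry point), the app must compare it against what it expects for that user rather than trusting the NameID alone, because the proxy's signature only proves the response came through Okta, not which IdP vouched for the user.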