Okta SAML Relay State Processing On External Webapp
Context: an external on-premise web app (launched inside the Customer Portal) is declared as a SAML RP on an Okta tenant, and the Okta tenant is itself declared as an SP in an external IdP federated scenario.
So the user flow is: Intranet Portal (launch web app via IdP-initiated shortcut) --> External IdP (OK) --> Okta SP (OK) --> External WebApp (KO)
Because the Customer Web Portal is integrated with WIA SSO, IdP-initiated is required, and because it is the Customer Web Portal, we don't want a second (Okta) portal to be launched.
The IdP-initiated URL is: https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252Fabcdefgh%26RelayState%3Dhttps%253A%252F%252Fmywebserver.mydomain.com%252Fmywebapp%252F
Okta behaviour: the final web app redirection is always https://mycompany.okta.com/mywebapp/?fromLogin=true (with HTTP 404) instead of https://mywebserver.mydomain.com/mywebapp/
https://mywebserver.mydomain.com/mywebapp/ is also declared as the Default Relay State in the Okta SAML app settings, without effect.
Notes:
- Relay State processing (inside Okta) only on the relative path /mywebapp
- Embedded application link (without federation, but with Okta as IdP and SP) is working
- https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252Fabcdefgh is working (as indicated, it opens only the Okta user portal)
- autostart app (new browser tab) is working
- don't want to use an app bookmark because
How to configure the Okta SP RelayState for an external RP (web app)? I haven't found anything on that.
This type of issue would be best investigated via Okta support. If you'd like us to take a look, feel free to open a support case and include a Fiddler trace and a SAML trace of your attempted flow. With this information we can better analyze the complete flow and determine where the issue is.
Hello, I finally ended up solving this question. After analyzing Okta's processing of the RelayState application parameter in the query string, it appears that only the relative path is taken into account. On the other hand, several items in this forum indicate the possibility of creating a bookmark (?). This link https://support.okta.com/help/Documentation/Knowledge_Article/27685638-Simulating-an-IDP-initiated-Flow-with-the-Bookmark-App also indicates this possibility (in my use case?), but basically without clearly explaining how to integrate it.
The solution consists in encoding the relative path of the bookmark application in the last parameter of the RelayState. In my case: https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252Fabcdefgh%26RelayState%3D%2Fhome%2Fbookmark%2F0oaybkjeabcdefg%2F2557
Reminder: this topic is not anecdotal; it is very structuring in my scenario, with external web app links inside intranet portals and multiple IdP configurations.
Now I have to do the same in the other direction: Okta as IdP with an external SP......
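As an added worked example (not code from the thread, from Okta or from Microsoft), the nested RelayState layout used above, built and unpacked programmatically: the inner query string `RPID=...&RelayState=...` is percent-encoded once per value, then encoded a second time as the value of the outer `RelayState` parameter of `idpinitiatedsignon.aspx`. The host names, SP identifier and bookmark path are the placeholders from the thread; `okta_relay_target` is only a model of what the reporter observed (the path of the inner RelayState survives, the host does not), not documented Okta behaviour; `is_relative_relay_state` is the check a practitioner would apply before handing a RelayState to any SP, since an absolute URL in that field is also the classic open-redirect vector.

```python
"""
Build and unpack the nested RelayState that AD FS idpinitiatedsignon.aspx
carries when AD FS is only one hop in a chain (Portal -> AD FS -> Okta -> app).

Added example for this thread; not Okta's or Microsoft's code. Host names,
the RPID and the bookmark path are the placeholders used in the thread.
"""
from urllib.parse import parse_qs, quote, urlencode, urlparse


def build_adfs_idp_initiated_url(adfs_host: str, rpid: str, relay_state: str) -> str:
    """Return the AD FS IdP-initiated URL carrying RPID plus an inner RelayState.

    Two encoding layers on purpose: the inner query string is built first
    (each value percent-encoded once by urlencode), then the whole string
    becomes the value of the outer RelayState parameter and is encoded again.
    """
    inner = urlencode({"RPID": rpid, "RelayState": relay_state})  # layer 1
    outer = quote(inner, safe="")                                  # layer 2
    return f"https://{adfs_host}/adfs/ls/idpinitiatedsignon.aspx?RelayState={outer}"


def parse_adfs_relay_state(url: str) -> dict:
    """Strip both layers and return {'RPID': ..., 'RelayState': ...}."""
    outer = parse_qs(urlparse(url).query).get("RelayState", [""])[0]  # layer 2 off
    inner = parse_qs(outer)                                            # layer 1 off
    return {key: values[0] for key, values in inner.items()}


def is_relative_relay_state(relay_state: str) -> bool:
    """True only for a local path such as /home/bookmark/<appId>/<n>.

    Absolute URLs, protocol-relative //host paths and bare schemes are
    rejected. This is what the thread found works on the Okta side, and it
    is also the usual guard against RelayState being used as an open redirect.
    """
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return False
    parsed = urlparse(relay_state)
    return parsed.scheme == "" and parsed.netloc == ""


def okta_relay_target(okta_org: str, relay_state: str) -> str:
    """Model of the redirect the thread reports: only the path component of
    the inner RelayState is kept and it is resolved against the Okta org URL.
    (The thread also saw '?fromLogin=true' appended; the model omits that.)
    This reproduces the reporter's observation, not documented Okta behaviour.
    """
    path = urlparse(relay_state).path or "/"
    return okta_org.rstrip("/") + path


if __name__ == "__main__":
    ADFS = "idpserver.mydomain.com"
    OKTA_SP = "https://www.okta.com/saml2/service-provider/abcdefgh"
    OKTA_ORG = "https://mycompany.okta.com"
    for target in (
        "https://mywebserver.mydomain.com/mywebapp/",  # what failed in the thread
        "/home/bookmark/0oaybkjeabcdefg/2557",         # what worked
    ):
        url = build_adfs_idp_initiated_url(ADFS, OKTA_SP, target)
        print(url)
        print("  unpacked:      ", parse_adfs_relay_state(url))
        print("  relative path? ", is_relative_relay_state(target))
        print("  lands on:      ", okta_relay_target(OKTA_ORG, target))
```

Run it once with the absolute app URL and once with the bookmark path: both parse back to the values that went in, but only the bookmark path passes `is_relative_relay_state`, and the model shows why the absolute URL ends up on `https://mycompany.okta.com/mywebapp/` rather than on the external web server.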