ADMIN FDJ - Gilles Morieux - SOGETI

Okta SAML Relay State Processing On External Webapp

Hello,

Context : External On Premise WebApp (launch inside Customer Portal) declared as SAML RP on Okta tenant declared as SP with external IDP 
Federated scenario

So user flow is :
Intranet Portal (launch webapp idp initiated shortcut) --> External IDP (OK)--> Okta SP (OK) ---> External WebApp (KO)

Because Web Customer Portal Integration with WIA SSO, IDP Initiated is required.
Because Web Customer Portal, don't want second (Okta) Portal to be launched.

idp-initiated url is :
https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252abcdefgh%26RelayState%3Dhttps%253A%252F%252Fmywebserver.mydomain.com%252Fmywebapp%252F

Okta Behaviour : 
Final webapp redirection is always https://mycompany.okta.com/mywebapp/?fromLogin=true (with http 404)
instead of https://mywebserver.mydomain.commy/mywebapp/

https://mywebserver.mydomain.commy/mywebapp/ is also declared as Default Relay State in the Okta SAML App Settings, without effect.

Notes:
- Relay State processing only (inside Okta) on relative path /mywebapp
- Embedded application Link (without federation but with Okta IDP and SP) is working 
- https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252abcdefgh is working (as indicated, opening only the Okta user portal)
- autostart app (new browser tab) is working 
- don't want to use app bookmark because 

How to configure Okta SP Relaystate for external RP (webapp) ?
Not found anything on that 

Thanks 
Gilles M. 
James Flores (Okta, Inc.)
Hi Gilles,

This type of issue would be best investigated via Okta support. If you'd like us to take a look, feel free to open a support case and include a Fiddler trace and SAML trace of your attempted flow. With this information we can better analyze the complete flow and determine where there is an issue.
ADMIN FDJ - Gilles Morieux - SOGETI
Hello,
I finally ended up solving this question.
After analyzing Okta's processing of the RelayState application parameter in the query string, it appears that only the relative path is taken into account.
On the other hand, several items in this forum indicate the possibility of creating a bookmark (?).
This link https://support.okta.com/help/Documentation/Knowledge_Article/27685638-Simulating-an-IDP-initiated-Flow-with-the-Bookmark-App
also indicates this possibility (in my use case?) but basically without clearly explaining how to integrate it.

The solution consists in encoding the relative path of the bookmark application in the last parameter of relaystate.
In my case :
https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252Fabcdefgh%26RelayState%3D%2Fhome%2Fbookmark%2F0oaybkjeabcdefg%2F2557

Reminder: this topic is not anecdotal; it is very structuring in my scenario, with external webapp links inside intranet portals and multiple IDP configurations.

Now I have to do the same in the other direction: Okta as IDP with external SP ......

Regards,
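
The nested RelayState layout used in the URLs above, as an added example that is not part of the original thread and not Okta or ADFS code: it builds and decodes both URL-encoding layers and reports whether the inner target is a relative path, the only form the poster found Okta to take into account. The function names and the relative-path check are assumptions made for illustration; the host names and IDs are the thread's placeholders.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample values, modelled on the placeholders used in the thread.
ADFS_URL = "https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx"
RP_ID = "https://www.okta.com/saml2/service-provider/abcdefgh"


def build_idp_initiated_url(adfs_url, rp_id, target):
    """Nest RPID and the target RelayState inside the outer RelayState."""
    # Layer 1: encode each value on its own.
    inner = "RPID=" + quote(rp_id, safe="") + "&RelayState=" + quote(target, safe="")
    # Layer 2: encode the whole inner string, so '=' and '&' become %3D and %26
    # and every '%' produced by layer 1 becomes %25.
    return adfs_url + "?RelayState=" + quote(inner, safe="")


def decode_relay_state(url):
    """Undo both layers and return (rp_id, target)."""
    outer = parse_qs(urlsplit(url).query)["RelayState"][0]
    inner = parse_qs(outer)
    return inner["RPID"][0], inner.get("RelayState", [""])[0]


def is_relative_path(target):
    """True only for a same-host path such as /home/bookmark/<id>/<n>."""
    parts = urlsplit(target)
    return (parts.scheme == "" and parts.netloc == ""
            and target.startswith("/") and "\\" not in target)


def check(url):
    """Decode a full IdP-initiated URL and classify its inner target."""
    rp_id, target = decode_relay_state(url)
    return rp_id, target, is_relative_path(target)


if __name__ == "__main__":
    for target in ("https://mywebserver.mydomain.com/mywebapp/",
                   "/home/bookmark/0oaybkjeabcdefg/2557"):
        url = build_idp_initiated_url(ADFS_URL, RP_ID, target)
        print(url)
        print("  ->", check(url))
```

The builder double-encodes the inner target as well, whereas the working URL in the thread encodes it once; both decode to the same path.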