How to use Okta IdP metadata in Service Provider Application
I am trying to integrate my spring-framework based application with Okta. I used SAML2.0 template to create custom saml app in Okta console. On "Sign-On" tab clicked on View Instructions link whcih shows Idp URL, Issuer and X509 certificate. But I do not see the instructions on how to use them on SP side. I followed all instaructions on http://developer.okta.com/code/java/spring_security_saml.html link when I created sample app. Sample App works fine. However I see a difference in Idp metadata URL generated on production Okta environment. The view instruction page shows metadata URL without "metadata" at the end and as per sample app instructions we are supposed to copy the link and paste it in as bean value for "HTTPMetadataProvider" in security xml.
Son on http://developer.okta.com/code/java/spring_security_saml.html , point#10 in section "Configuring Okta.." you ask to copy the link and paste it in security xml file. This link looks like "https://example.okta.com/app/abc0defghijK1lmN23o4/sso/saml/metadata" but in the "View setup instructions" page you do not have "metadata" part in Identity Provider Single Sign-On URL . Which one to follow? For sample app, link with metadata worked. But when I am trying to do integration with Production Okta it is not working. I am getting 404 error when I click on the link and open in browser.
Also , in instructions you have X509 cert details. Where and how do I use it in my custom spring application. Where can I see instructions on that?
Sincere apologies for the late answer, we hope you've been able to fix your issue in the meantime, but in case you didn't, here's the information you are likely looking for:
- The Provider Sign Sign-On URL and the the Provider SAML metadata url are different, although the look alike (hence the confusion you may have felt).
The generic format of the SAML sign-on url is: https://[okta_org_url].okta.com/app/[org_name]_[app_name]_[n]/[app_id]/sso/saml
The generic format of the SAML metadata url is: https://[okta_org_url].okta.com/app/[app_id]/sso/saml/metadata
So although the look alike (they both have the Okta internal app id), they are indeed different and should not be confused.
Hence, to answer your first question, the metadata link you should use in your SAML app should be the the link that appears under the "View Setup Instructions" button, not the SSO Url that appears inside the Instructions page.
To answer the second question, we provide the X509 certificate because some development framework will make it easier if you provide them with a cert file. However, you may have noticed that the X509 certificate value is also available XML metadata that's available in the "Optional" section of the instructions page and that's this XML that frameworks, such as Spring, are able to download automatically from the metadata url you provide them with.
In summary, if you only provide the right metadata url to your Spring-enabled application, you're good to go and you don't have to worry about the X509 certificate because the Spring framework is able to access it from the metadata url.
That said, if you have any issue with your Spring app when use your production Okta organization, please contact our support team by opening a case at https://support.okta.com/help/open_case.