ACS URL from Okta App when added by multiple different Okta clients
https://support.okta.com/help/answers?id=9062a000000bmdiqay&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Brent Gracey

ACS URL from Okta App when added by multiple different Okta clients

I'm trying to fully wrap my head around the scenarios discussed here:

http://developer.okta.com/standards/SAML/#single-idp-vs-multiple-idps

Our platform will be the use case described: " ... many SaaS ISVs needing to integrate with customers’ corporate identity infrastructure. "

My question is about the specific scenario when many of our Platform's clients use Okta as their SAML IdPs.

In order to support clients on our platform who use Okta as their IdP, we will create an Okta Application.

If there are two different clients on our platform, both of which use Okta as their IdP, who both add our Okta Application within their individual Okta accounts - will the ACS URL always be the same for these two Okta clients? Or can our platform provide a unique URL for each Okta client to set when they add our Application within Okta?

Thanks,

Brent

 

Gabriel Sroka (Okta, Inc.)
Hi Brent
If I understand your scenario, that is a choice you can make. In fact, the article you linked to has a paragraph starting with "A key consideration involves the ACSurl endpoint on the SP side where SAML responses are posted" that describes your options.
Thanks,
Gabriel
Brent Gracey

Hi Gabriel

Thank you for your response. If I want separate clients to hit a different ACSurl endpoint on the SP side, and if the end users are managing their SAML IdP in Okta; can a single `Okta Application` (https://www.okta.com/resources/find-your-apps/?tags=SAML) provide different sub-domains on the ACS url?

If so; could you link me to the docs which detail how this is achieved?

 

Thanks

Gabriel Sroka (Okta, Inc.)
Hi Brent
In Okta, each Okta App points to a single ACS URL, see:
https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard#Config_SAMLSettings
So, you could create one App for every ACS URL.

An alternative might be to pass an attribute in the SAML assertion that identifies the client.
Thanks.
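
The two options in the reply above (one ACS URL per client, or a shared ACS URL plus an identifying attribute), sketched from the SP side as an added example that is not part of the original thread or Okta's code. The host names, the `tenant` attribute name, and the issuer values are constructed placeholders, and the sketch assumes a SAML library verifies the XML signature against the selected tenant's certificate before the result is trusted.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SHARED_ACS = "https://sp.example/saml/acs"   # assumed single-endpoint URL
TENANT_ATTR = "tenant"                        # hypothetical attribute name
# Constructed registry: one record per customer IdP (placeholder values).
TENANTS = {
    "acme":   {"acs": "https://acme.sp.example/saml/acs",   "issuer": "http://www.okta.com/ACME_PLACEHOLDER"},
    "globex": {"acs": "https://globex.sp.example/saml/acs", "issuer": "http://www.okta.com/GLOBEX_PLACEHOLDER"},
}

def sample_response(issuer, destination, tenant=None):
    """Build a constructed, unsigned SAML Response for the demo."""
    attr = (f'<a:AttributeStatement><a:Attribute Name="{TENANT_ATTR}">'
            f'<a:AttributeValue>{tenant}</a:AttributeValue></a:Attribute></a:AttributeStatement>') if tenant else ""
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{destination}">'
            f'<a:Issuer>{issuer}</a:Issuer><a:Assertion><a:Issuer>{issuer}</a:Issuer>{attr}</a:Assertion></p:Response>')

def _fields(xml):
    # Stdlib parser for the demo only; signature checks belong to a SAML library.
    root = ET.fromstring(xml)
    tenant = root.findtext(f".//a:Attribute[@Name='{TENANT_ATTR}']/a:AttributeValue", namespaces=NS)
    return root.findtext("a:Issuer", namespaces=NS), root.get("Destination"), tenant

def _check(tenant_id, expected_acs, issuer, destination):
    cfg = TENANTS.get(tenant_id)
    if cfg is None:
        raise ValueError("unknown tenant")
    if destination != expected_acs:
        raise ValueError("Destination does not match this ACS endpoint")
    if issuer != cfg["issuer"]:
        raise ValueError("Issuer is not the IdP registered for this tenant")
    return tenant_id

def tenant_from_acs_url(posted_to, xml):
    """Option 1: one ACS URL per client; the URL that received the POST picks the tenant."""
    issuer, destination, _ = _fields(xml)
    tenant_id = next((t for t, c in TENANTS.items() if c["acs"] == posted_to), None)
    return _check(tenant_id, posted_to, issuer, destination)

def tenant_from_attribute(posted_to, xml):
    """Option 2: shared ACS URL; an assertion attribute names the tenant."""
    issuer, destination, tenant_id = _fields(xml)
    if posted_to != SHARED_ACS:
        raise ValueError("not the shared ACS endpoint")
    return _check(tenant_id, SHARED_ACS, issuer, destination)
```

In both variants the Issuer is pinned to the IdP registered for the resolved tenant, so one client's IdP cannot produce a login for another client's tenant.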
Brent Gracey

Hi Gabriel, thanks for the further information you provided.

I had a look at the GSuite Okta App that our company has added to its SSO which it manages in Okta. I noticed there is a field: "Your Google Apps company domain." I hadn't spotted that before; but it seems like the setting I was looking for.


Except of course; I need it to be available in a new Okta App created by us. So is there a way to achieve that?

 

Thanks,
Brent

Gabriel Sroka (Okta, Inc.)
Hi Brent
There are 2 ways to add an SP to an Okta IdP. One way is to use the OAN and pick a ready-made app, e.g. G Suite. The other way is to use the SAML Wizard to create a new integration. See:
https://support.okta.com/help/articles/Knowledge_Article/Using-the-App-Integration-Wizard
Brent Gracey

Ah right - the penny drops! Great - thinking I'm starting to get it. Thanks for all your assistance.

 

Brent