Nick Steel

SAML assertion via API


Is it possible to get a SAML assertion for an application via the Okta API? We are building some automation around fetching the SAML assertion to authenticate against an application's API which requires that we pass it the SAML assertion to it.  

We currently have it working by screen scraping the response from Okta and parsing the SAML response blob out. It's not elegant and potentially a fragile solution. Ideally we'd like to do it via an API call instead; as far as I can tell from reading the docs, it's not something that's supported. Has anyone figured out otherwise?


Madhu Mahadevan - SE (Okta, Inc.)
Nick Steel
Thanks Madhu - 

How would this work for applications that have MFA enabled?

api-workday
Hi Nick,

with the authentication API you *should* be able to do this even with MFA

The sequence would be something like this:

$step1 = oktaCheckCreds -oOrg prod -username username@domain.tld -password "d0nut Tella sole"
[ POST ]
{
    "username":  "username@domain.tld",
    "context":  {
                    "userAgent":  "PowerShell API Wrapper"
    },
    "password":  "d0nut Tella sole",
    "relayState":  "/a/relayState/Value"
}

$step2 = oktaAuthnQuestionWithState -oOrg prod -stateToken $step1.stateToken -fid $step1._embedded.factors[0].id -answer 'the one that matched'
[ POST ]
{
    "stateToken":  "00OMiEKt9varTzj-4twcWSYoqtOa9OB2yj9Z0oYkaz",
    "answer":  "the one that matched"
}


Now with sessionToken in hand

Now, what I've described is based on the user being required to perform MFA to authenticate to Okta, not based on the application configuration.

I'd actually love to get some input on this one from Karl.

If the user isn't forced to perform MFA to authenticate, can I perform or force a similar transaction that would produce a sessionToken that would satisfy an application embed + sessionToken for an application that required MFA?

Anyway, hopefully that helps.
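The two-step flow described in this post (primary authentication returning a stateToken, then verifying the security-question factor to obtain a sessionToken), as an added example in Python that is not part of the original thread or of the PowerShell wrapper shown above. The endpoint paths and status strings follow Okta's public Authentication API; the `post` transport is injected so the state machine can be exercised offline against `fake_okta`, a constructed stand-in for an org with a security-question factor enrolled.

```python
OKTA_AUTHN = "/api/v1/authn"  # Okta Authentication API base path


def okta_authn(post, username, password, answer=None, relay_state=None):
    """Drive the Okta authn state machine to a sessionToken.

    `post(path, body)` is an injected transport (dict in, dict out). In
    production it would wrap an HTTPS POST of `body` as JSON to
    https://<org>.okta.com<path>; here it lets the flow run offline.
    """
    body = {"username": username, "password": password,
            "context": {"userAgent": "automation"}}
    if relay_state:
        body["relayState"] = relay_state
    resp = post(OKTA_AUTHN, body)
    if resp.get("status") == "SUCCESS":
        return resp["sessionToken"]  # user has no MFA policy; done in one step
    if resp.get("status") != "MFA_REQUIRED":
        raise RuntimeError("unexpected authn status: %r" % resp.get("status"))
    # Select the security-question factor explicitly instead of trusting
    # factors[0]; users may have several factor types enrolled.
    factors = resp["_embedded"]["factors"]
    question = next((f for f in factors if f["factorType"] == "question"), None)
    if question is None:
        raise RuntimeError("no question factor enrolled, found: %s"
                           % [f["factorType"] for f in factors])
    verify = post("%s/factors/%s/verify" % (OKTA_AUTHN, question["id"]),
                  {"stateToken": resp["stateToken"], "answer": answer})
    if verify.get("status") != "SUCCESS":
        raise RuntimeError("factor verify failed: %r" % verify.get("status"))
    # sessionToken is a one-time credential: return it, never log it.
    return verify["sessionToken"]


def fake_okta(path, body):
    """Constructed transport: password check, then MFA_REQUIRED with a
    push factor and a question factor; verify accepts one fixed answer."""
    if path == OKTA_AUTHN:
        if body.get("password") != "correct horse":
            return {"errorSummary": "Authentication failed"}
        return {"status": "MFA_REQUIRED", "stateToken": "00stateTOKEN",
                "_embedded": {"factors": [{"id": "opf1", "factorType": "push"},
                                          {"id": "ufs2", "factorType": "question"}]}}
    if path == OKTA_AUTHN + "/factors/ufs2/verify":
        if (body.get("stateToken"), body.get("answer")) == ("00stateTOKEN", "the one that matched"):
            return {"status": "SUCCESS", "sessionToken": "20111sessionTOKEN"}
        return {"errorSummary": "Invalid Passcode/Answer"}
    return {"errorSummary": "Not found"}


if __name__ == "__main__":
    print(okta_authn(fake_okta, "username@domain.tld", "correct horse",
                     answer="the one that matched", relay_state="/a/relayState/Value"))
```

Swapping `fake_okta` for a real HTTPS transport leaves the flow unchanged; the returned sessionToken is what the embed link + sessionToken step in the post consumes.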