How to Send a Custom RelayState to Application through IdP-Initiated Authentication URL
Single Sign-On
Okta Classic Engine
Overview

This article explains how to pass a custom RelayState through IdP-initiated authentication using the Sign on URL in Okta. The RelayState parameter maintains state information between the IdP and the application during the SSO process.

Applies To
  • Org2Org integrations
Cause

When sending a custom RelayState to an application through IdP-initiated authentication, the RelayState parameter needs to be included in the SSO URL.

Solution
  1. In the Okta dashboard, navigate to the application's settings page for the Hub/Spoke configuration.
  2. Under the Sign on > More details section, use the Sign on URL to handle IdP-initiated authentication passing through a RelayState. 

  3. For example, an Org2Org URL with a RelayState has the following format:

    https://<SubdomainName>.okta.com/app/okta_org2org/<AppKey>/sso/saml?RelayState=https://<SubdomainNameOfHub>.okta.com/app/<APPName>/<AppKey>/sso/saml%3FRelayState%3D<CustomRelayState>

 

Where:

    • "https://<SubdomainName>.okta.com/app/okta_org2org/<AppKey>/sso/saml" = the Sign On URL of the org2org app from Spoke.
    • "https://<SubdomainNameOfHub>.okta.com/app/<APPName>/<AppKey>/sso/saml" = the Sign on URL of the app from Hub.
    • "%3FRelayState%3D<CustomRelayState>" = the encoded version of "?RelayState=<CustomRelayState>".
    • "<CustomRelayState>" can be any valid URL, such as "https://google.com".

 

Now, it is possible to use the newly created URL in a bookmark application. After being authenticated into the Hub and the app, users accessing the URL will land on the "<CustomRelayState>".
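
The following is an added example, not part of the original article or Okta's own code. It builds the nested URL in the format above and goes one step further than the article's case by also handling a `<CustomRelayState>` that carries its own query string, which has to be encoded once per hop. The subdomains, app name and app keys are constructed placeholders, and the assumption that each hop percent-decodes its RelayState value exactly once is mine.

```python
from urllib.parse import parse_qs, quote, urlsplit

# ":" and "/" stay literal, as in the article's format; "?", "=", "&", "#" and "%" are encoded.
SAFE = ":/"


def _require_https(url: str) -> None:
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"expected an absolute https URL, got {url!r}")


def build_org2org_url(spoke_sso_url: str, hub_sso_url: str, custom_relay_state: str) -> str:
    """Nest <CustomRelayState> in the Hub Sign on URL, then nest that in the Spoke one."""
    for url in (spoke_sso_url, hub_sso_url, custom_relay_state):
        _require_https(url)
    # Level 1: the value the Hub app reads from its own RelayState parameter.
    hub_with_state = f"{hub_sso_url}?RelayState={quote(custom_relay_state, safe=SAFE)}"
    # Level 2: the whole Hub URL becomes the Spoke's RelayState value, so its "?" and "="
    # turn into %3F / %3D and any escapes from level 1 are escaped again (% -> %25).
    return f"{spoke_sso_url}?RelayState={quote(hub_with_state, safe=SAFE)}"


def relay_state_chain(url: str) -> list[str]:
    """Read RelayState the way each hop is assumed to: one percent-decode per hop."""
    chain = []
    for _ in range(2):  # Spoke hop, then Hub hop
        url = parse_qs(urlsplit(url).query)["RelayState"][0]
        chain.append(url)
    return chain


# Constructed sample values; the subdomains, app name and app keys are placeholders.
SPOKE = "https://example-spoke.okta.com/app/okta_org2org/SPOKEAPPKEY/sso/saml"
HUB = "https://example-hub.okta.com/app/exampleapp/HUBAPPKEY/sso/saml"

if __name__ == "__main__":
    target = "https://portal.example.com/home?tab=reports&lang=en"
    link = build_org2org_url(SPOKE, HUB, target)
    print(link)
    print(relay_state_chain(link))
```

Running `relay_state_chain` on a generated link before publishing it in a bookmark application confirms that the final hop resolves to the intended landing page and nothing else.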
