Requestable SSO URLs allow Single Sign-On (SSO) for multi-tenant applications with differing domain names, all while employing the same Entity ID and Identity Provider (IdP). This article delves into the intricacies of Requestable SSO URLs, elucidating their configuration in Okta and explicating their function in both Service Provider (SP) initiated and IdP-initiated workflows.
Consider a multi-tenant application in which every tenant uses the same Entity ID and the same IdP. The tenants are distinguished by domain name (for example, 'abc.example.com', 'xyz.example.com'), and the goal is to vary the SSO URL according to the tenant that initiates the request. This can be configured by:
- Setting "Audience Restriction" to the Entity ID, 'example.com'.
- Designating the SSO URL as 'https://abc.example.com/saml/sso'.
- Enabling the "Allow this app to request other SSO URLs".
- Adding 'https://xyz.example.com/saml/sso' to Requestable SSO URLs.
In an SP-initiated flow, the specific ACS URL can be requested either by naming the URL directly in the SAML request or by referencing its index. In an IdP-initiated flow, the default Single Sign-On URL specified in the application is used.
In essence, Requestable URLs are the service provider's ACS URLs with varying domains and index values. Certain multi-tenant applications adhere to this framework.
- Security Assertion Markup Language (SAML)
- Custom SAML Application
- Requestable SSO URLs
- Single Sign-On (SSO)
When using a custom SAML application with multiple Requestable SSO URLs, follow these steps to configure the URLs.
- Navigate to Applications > Application and search for the application.
- Go to the General tab of the app, then click the Edit button in the SAML Settings section.
- Click Next on the new page that appears.
- On the new page that appears, click the Show Advanced Settings link.
- After the advanced settings menu is expanded, the Other Requestable SSO URLs option becomes visible.
- Click the Add Another button to start adding the URLs.
NOTE: Each of the Requestable SSO URLs must have different index values.
Dynamics of Requestable SSO URLs in SP and IdP Flows
- SP-Initiated Flow: A specific Assertion Consumer Service (ACS) URL can be requested either by direct specification in the SAML request or by index reference. Some vendors may support only index-based requests. The ACS URL is the endpoint that receives and handles the SAML Response from the IdP.
- IdP-Initiated Flow: In such flows, the Single Sign-On URL configured in the application is used as the default, since the IdP initiates the SSO and there is no SAML request to select a different ACS URL.
NOTE: When using SP-initiated sign-in flows, enter the ACS URLs for any other requestable SSO nodes the app integration requires. This lets the application choose where the SAML Response is sent. Define both a unique URL and an index for each ACS URL endpoint. If the SAML AuthnRequest message specifies neither an index nor a URL, the SAML Response is sent to the ACS identified in the Single Sign-On URL field. When Signed Requests are enabled, Okta discards any predefined static SSO URLs and instead takes the SSO URLs from the signed SAML request; static and dynamic SSO URLs cannot coexist.
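The following is an added example, not Okta's code, showing how an IdP resolves the ACS destination for an SP-initiated AuthnRequest using the precedence described above (explicit URL, then index, then the app's Single Sign-On URL) and rejecting any URL or index that is not registered for the app. The configuration, index values, sample requests and the `resolve_acs_url` function are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed app configuration mirroring the article's scenario (hypothetical).
DEFAULT_SSO_URL = "https://abc.example.com/saml/sso"
REQUESTABLE_SSO_URLS = {  # index -> ACS URL; each index value must be distinct
    0: "https://abc.example.com/saml/sso",
    1: "https://xyz.example.com/saml/sso",
}


def resolve_acs_url(authn_request_xml, default_url=DEFAULT_SSO_URL,
                    requestable=REQUESTABLE_SSO_URLS):
    """Return the ACS URL the IdP should send the SAML Response to.

    Precedence: explicit AssertionConsumerServiceURL, then
    AssertionConsumerServiceIndex, then the app's default Single Sign-On URL.
    Anything not registered for the app is rejected, never honoured.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")

    url = root.get("AssertionConsumerServiceURL")
    if url is not None:
        if url not in requestable.values():
            raise ValueError("ACS URL not registered for this app: " + url)
        return url

    index = root.get("AssertionConsumerServiceIndex")
    if index is not None:
        if not index.isdigit() or int(index) not in requestable:
            raise ValueError("unknown ACS index: " + index)
        return requestable[int(index)]

    # Neither attribute present (or IdP-initiated): use the default SSO URL.
    return default_url


# Constructed, minimal, unsigned sample requests for illustration only.
REQ_BY_URL = ('<samlp:AuthnRequest xmlns:samlp="' + SAMLP + '" ID="_1" '
              'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
              'AssertionConsumerServiceURL="https://xyz.example.com/saml/sso"/>')
REQ_BY_INDEX = ('<samlp:AuthnRequest xmlns:samlp="' + SAMLP + '" ID="_2" '
                'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
                'AssertionConsumerServiceIndex="1"/>')
REQ_NO_ACS = ('<samlp:AuthnRequest xmlns:samlp="' + SAMLP + '" ID="_3" '
              'Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>')
```

The allow-list check is the part that matters operationally: the Response carries the assertion, so the IdP must only ever deliver it to an ACS URL that was registered for the application.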
