In a Service Provider (SP)-initiated Single Sign-On (SSO) flow, the SP sends Okta a SAML AuthnRequest, and the SAML response Okta returns carries an InResponseTo attribute containing the ID of that request. The SP uses this attribute to correlate the response with the request it actually issued and to reject responses it never asked for.
When an application uses a custom login page, however, the SAML request parameters are not preserved across the login page. Okta then has no request to answer, so the response it generates omits the InResponseTo attribute, exactly as in an IdP-initiated flow. An SP that requires the attribute fails the authentication. This article explains the cause of this behavior and offers possible resolutions.
- Service Provider (SP)-initiated flow
- Single Sign-On (SSO)
- Custom application login page
- Custom login page with the Okta sign-in widget embedded
A custom login page cannot be used as-is if the SP requires the InResponseTo attribute to be present in the SAML response it receives. Possible solutions:
- Use Okta's default login page in place of the custom login page. The SP-initiated request is then carried through the sign-in flow and the response includes InResponseTo.
- Configure the SP to accept responses without InResponseTo, that is, to allow IdP-initiated (unsolicited) responses. Note what this gives up: the SP can no longer tie a response to a request it issued, so it must still verify the signature, Destination, Recipient, Audience and validity window, and track consumed assertion IDs to reject replays.
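The following is an added example, not Okta's code or any SP library's, showing the SP-side checks that the two options above hinge on: strict correlation of InResponseTo against the SP's outstanding AuthnRequest IDs, and the relaxed mode that accepts the InResponseTo-less response a custom login page produces while still enforcing Destination, Recipient, Audience, expiry and assertion-ID replay protection. The SP URLs, request and assertion IDs and the sample response XML are constructed for the demo; signature verification is assumed to have already passed and is not shown.

```python
# Added example (not Okta's or any SP library's code): SP-side handling of the
# InResponseTo attribute. Signature verification is assumed to have already passed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def validate_response(xml_text, *, outstanding_request_ids, expected_destination,
                      expected_audience, now, seen_assertion_ids, allow_unsolicited=False):
    """Correlation and freshness checks on a signature-verified SAML Response.
    outstanding_request_ids: AuthnRequest IDs this SP sent and has not yet seen answered;
    seen_assertion_ids: replay cache of consumed assertion IDs; allow_unsolicited: accept
    a response with no InResponseTo (what Okta emits from a custom login page).
    Returns (accepted, reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "not a samlp:Response"
    if root.get("Destination") != expected_destination:
        return False, "Destination does not match this ACS URL"
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_unsolicited:
            return False, "no InResponseTo: unsolicited response rejected"
    elif in_response_to not in outstanding_request_ids:
        return False, "InResponseTo does not match an outstanding AuthnRequest"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion"
    assertion_id = assertion.get("ID")
    if assertion_id in seen_assertion_ids:
        return False, "assertion ID already consumed (replay)"
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        return False, "no SubjectConfirmationData"
    # The bearer confirmation repeats InResponseTo; it must agree with the Response.
    if scd.get("InResponseTo") != in_response_to:
        return False, "SubjectConfirmationData InResponseTo mismatch"
    if scd.get("Recipient") != expected_destination:
        return False, "Recipient does not match this ACS URL"
    # SAML xs:dateTime ends in Z; fromisoformat needs an explicit offset.
    if now >= datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")):
        return False, "assertion expired"
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != expected_audience:
        return False, "Audience does not match this SP's entity ID"
    seen_assertion_ids.add(assertion_id)  # consume the assertion
    if in_response_to is not None:
        outstanding_request_ids.discard(in_response_to)  # and the request it answers
    return True, "accepted"


def sample_response(in_response_to=None, assertion_id="_assertion-1"):
    """Constructed, unsigned sample in the shape of an Okta SAML Response. With
    in_response_to=None it is the shape a custom login page produces."""
    irt = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_response-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://sp.example.com/saml/acs"{irt}>
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData{irt} NotOnOrAfter="2024-01-01T12:05:00Z"
            Recipient="https://sp.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


# Constructed SP configuration for the demo (hypothetical SP at sp.example.com).
DEMO_SP = dict(expected_destination="https://sp.example.com/saml/acs",
               expected_audience="https://sp.example.com",
               now=datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc))


def demo():
    """The three situations from the article; returns {scenario: (accepted, reason)}."""
    return {
        # SP-initiated: Okta's response answers the AuthnRequest the SP sent.
        "sp_initiated": validate_response(sample_response("_request-1"),
            outstanding_request_ids={"_request-1"}, seen_assertion_ids=set(), **DEMO_SP),
        # Custom login page: no InResponseTo, so a strict SP rejects the response.
        "custom_login_strict": validate_response(sample_response(),
            outstanding_request_ids={"_request-1"}, seen_assertion_ids=set(), **DEMO_SP),
        # Same response after the SP is configured to accept unsolicited responses.
        "custom_login_relaxed": validate_response(sample_response(),
            outstanding_request_ids=set(), seen_assertion_ids=set(),
            allow_unsolicited=True, **DEMO_SP),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the article's failure in the `custom_login_strict` case and the relaxed SP accepting the same response in `custom_login_relaxed`. Setting `allow_unsolicited=True` is the code form of the second resolution; the remaining checks (Destination, Recipient, Audience, NotOnOrAfter and the `seen_assertion_ids` replay cache) are what keep that mode safe, since the SP can no longer rely on request correlation to discard responses it never solicited.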
