This article explains how to build a URL that signs a user in to a SAML application with Single Sign-On (SSO) after federating through an OpenID Connect (OIDC) Identity Provider (IdP), while passing a RelayState to the application.
- OpenID Connect (OIDC)
- Identity Provider (IdP)
- SAML Applications
To construct a URL that achieves SSO into a SAML app via an OpenID Connect IdP with a RelayState, follow these steps:
- Find the Okta domain URL (for example, org.okta.com).
- Obtain the IdP ID from the Security > Identity Providers page on the Okta Dashboard; expand the provider in question to see its ID.
- Find the Identity Provider Login URL for the SAML application. It is listed in the app's SAML Setup Instructions (Step 6), and a RelayState parameter can be appended to it.
- Optional: put a deep link in the RelayState so that users land on a specific page within the SAML application after SSO.
Here's an example URL with dummy values:
https://org.okta.com/sso/idps/0oa1234abcd567?fromURI=https%3A%2F%2Forg.okta.com%2Fapp%2Fappname%2Fexqwertyasdfghj567%2Fsso%2Fsaml%3FRelayState%3Dhttps%253A%252F%252Fapplication.com%252FspecificPage
NOTE: In the URL, replace org.okta.com with the Okta domain URL, 0oa1234abcd567 with the IdP ID, and appname and exqwertyasdfghj567 with the SAML application's specific values. Also, ensure that the RelayState is URL encoded: it is encoded once when appended to the Identity Provider Login URL, and that whole URL is encoded again when it is placed in the fromURI parameter, which is why the RelayState appears with doubly encoded characters such as %253A and %252F in the example.
A user who opens this URL is signed in through the OpenID Connect IdP and then sent into the SAML application with the RelayState attached.
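The following Python script is an added example, not code from the Okta article: it assembles the URL above from its parts, applying the two encoding passes the note describes, and reverses them so that you can confirm what RelayState the application will actually receive. The dummy values are the ones from the example URL; the allow-listed host in relay_state_is_allowed and the relative-path rule are this example's own assumptions about how the SAML application should validate a RelayState before redirecting to it (a RelayState is attacker-controllable input on the wire, so an application that redirects to it unchecked becomes an open redirector).

```python
from urllib.parse import parse_qs, quote, urlsplit

# Dummy values taken from the article's example URL.
OKTA_DOMAIN = "org.okta.com"
IDP_ID = "0oa1234abcd567"
APP_NAME = "appname"
APP_ID = "exqwertyasdfghj567"
RELAY_STATE = "https://application.com/specificPage"

# The article's example URL, used to check that the builder reproduces it exactly.
ARTICLE_EXAMPLE_URL = (
    "https://org.okta.com/sso/idps/0oa1234abcd567?fromURI="
    "https%3A%2F%2Forg.okta.com%2Fapp%2Fappname%2Fexqwertyasdfghj567%2Fsso%2Fsaml"
    "%3FRelayState%3Dhttps%253A%252F%252Fapplication.com%252FspecificPage"
)


def build_sso_url(okta_domain, idp_id, app_name, app_id, relay_state=None):
    """Return https://<okta_domain>/sso/idps/<idp_id>?fromURI=<encoded app login URL>.

    Two encoding passes happen because the fromURI value is itself a URL:
      1. relay_state is percent-encoded once when appended as ?RelayState=... to the
         app's Identity Provider Login URL;
      2. that whole login URL is percent-encoded again when placed in fromURI, so the
         already-encoded RelayState ends up double-encoded (%3A -> %253A).
    """
    app_login_url = f"https://{okta_domain}/app/{app_name}/{app_id}/sso/saml"
    if relay_state is not None:
        app_login_url += "?RelayState=" + quote(relay_state, safe="")
    return f"https://{okta_domain}/sso/idps/{idp_id}?fromURI=" + quote(app_login_url, safe="")


def extract_relay_state(sso_url):
    """Undo both encoding passes and return the RelayState the app will receive, or None."""
    outer_query = parse_qs(urlsplit(sso_url).query)
    from_uri = outer_query.get("fromURI", [None])[0]  # parse_qs decodes pass 2
    if from_uri is None:
        return None
    inner_query = parse_qs(urlsplit(from_uri).query)  # parse_qs decodes pass 1
    return inner_query.get("RelayState", [None])[0]


# Assumed allowlist for this example: the SAML application's own host.
ALLOWED_RELAY_HOSTS = ("application.com",)


def relay_state_is_allowed(relay_state, allowed_hosts=ALLOWED_RELAY_HOSTS):
    """Accept only a relative path on the app itself or an https URL on an allow-listed host.

    This is the check the receiving SAML application should run before redirecting the
    user to the RelayState; it is an assumption of this example, not behaviour the
    article describes. It rejects other schemes (javascript:, data:, http:) and any
    host that is not on the allowlist, including protocol-relative //evil.example paths.
    """
    parts = urlsplit(relay_state)
    if parts.scheme == "" and parts.netloc == "" and relay_state.startswith("/"):
        return True
    return parts.scheme == "https" and parts.hostname in allowed_hosts


if __name__ == "__main__":
    url = build_sso_url(OKTA_DOMAIN, IDP_ID, APP_NAME, APP_ID, RELAY_STATE)
    print(url)
    print("matches article example:", url == ARTICLE_EXAMPLE_URL)
    recovered = extract_relay_state(url)
    print("RelayState the app receives:", recovered)
    print("allowed:", relay_state_is_allowed(recovered))
```

Run the script to print the assembled URL and confirm it matches the article's example character for character; if your own URL does not round-trip through extract_relay_state to the deep link you intended, the RelayState was encoded too few or too many times.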
