Implementing Deep Links for SAML Applications in Okta
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article describes the utility of SAML Deep Links, which can automatically redirect a user to a specific Okta app upon successful authentication via a third-party Identity Provider (IdP). It outlines the process for setting up this redirect, including the use of specific URL structures and RelayState parameters.

Applies To
  • Deep Links
  • Security Assertion Markup Language (SAML)
Cause

There may be situations where the user's journey should be streamlined by automatically directing them to a specific Okta application after they have successfully authenticated with a third-party IdP. This can enhance the user experience by removing additional navigation steps and can be achieved using SAML Deep Links.

Solution
  1. Assemble a deep link pointing directly to the desired Okta application. An example of this might look like:
    https://{org}.okta1.com/sso/saml2/0oapwt88Y42z9oYqs0g3/app/raincloud59_test_1/exkpyktH3AG1L7L9d0g3/sso/saml?RelayState=anyUrlEncodedValue


This link is made up of the following components:

    • Service Provider Assertion Consumer Service (SP ACS) URL.
    • Deep Link (typically, the Single Sign-On (SSO) URL as noted in the SAML app's sign-on instructions).
    • Inbound RelayState (optional and should be URL encoded). Note that no additional query parameters are supported. 
  2. Redirect the user to the IdP with the RelayState parameter included in the URL (this parameter should be URL-encoded).

  3. The user logs into the IdP and is redirected back to Okta.

  4. Okta processes the SAMLResponse from the IdP and redirects the user to the URL specified in the deep link, which will automatically open the designated app (also passing along the initial RelayState if provided).


This process ensures that users are seamlessly directed to specific applications, thereby enhancing their experience and the overall flow of the authentication process.


Example of a SAML deep link: 

https://${OktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue


NOTE: No additional query parameters are supported.
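
The deep link format and the URL-encoding requirement described above, as an added example that is not from Okta's article or code: the function names and all sample values (example.okta.com, IDP_ID, APP_LOCATION, APP_ID, the RelayState target) are constructed placeholders. It builds the link with a percent-encoded RelayState and checks an existing link for additional query parameters, which an unencoded RelayState containing "&" introduces.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values (placeholders, not real Okta identifiers).
OKTA_DOMAIN = "example.okta.com"
RELAY = "https://app.example.com/reports?id=7&view=full"


def build_saml_deep_link(okta_domain, idp_id, app_location, app_id, relay_state=None):
    """Assemble https://{domain}/sso/saml2/{idpId}/app/{app-location}/{appId}/sso/saml."""
    # Encode each path segment so a stray "/" or "?" cannot change the URL structure.
    idp, loc, app = (quote(s, safe="") for s in (idp_id, app_location, app_id))
    url = f"https://{okta_domain}/sso/saml2/{idp}/app/{loc}/{app}/sso/saml"
    if relay_state is not None:
        # safe="" also encodes "/", "?", "&" and "=", so the whole value stays
        # inside the single RelayState parameter.
        url += "?RelayState=" + quote(relay_state, safe="")
    return url


def check_saml_deep_link(url):
    """Return a list of problems found in a deep link; an empty list means none."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    seg = parts.path.split("/")
    # Expected: ['', 'sso', 'saml2', idpId, 'app', app-location, appId, 'sso', 'saml']
    shape_ok = (len(seg) == 9 and seg[1:3] == ["sso", "saml2"] and seg[4] == "app"
                and seg[7:] == ["sso", "saml"] and all(seg[i] for i in (3, 5, 6)))
    if not shape_ok:
        problems.append("path does not match the deep link format")
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    extra = sorted({k for k in names if k != "RelayState"})
    if extra:
        problems.append("additional query parameters: " + ", ".join(extra))
    if names.count("RelayState") > 1:
        problems.append("RelayState appears more than once")
    return problems


def relay_state_of(url):
    """Return the decoded RelayState of a deep link, or None if absent."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True)).get("RelayState")


if __name__ == "__main__":
    good = build_saml_deep_link(OKTA_DOMAIN, "IDP_ID", "APP_LOCATION", "APP_ID", RELAY)
    bad = good.split("?")[0] + "?RelayState=" + RELAY  # RelayState left unencoded
    print(good, check_saml_deep_link(good))
    print(bad, check_saml_deep_link(bad))
```

The unencoded variant is flagged because "&view=full" is parsed as a second query parameter, and the RelayState that survives is cut off at that point.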
