OAG: URI Special Characters
Overview
Unencoded special characters in Uniform Resource Identifiers (URIs) cause deep links in Service Provider (SP)-initiated flows to fail for Okta Access Gateway (OAG)-enabled applications. Resolve this issue by encoding the reserved characters according to the RFC 3986 standard. When this issue occurs, users experience broken or unresponsive deep links during SP-initiated authentication.
Applies To
- Okta Access Gateway
- Okta Classic Engine
- Okta Identity Engine (OIE)
Cause
RFC 3986 defines a set of reserved characters that must not appear as literal data in a URI and must be percent-encoded instead. The following characters are reserved and should not be used without being encoded:
reserved = gen-delims / sub-delims
gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
The following characters are unreserved and allowed in a URI:
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
(The definitions above are copied from RFC 3986.)
Solution
How does the application encode URI special characters for Okta Access Gateway?
The application team must encode the URI special characters based on the RFC 3986 standard. Ensure that the application encodes all reserved characters before passing the URI in the SP-initiated flow.
For help with the encoded form of each character, use the HTML URL Encoding Reference.
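One way an application could apply this encoding, shown as an added example that is not part of the original article or Okta's own code. JavaScript's built-in encodeURIComponent() leaves the sub-delims ! ' ( ) * unencoded, so the helper below encodes them as well; the host, path segments and parameter names are constructed for illustration.

```javascript
// Added example: strict RFC 3986 percent-encoding for deep-link components.
// Host, path and parameter names below are constructed for illustration.

// encodeURIComponent() leaves ! ' ( ) * literal, but RFC 3986 lists them as
// sub-delims (reserved). Encode them too, so that only unreserved characters
// (ALPHA / DIGIT / "-" / "." / "_" / "~") remain literal in the output.
function encodeRFC3986(value) {
  return encodeURIComponent(value).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Returns the distinct reserved characters (gen-delims and sub-delims)
// that appear unencoded in a single component value.
function findUnencodedReserved(value) {
  const reserved = /[:\/?#\[\]@!$&'()*+,;=]/g;
  return [...new Set(value.match(reserved) || [])];
}

// Builds a deep link from data values. Delimiters that structure the URI
// ("/", "?", "&", "=") stay literal; reserved characters inside the data
// are percent-encoded.
function buildDeepLink(origin, pathSegments, query) {
  const path = pathSegments.map(encodeRFC3986).join("/");
  const qs = Object.entries(query)
    .map(([k, v]) => `${encodeRFC3986(k)}=${encodeRFC3986(v)}`)
    .join("&");
  return `${origin}/${path}${qs ? "?" + qs : ""}`;
}

// Constructed sample input: data values that contain reserved characters.
const sampleLink = buildDeepLink(
  "https://app.example.com",
  ["reports", "Q1/Q2 (draft)"],
  { filter: "owner=a&b", tag: "#urgent!" }
);
console.log(sampleLink);
console.log(findUnencodedReserved("Q1/Q2 (draft)"));
```

Running findUnencodedReserved() on each component value before the link is issued gives the application team a quick check for deep links that still need encoding.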
