Okta Classic Engine · Okta Integration Network · Answered (2024-04-12) · Posted 2017-06-20
Okta SAML Relay State Processing On External Webapp
Hello,

 

Context: an external on-premise web app (launched from inside a customer portal), declared as a SAML RP on an Okta tenant, which is itself declared as an SP with an external IDP.

Federated scenario

 

So user flow is :

Intranet Portal (launch webapp idp initiated shortcut) --> External IDP (OK)--> Okta SP (OK) ---> External WebApp (KO)

 

Because the customer web portal integrates with WIA SSO, an IdP-initiated flow is required.

Because it is a customer web portal, we don't want a second (Okta) portal to be launched.

 

The IdP-initiated URL is:

https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252abcdefgh%26RelayState%3Dhttps%253A%252F%252Fmywebserver.mydomain.com%252Fmywebapp%252F

 

Okta Behaviour : 

The final web app redirection is always https://mycompany.okta.com/mywebapp/?fromLogin=true (with HTTP 404)

instead of https://mywebserver.mydomain.commy/mywebapp/

 

https://mywebserver.mydomain.commy/mywebapp/ is also declared as the Default Relay State in the Okta SAML app settings, without effect.

 

Notes:

- RelayState processing (inside Okta) acts only on the relative path /mywebapp

- An embedded application link (without federation, but with Okta as both IDP and SP) is working

https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252abcdefgh is working (as indicated, it only opens the Okta user portal)

- The autostart app (new browser tab) is working

- I don't want to use an app bookmark because

 

How do I configure the Okta SP RelayState for an external RP (web app)?

I haven't found anything on that.

 

Thanks 

Gilles M.

  • Hi Giles, 

     

    This type of issue would be best investigated via Okta support. If you'd like us to take a look, feel free to open a support case and include a Fiddler trace and a SAML trace of your attempted flow. With this information we can better analyze the complete flow and determine where the issue is.
  • Hello,

    I finally ended up solving this question.

    After analyzing Okta's processing of the RelayState application parameter in the query string, it appears that only the relative path is taken into account.

    On the other hand, several items in this forum indicate the possibility of creating a bookmark (?)

    This link https://support.okta.com/help/Documentation/Knowledge_Article/27685638-Simulating-an-IDP-initiated-Flow-with-the-Bookmark-App

    also indicates this possibility (in my use case?) but basically without clearly explaining how to integrate it.

     

    The solution consists of encoding the relative path of the bookmark application in the last parameter of the RelayState.

    In my case:

    https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%253A%252F%252Fwww.okta.com%252Fsaml2%252Fservice-provider%252Fabcdefgh%26RelayState%3D%2Fhome%2Fbookmark%2F0oaybkjeabcdefg%2F2557

     

    Reminder: this topic is not anecdotal; it is very structuring in my scenario, with external web app links inside intranet portals and multiple IDP configurations.

     

    Now I have to do the same in the other direction: Okta as IDP with an external SP...

     

    Regards,
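The two URLs in this thread differ only in how the nested RelayState is encoded and in what Okta does with the decoded value. The script below is an added example, not code from the poster or from Okta, that makes the nesting explicit: it builds an ADFS IdP-initiated URL with the RPID/RelayState structure used in the posts, decodes such a URL back into its parts, and models the behaviour the poster reports (Okta keeps only the path of the RelayState and serves it from the org's own origin), so you can see why an absolute URL to another host ends in a 404 on the Okta org while a /home/bookmark/<appId>/<n> path resolves. The hostnames, the RPID, the bookmark path and the org URL https://mycompany.okta.com are the placeholders from the thread; `okta_landing_url()` is an assumption drawn from the poster's observation, not Okta's documented logic.

```python
"""Nested RelayState handling for an ADFS IdP-initiated sign-on URL that
chains through an Okta SP.  Added example; not code from Okta or the poster."""
from urllib.parse import parse_qs, quote, urlparse

# Hostnames, RPID and org URL below are the placeholders used in the thread.
ADFS_IDP_INITIATED = "https://idpserver.mydomain.com/adfs/ls/idpinitiatedsignon.aspx"
OKTA_RPID = "https://www.okta.com/saml2/service-provider/abcdefgh"
OKTA_ORG = "https://mycompany.okta.com"  # assumed org URL, as in the post


def build_adfs_idp_initiated_url(rpid, target_relaystate, idp_url=ADFS_IDP_INITIATED):
    """Build the URL using the RPID/RelayState nesting shown in the post.

    Each inner value is percent-encoded once, the "RPID=...&RelayState=..."
    string is assembled, and that whole string is encoded a second time so
    ADFS sees one opaque RelayState parameter.  safe="" makes quote() encode
    '/', ':', '=' and '&' as well as '%', which is what produces %253A / %252F.
    """
    inner = "RPID=%s&RelayState=%s" % (quote(rpid, safe=""), quote(target_relaystate, safe=""))
    return "%s?RelayState=%s" % (idp_url, quote(inner, safe=""))


def parse_adfs_idp_initiated_url(url):
    """Undo the nesting: one decode for the outer parameter, one for the inner pair.

    parse_qs() percent-decodes as it splits, so calling it twice peels both
    layers.  Decoding a string that contains no '%' is a no-op, so a target that
    was encoded only once (as in the poster's working URL, %2Fhome%2Fbookmark)
    decodes to the same value as a doubly encoded one (%252Fhome%252Fbookmark).
    """
    outer = parse_qs(urlparse(url).query, keep_blank_values=True)["RelayState"][0]
    inner = parse_qs(outer, keep_blank_values=True)
    return {"RPID": inner["RPID"][0], "RelayState": inner["RelayState"][0]}


def okta_landing_url(target_relaystate, org=OKTA_ORG):
    """Model of the behaviour the poster reports (an assumption, not Okta's
    documented logic): Okta keeps only the path component of the RelayState and
    serves it from the org's own origin with ?fromLogin=true appended.  An
    absolute URL to another host therefore loses its host and lands on a path
    that does not exist in the org (the 404 in the post), while a path such as
    /home/bookmark/<appId>/<n> resolves to a bookmark app inside Okta.
    """
    path = urlparse(target_relaystate).path or "/"
    return "%s%s?fromLogin=true" % (org, path)


if __name__ == "__main__":
    external = "https://mywebserver.mydomain.com/mywebapp/"   # the poster's first attempt
    bookmark = "/home/bookmark/0oaybkjeabcdefg/2557"           # the poster's working value
    for target in (external, bookmark):
        url = build_adfs_idp_initiated_url(OKTA_RPID, target)
        print("ADFS URL :", url)
        print("decoded  :", parse_adfs_idp_initiated_url(url))
        print("lands on :", okta_landing_url(target))
        print()
```

Run it as-is to compare the two cases side by side. Reducing a RelayState to a relative path on the SP's own origin is the standard defence against RelayState-driven open redirects (an IdP-initiated link can carry any RelayState an attacker chooses), so an SP that refuses to forward a user to an arbitrary external host after login is behaving conservatively; the bookmark-app path the poster found works because the redirect target stays inside Okta and Okta itself then launches the external app.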
This question is closed.