kr7sd (kr7sd) asked a question.
SAML AssertionConsumerServiceURL
I have a SAML application I want to configure as an SP using Okta as IDP. It's working fine using the standard application setup provided in the developer account. But this requires hard-coding the assertion consumer service URL. ("Single sign on URL" in Okta-speak)
This won't quite work for my use case, I need to use the AssertionConsumerServiceURL attribute in my AuthnRequest to specify where to redirect the user after authentication. This is part of the SAML 2 core spec in section 3.4.1. My AuthnRequests will be signed.
Is this possible with Okta? Has anyone done it?
Hi Peter,
Custom SAML applications have the option to enable additional URLs under "Requestable SSO URLs" as documented below:
https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm
Here is also another article from a customer that had the same question
https://support.okta.com/help/s/question/0D50Z00008G7V2x/does-okta-support-assertionconsumerserviceurl-as-the-destination-for-posting-saml-assertion?language=en_US
You can also find additional information on our Developer website
https://developer.okta.com/docs/concepts/saml/
Best regards,
Radu
Technical Support Engineer
Okta Global Customer Care
Thank you Radu, I also found the requestable URLs and it works great but what I'm looking for is a way to not need to list them all. My reading of the SAML spec is I can pass in either the AssertionConsumerServiceUrl or AssertionConsumerServiceIndex attribute and the IDP should honor it, so long as the AuthnRequest is signed.
Please pass this along as an enhancement request.
For now, I'm happy that it's working, with the caveat that every requestable URL must be configured into the Okta app.