
User15790390408613851021 (Customer) asked a question.
Hi Team,
I would like to use SSO between two applications using Okta. Details are as below:
1. App-A is using SAML configuration.
a. User logs into App-A that uses SAML.
b. Authorization Server (Okta) validates the user and sends a response to the browser (the authorization server stores cookies).
c. Cookies are passed to each request.
2. App-B is using OIDC.
a. User logs into App-B
b. Authorization Server (Okta) stores the access token in the browser.
Scenario:
Need to load App-B using iFrame on login to App-A.
· User gets logged into App-A via Okta SSO.
· App-B gets loaded within App-A, but the login page is displayed again instead of rendering the home page of App-B.
· Login should not be displayed again. There should be seamless authentication from App-A to App-B, because the user is already logged in to the SSO. Both apps are created in Okta SSO (App-A and App-B).
Is there a bridge between SAML and OIDC?
https://devforum.okta.com/t/okta-as-a-saml-to-openid-connect-bridge/5782
In the above document, the below line is not clear:
“2.1 An OIDC web application that has login redirect URI set to the SAML Embed URL”
Please attach more screenshots; that would help us configure it easily.

Hi Rajesh,
I would assume that if a user logs into App-A via Okta that a session cookie should be set in their browser. If an iFrame is then opened and an /authorize call is done to App-B the session should already exist and a code would be returned to App-B.
I recommend opening a support case for this issue if it is not working as we will require log files to further analyze.
Hi Erik,
Thanks for the instant reply.
The /authorize URL mentioned in this document (https://devforum.okta.com/t/how-to-get-id-token-fom-active-okta-session/4804) was really helpful.
I have a couple of queries. Please address them.
1.
I would like to pass extra parameters via the /authorize URL. I tried passing them as /authorize?key1=value1&key2=value2; after receiving the response from Okta /authorize I get the response below, but key1 and key2 are missing from it.
https://{org.domain.com}/login/okta/callback#id_token={response_id_token}&state=authn
Please let me know how we can pass extra parameters with the /authorize URL.
2.
Can we call /authorize in App-B? I see we can pass the parameter "prompt=none" with /authorize so the login page will not be popped up.
Any working /authorize URL with the pop-up disabled would be helpful.
3.
When I use the request URL below with response_type=code, I get the error "The response type is not supported by authorization server".
Request URL: https://{org.domain.com}/oauth2/v1/authorize?response_type=code&client_id={client_id}&redirect_uri={registered_call_back_url}&state=authn&scope=openid&nonce=abcd
Response: https://{org.domain.com}/login/okta/callback#state=authn&error=unsupported_response_type&error_description=The+response+type+is+not+supported+by+the+authorization+server.+Configured+response+types:+%5Bcode,+id_token%5D.
4.
In Java, I would like to use the "com.okta.jwt.JwtVerifiers" library to verify the token. Reference link: https://github.com/okta/okta-jwt-verifier-java
a. When I log in with credentials to /okta/login, the token is issued with iss=https://{yourOktaDomain}/oauth2/default, and the code below works.
import java.time.Duration;
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.JwtVerifiers;

// The issuer configured here must match the "iss" claim of the tokens being verified
AccessTokenVerifier jwtVerifier = JwtVerifiers.accessTokenVerifierBuilder()
        .setIssuer("https://{yourOktaDomain}/oauth2/default")
        .setAudience("api://default")                 // defaults to 'api://default'
        .setConnectionTimeout(Duration.ofSeconds(1))  // defaults to 1s
        .setRetryMaxAttempts(2)                       // defaults to 2
        .setRetryMaxElapsed(Duration.ofSeconds(10))   // defaults to 10s
        .build();
b. When I use the /authorize URL in the iFrame, /authorize sets iss to "https://{yourOktaDomain}"; it is missing the "/oauth2/default" suffix.
Why is there a difference in the issuer URL (iss)? That looks like an incompatibility to me. Is there any way to resolve this?
Kindly address the above queries.
Thanks,
Rajesh