Okta Classic Engine | Single Sign-On | Answered
Dates: 2021-12-09T12:35:06.000Z, 2021-12-13T10:26:03.000Z, 2024-04-16T13:11:30.000Z

xfj48 (xfj48) asked a question.

SAML app not using Identity Provider routing rules

In our single sign-on setup, we use Okta as the middleware that federates to Google Cloud (which is our Identity Provider and source of truth). In Okta, we have the Identity Provider routing rules set up to directly use Google Cloud for authentication instead of Okta, since our users don't have Okta accounts. This works correctly for our OIDC apps.

 

The problem is that for a SAML app I'm working on, it doesn't seem that the routing rules are being respected. Sometimes when logging in, the user will be taken to an Okta login screen, which they can't log in to. After a failed login, if they retry they'll be taken to the correct Google login screen. Sometimes they get correctly taken to a Google login screen the first time. It seems quite random which login screen they get taken to. Also, after logging out, they are taken to the (incorrect) Okta screen for logging in again.

 

Looking for some kind assistance on this matter. As mentioned OIDC apps work fine, but we're having trouble with SAML.


  • Hello @xfj48 (xfj48),

     

    Thanks for posting.

     

    When there is an external Identity Provider, the sign-in process goes like this:

     

    1. In your application, the user clicks a button similar to Sign in with (Identity Provider).
    2. Your application redirects the browser to Okta.
    3. Okta redirects the browser to the Identity Provider.
    4. The user is prompted to sign in at the Identity Provider (if they aren't already) and to accept the permissions required by your app.
    5. The Identity Provider redirects the browser back to Okta.
    6. Okta processes the sign-in request and adds the user to your Okta organization's Universal Directory.
    7. Okta redirects the browser back to your application, just like any other sign-in request.

     

    Based on your comment, the process is failing on step 2, since this redirect to Okta and then to the IdP should be transparent for the end users.

     

    Please take a look at this document to make sure the whole process is correct, it also has a routing rules section:

     

    https://developer.okta.com/docs/guides/add-an-external-idp/google/main/

     

    If you need further assistance I recommend opening a support case where we could discuss more specific details.

     

    Have a great day!

     

    Natalia

    Okta Inc.

  • xfj48 (xfj48)

    Hi. Thanks for the reply. Posting a solution we received here for the benefit of others:

     

    "Okta Admin Dashboard -> Applications -> Applications -> Kibana app -> General Settings -> SAML Settings. Click on the button found on the right side of the SAML Settings section title named Edit, and then scroll down until you find Honor Force Authentication, and set that to No."

     

    This works correctly in our setup.

This question is closed.
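The posted fix turns off Okta's "Honor Force Authentication" switch, which controls whether Okta acts on a ForceAuthn="true" attribute in the service provider's SAML AuthnRequest. The example below is an added illustration for this thread, not Okta code and not anything the posters wrote: it decodes a SAMLRequest from an HTTP-Redirect binding URL, reports whether ForceAuthn is set, and then runs a deliberately simplified broker decision showing how honoring ForceAuthn can take precedence over an IdP routing rule in the seven-step flow described in the answer. The AuthnRequest, the URLs and the decision function are constructed; that Kibana was sending ForceAuthn="true" is an assumption suggested by the fix, not something the thread states, and route_login is not Okta's actual routing logic.

```python
"""Decode a SAML AuthnRequest (HTTP-Redirect binding) and show how a broker
that honors ForceAuthn can bypass an IdP routing rule.

Added example for the thread above. This is not Okta code: the broker
decision below is a simplified model, and the request, URLs and names
are constructed for illustration.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest standing in for what a SAML SP such as Kibana
# might send. ForceAuthn="true" is the attribute the "Honor Force
# Authentication" setting decides whether to obey (assumption: this is what
# the SP in the thread was sending; the thread does not show its request).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2021-12-09T12:35:06Z" '
    'ForceAuthn="true" '
    'AssertionConsumerServiceURL="https://kibana.example.com/api/security/saml/callback">'
    '<saml:Issuer>https://kibana.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
BROKER_SSO_URL = "https://broker.example.com/sso/saml"  # hypothetical broker endpoint


def encode_redirect_saml_request(xml_text: str, sso_url: str) -> str:
    """Build a redirect URL the way an SP does: raw DEFLATE, base64, URL-encode
    (SAML 2.0 Bindings, section 3.4.4.1)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(data).decode("ascii")})


def decode_redirect_saml_request(url: str) -> str:
    """Reverse the redirect binding: pull SAMLRequest from the query string,
    base64-decode it, then inflate the raw DEFLATE stream."""
    qs = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in qs:
        raise ValueError("URL carries no SAMLRequest parameter")
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def parse_authn_request(xml_text: str) -> dict:
    """Pull the fields that matter for routing out of a samlp:AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        # Both attributes are optional booleans (SAML Core 3.4.1); absent means false.
        "force_authn": root.get("ForceAuthn", "false").lower() == "true",
        "is_passive": root.get("IsPassive", "false").lower() == "true",
    }


def route_login(request: dict, routing_rule_idp: Optional[str],
                honor_force_authn: bool, has_broker_session: bool) -> str:
    """Simplified broker decision (NOT Okta's real algorithm).

    A ForceAuthn request asks the receiving IdP to re-prompt for credentials
    even if a session exists. A broker that honors it by prompting locally
    shows its own login page, which is useless when users have no broker
    accounts and should have been sent on to the external IdP.
    """
    if honor_force_authn and request["force_authn"]:
        return "broker_login_page"             # local re-authentication, rule skipped
    if has_broker_session:
        return "existing_session"              # SSO: assertion issued from cached session
    if routing_rule_idp:
        return f"redirect:{routing_rule_idp}"  # routing rule sends user to external IdP
    return "broker_login_page"                 # no rule matched: broker's own login


if __name__ == "__main__":
    url = encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST, BROKER_SSO_URL)
    req = parse_authn_request(decode_redirect_saml_request(url))
    print("ForceAuthn in request:", req["force_authn"])
    for honor in (True, False):
        print(f"Honor Force Authentication={honor}:",
              route_login(req, "google", honor, has_broker_session=False))
```

To check a real login rather than the constructed request, copy the full URL of the redirect from the SAML app to Okta out of the browser's network tab and pass it to decode_redirect_saml_request; a ForceAuthn="true" attribute in the decoded AuthnRequest is exactly what the Honor Force Authentication setting decides whether to obey. Turning the setting off makes Okta ignore that attribute, which is why the routing rule then applies consistently; the trade-off is that the SP can no longer demand fresh authentication through Okta.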