
PrateekT.00945 (Customer) asked a question.
Hi Okta Support,
I am currently integrating SSO through an Okta SAML App Integration with my own application. I've noticed that after I've authenticated through the Okta login widget and the SAML Response gets sent from Okta to the SSO URL, the "Origin" header in that request is null. On our application, we would like to have CSRF protection, which means we would only allow requests from a whitelist of specified origins. We need some way to verify that any incoming requests are from the allowed origins, and we rely on the "Origin" request header to be set in order to determine the origin of the request. However, since the "Origin" request header is null, we cannot currently verify incoming SAML Responses from Okta.
Is this a known issue? Is there any configuration in my Okta SAML App Integration that I'm missing which could make our Okta SAML App actually populate the "Origin" header when sending the SAML Response to the SSO URL, instead of leaving it null?
Thanks,
Prateek
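The origin allowlist check described in the question, written out as an added example; this is not code from the question, from Okta, or from the poster's application. The Okta org URL in the allowlist and the sample request headers are constructed placeholders. The example treats an absent header and the literal value "null" (what a browser sends for an opaque origin) the same way, reports them as "unknown" rather than silently failing the request, and leaves the decision about "unknown" to the caller, since an ACS endpoint receives a cross-site POST by design and the signed SAML Response is what actually authenticates it.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the Okta org that hosts the SAML IdP (placeholder value).
ALLOWED_ORIGINS = {"https://example.okta.com"}


def get_header(headers, name):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def normalize_origin(value):
    """Return 'scheme://host[:port]' in lowercase, or None if the value is not a usable origin.

    The literal string 'null' is an opaque origin: the browser deliberately
    withheld the origin, so it carries no information for an allowlist check.
    """
    if value is None:
        return None
    value = value.strip()
    if value == "" or value.lower() == "null":
        return None
    parts = urlsplit(value)
    # An Origin is scheme + host (+ port) only; anything with a path or query is malformed.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_acs_origin(headers, allowed=ALLOWED_ORIGINS):
    """Classify a request to the SAML ACS (SSO URL) endpoint by its Origin header.

    Returns one of:
      'allowed'  - Origin present and in the allowlist
      'rejected' - Origin present, well-formed, and not in the allowlist
      'unknown'  - Origin absent, 'null', or malformed; caller must fall back to
                   validating the SAML Response itself (signature, audience, etc.)
    """
    origin = normalize_origin(get_header(headers, "Origin"))
    if origin is None:
        return "unknown"
    return "allowed" if origin in allowed else "rejected"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "idp post": {"Origin": "https://example.okta.com"},
        "opaque origin": {"origin": "null"},
        "no header": {},
        "other site": {"Origin": "https://other.example"},
    }
    for label, hdrs in samples.items():
        print(f"{label:14s} -> {check_acs_origin(hdrs)}")
```

The "unknown" outcome is the case the question describes. Blocking it outright would also block a legitimate IdP-initiated POST whose Origin the browser withheld, so the safer design is to make the SAML Response's signature and audience validation the gate, and use the Origin allowlist only as an additional, non-authoritative signal.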

Hi @PrateekT.00945 (Customer), thank you for reaching out to the Okta Community!
Just tested the SAML flow with a random app (non-valid parameters) I've set up in my environment with default SAML settings and the Origin header had the proper information.
Please see my app's settings below and compare with what you have; maybe something is missing.
https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_SAML.htm
*In case it matters: I've validated the assertion with a SAML Tracer extension in my browser.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!