Okta Classic Engine · Authentication · Answered · Asked 2022-08-31T11:06:07.000Z · Last updated 2022-09-06T14:36:29.000Z

MilanD.01195 (Customer) asked a question.

Okta SAML configuration not respecting AssertionConsumerServiceURL when sending response back to SP

I have been implementing SAML 2.0 and testing different IdP providers, including Okta, Red Hat, Azure and Keycloak.

There's a key difference I noticed between Okta and the other SAML 2.0 auth providers: Okta doesn't respect the AssertionConsumerServiceURL value from the SAML AuthnRequest when sending the response back to the SP (Service Provider) after authentication.

Here's a representation. The following is an AuthnRequest generated by the SP:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest AssertionConsumerServiceURL="http://localhost:8080/core-demo/login?idpId=OKTA-demo&amp;host=localhost%3A8080" Destination="https://dev-<masked>.okta.com/app/dev-<masked>_coredemo_2/<masked>/sso/saml" ID="_3eabaae6d0c7543c625cc2083133be5a" IsPassive="false" IssueInstant="2022-08-31T10:46:27.514Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">core-demo</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</saml2p:AuthnRequest>

Notice that the value of AssertionConsumerServiceURL is "http://localhost:8080/core-demo/login?idpId=OKTA-demo&amp;host=localhost%3A8080", containing two extra parameters, idpId and host.

After authentication, when Okta goes back to the SP, it does so without these extra parameters that the SP needs. Generally, a SAML auth provider should send the SAML Response back to the SP using the AssertionConsumerServiceURL.

Workaround

We can set the Single Sign On URL with the extra parameters in the URL, like "http://localhost:8080/core-demo/login?idpId=OKTA-demo&host=localhost:8080".

So far, doing the same in the Recipient URL or Destination URL doesn't do the trick.
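One way to handle the situation the post describes, as an added example that is not from the poster or from Okta: keep the ACS URL registered with the IdP free of query parameters and carry the SP's own parameters (idpId, host) in RelayState, which the SAML 2.0 bindings require the IdP to return unchanged, and have the SP check the response's Destination against the registered ACS URL exactly. The IdP SSO URL, the in-memory token store and the request IDs used below are assumptions; only the ACS path, entity ID and parameter names come from the post.

```python
import secrets
import xml.etree.ElementTree as ET

# Registered ACS URL, as the IdP stores it: no query string, no fragment.
ACS_URL = "http://localhost:8080/core-demo/login"
IDP_SSO_URL = "https://idp.example.test/sso/saml"   # placeholder for the IdP's SSO endpoint
SP_ENTITY_ID = "core-demo"
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml2p", NS_P)
ET.register_namespace("saml2", NS_A)
_pending = {}  # stand-in for a server-side session store: token -> (request ID, SP params)

def build_authn_request(params, request_id, issue_instant):
    """Build an AuthnRequest whose ACS URL carries no query string and return it with a
    RelayState token that refers to the SP's own parameters (idpId, host, ...)."""
    token = secrets.token_urlsafe(16)  # 22 chars, inside the 80-byte RelayState limit
    _pending[token] = (request_id, dict(params))
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = SP_ENTITY_ID
    ET.SubElement(req, f"{{{NS_P}}}NameIDPolicy", {
        "Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "AllowCreate": "true"})
    return ET.tostring(req, encoding="unicode"), token

def accept_response(destination, in_response_to, relay_state):
    """SP-side checks when the IdP posts the response back: Destination must equal the
    registered ACS URL exactly, RelayState must name a pending request (one-time use),
    and InResponseTo must match it. Returns the SP parameters saved for this login."""
    if destination != ACS_URL:
        raise ValueError("Destination does not match the registered ACS URL")
    entry = _pending.pop(relay_state, None)
    if entry is None:
        raise ValueError("unknown or already-used RelayState")
    request_id, params = entry
    if in_response_to != request_id:
        raise ValueError("InResponseTo does not match the originating request")
    return params

if __name__ == "__main__":
    xml, relay = build_authn_request({"idpId": "OKTA-demo", "host": "localhost:8080"},
                                     "_3eabaae6d0c7543c625cc2083133be5a", "2022-08-31T10:46:27.514Z")
    print(xml)
    print("RelayState:", relay)
    print(accept_response(ACS_URL, "_3eabaae6d0c7543c625cc2083133be5a", relay))
```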

    • MilanD.01195 (Customer)

      Hi Matthew. Thanks for the answer.

      Can you please advise whether the URL can contain parameters that look like the ones in my question, idpId=OKTA-demo&host=localhost:8080

      However, I am getting an error upon saving the configuration:

      "Requestable SSO URLs must not contain query or fragment parameters."

      Can you please shed some more light on what I am hoping to achieve?

      Thanks.
This question is closed.