Why Okta SAML not adhere to SAML protocols regarding AssertionConsumerServiceURL?

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D54z000086YVxgCAGOkta Classic EngineSingle Sign-OnAnswered2022-09-29T13:16:13.000Z2022-09-20T14:31:05.000Z2022-09-29T13:16:13.000Z

MilanD.01195 (Customer) asked a question.

September 20, 2022 at 2:31 PM

Why Okta SAML not adhere to SAML protocols regarding AssertionConsumerServiceURL?

In SAML guidelines https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

section 3.4.1 Element <AuthnRequest>

Element AssertionConsumerServiceURL 2061 says

"Specifies by value the location to which the <Response> message MUST be returned to the requester"

Which I believe Okta is not adhere to,

In my SAML Request, which looks like following,

<?xml version="1.0" encoding="UTF-8"?>

<saml2p:AuthnRequest AssertionConsumerServiceURL="http://localhost:8080/core-demo/login?idpId=OKTA-demo&host=localhost%3A8080" Destination="https://dev-<masked>.okta.com/app/dev-<masked>_coredemo_2/<masked>/sso/saml" ID="_3eabaae6d0c7543c625cc2083133be5a" IsPassive="false" IssueInstant="2022-08-31T10:46:27.514Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">

<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">core-demo</saml2:Issuer>

<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />

</saml2p:AuthnRequest>

AssertionConsumerServiceURL is http://localhost:8080/core-demo/login?idpId=OKTA-demo&host=localhost%3A8080

But response is NOT sent to this URL (http://localhost:8080/core-demo/login?idpId=OKTA-demo&host=localhost:8080), instead it goes to SingleSignOnURL.

If I have same SP creating different AssertionConsumerServiceURL for parameter `hosts` then it's something that OKTA cannot do.

more details here https://support.okta.com/help/s/question/0D54z000082VH9rCAG/okta-saml-configuration-not-respecting-assertionconsumerserviceurl-when-sending-response-back-to-sp?language=en_US

User16594883323548314840 (Okta Integration Network)
4 years ago
Hello @MilanD.01195 (Customer),

Thank you for reaching out!

The best route to pursue regarding your inquiry would be to create a ticket with our support team in order to properly investigate the behavior that you are encountering. Also, I would recommend trying to capture a SAML trace or a HAR file in order for the support team to be able to see the flow and identify the root cause of the issue.

https://help.okta.com/oag/en-us/Content/Topics/Access-Gateway/troubleshooting-with-har.htm
https://developer.okta.com/docs/guides/saml-tracer/main/

Additionally, I have provided below a documentation that contains information about SAML, which might be useful :

https://developer.okta.com/docs/concepts/saml/

Expand Post
- MilanD.01195 (Customer)
  4 years ago
  Hi @User16594883323548314840 (Okta Integration Network) I had created ticket with OKTA and multiple iterations of issue demonstration and legit proof I was asked to pay for Profession services - which I cannot do at this point.
  
  What do you think next steps are?
  
  https://support.okta.com/help/s/case/5004z00001fuvQ8AAI/okta-saml-configuration-not-respecting-assertionconsumerserviceurl-when-sending-response-back-to-sp?language=en_US
  Expand Post
  - MilanD.01195 (Customer)
    4 years ago
    Case Id 01494923
    Expand Post

This question is closed.

Recommended content

Forum

Okta SAML configuration not respecting AssertionConsumerServiceURL when sending response back to SP

Forum

SAML AssertionConsumerServiceURL

Forum

Okta not able to authenticate SAML Response

Forum

It looks like Okta recommennds using WS Fed with .net applications. I was wondering if anyone knows why and if there is any reason SAML can not be used instead with Okta

Loading

Why Okta SAML not adhere to SAML protocols regarding AssertionConsumerServiceURL?