Okta Classic Engine | Integrations | Answered | 2024-03-20
IDP Initiated SSO Login Using Amazon Cognito

I have a SAML app in Okta that uses AWS Cognito. The current SP-initiated flow is working, but I want to implement the IdP-initiated flow so users can click on the Okta app to log in.

 

Right now, when clicking on the app from the Okta dashboard, this error appears: "Invalid relayState from identity provider", and per this official doc, the IdP-initiated workflow isn't supported by AWS Cognito: https://support.okta.com/help/s/article/why-amazon-cognito-idp-initiated-from-okta-offer-error-invalid-samlresponse-or-relaystate-from-identity-provider?language=en_US

 

But AWS Cognito recently released support for the IdP-initiated flow: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.html

 

So how do I configure IdP-initiated flow to work?


  • Mihai N. (Okta, Inc.)

    Hi @User16075870178282218094 (Customer), thank you for reaching out to the Okta Community!

     

    If the app is not "Okta Verified" and added to the Okta Integration Network, implementing it with a configuration that would allow IdP-initiated login is not something that you could achieve from the Okta side.

    That being said, if your SP initiated login works, you can simply set up a Bookmark app on the user's Okta Dashboard that points to the SP initiated login flow. 

    You leave the regular app as is, but hide it from the users (see the app General Tab→App Settings→App Visibility) so it does not create confusion. Then also assign them the Bookmark app, which they click on to trigger the login.

    In essence, you simulate the flow as mentioned in the article.  

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

This question is closed.
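
The Bookmark workaround in the answer above needs a URL that starts the SP-initiated flow. The following is an added example, not part of the thread and not Okta or AWS code: it builds and checks such a URL, assuming sign-in starts at the user pool's `/oauth2/authorize` endpoint. The domain prefix, region, client ID, callback URL and provider name are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameters the bookmark URL needs so Cognito redirects straight to the SAML IdP.
REQUIRED = ("response_type", "client_id", "redirect_uri", "identity_provider")

def build_bookmark_url(domain_prefix, region, client_id, redirect_uri,
                       provider_name, scope="openid"):
    """Return the Cognito authorize URL that starts SP-initiated login via one IdP."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "identity_provider": provider_name,  # name of the SAML IdP in the user pool
        "scope": scope,
    })
    host = f"{domain_prefix}.auth.{region}.amazoncognito.com"
    return f"https://{host}/oauth2/authorize?{query}"

def lint_bookmark_url(url):
    """Return a list of problems with a candidate bookmark URL (empty list = OK)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    problems = []
    if parts.scheme != "https":
        problems.append("bookmark must use https")
    if parts.path != "/oauth2/authorize":
        problems.append("path is not /oauth2/authorize")
    for name in REQUIRED:
        if name not in params:
            problems.append(f"missing {name}")
    # Hardening choice of this example: only the authorization code grant.
    if params.get("response_type", ["code"]) != ["code"]:
        problems.append("response_type should be code")
    # A static bookmark cannot carry values that must differ per request.
    if "state" in params or "code_challenge" in params:
        problems.append("static state/code_challenge: these must be per-request")
    return problems

if __name__ == "__main__":
    # Constructed sample values; replace with your user pool's settings.
    url = build_bookmark_url("example-pool", "us-east-1", "EXAMPLECLIENTID",
                             "https://app.example.com/callback", "Okta")
    print(url)
    print(lint_bookmark_url(url) or "OK")
```

If the application validates `state` or uses PKCE, point the Bookmark at the application's own login route instead, since a static URL cannot carry per-request values.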