Okta Classic Engine | Single Sign-On | Answered | 2024-10-31T22:12:53.000Z | 2024-10-17T16:56:00.000Z
Add multiple callback URLs to a SAML application?

We have multiple domain names that can be used to sign-in to a SAML application, but Okta only supports one Single Sign-on URL and Audience URI.

 

Is it possible to add multiple callback URLs to a SAML application, or is creating a second SAML application the only way to handle multiple domains?

 

We can't do that because the application we're trying to use can only support a single SAML configuration itself.

 

Another option I found was to add multiple URLs and try to edit the Audience Restriction field which appears on the General tab, however this field isn't present after clicking Edit, so I'm unsure whether that is even possible.

 

Thanks in advance for any insights/suggestions!


  • Mihai N. (Okta, Inc.)

    Hi @User17291839438602565861 (Customer)​ , Thank you for reaching out to the Okta Community! 

     

    The following article might help with your use case: 

    How to Add Additional Requestable SSO URLs in a Custom SAML App

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

     

  • Hi, I did look into that originally, but the issue is that here we're talking about two different domains, not just subdomains. In the linked article we have "https://abc.example.com/sam/sso" and "https://xyz.example.com/saml/sso", with the Audience Restriction set by the Entity ID of "example.com".

     

    In our case, we're trying to achieve a similar but different thing where the subdomain stays the same, but the top level domain changes, for example we want "https://abc.example.com" and "https://abc.somethingelse.com" to both be accepted.

    Selected as Best
    • Mihai N. (Okta, Inc.)

      Hi @User17291839438602565861 (Customer)​ , in this case, it's not going to be supported. Even if you create a separate app in Okta it will generate a new cert and Okta entity Id for that particular instance, so your app will have to support multiple IDP instances.

      If you can get your different URLs to point to the same SSO URL (example App embed link, found under the General tab of your app integration in Okta) you might be able to improvise something by leveraging a single app assigned to all the necessary users, but keep it hidden.

      Then you would also assign different Bookmark apps with the additional URLs to the users which they would use to trigger the authentication process.

      Example:

      1. Create a functional main SAML app with https://abc.example.com/sam/sso, leveraging the "Do not display application icon to users" option.
      2. Assign it to all users that require access to it.
      3. Create Bookmark app1 with URL for "https://xyz.example.com" - which would redirect to the embed link of the main SAML app and assign it to Group 1.
      4. Create Bookmark app2 with URL for "https://abc.somethingelse.com" - which would redirect to the embed link of the main SAML app and assign it to Group 2.

      ...and so on.

       

      Hope my answer helps! 

       

      • Yeah that would possibly work, but the application doesn't support multiple IDP instances sadly.

         

        Could we edit the Audience Restriction field? If I click Edit, then go to the second step, there's a list of fields we can configure under "General", but Audience Restriction is not one of them. Is that field derived from something else?

      • Mihai N. (Okta, Inc.)

        The generic template app does not allow for this type of customization.

        The only other route would be to add your own custom version of the app to the Okta Integration Network catalog. If you are the owner/vendor, you could work with our Okta Integrations team to create an app with the required features.

        More details here:

        Adding a New Application to the Okta Integration Network

        Publish an OIN integration 

         

         

        Regards.

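What a service provider checks on the fields discussed in this thread, as an added example that is not part of the thread and not Okta's or any vendor's code: the Audience is compared with the SP's entity ID as a plain identifier, while Destination and Recipient are compared with the ACS URL that actually received the POST. The entity ID, ACS URLs and response XML are constructed, the SP is assumed to accept more than one ACS URL, and signature verification is omitted.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP configuration (assumption): one entity ID, two ACS URLs on different domains.
SP_ENTITY_ID = "example.com"
SP_ACS_URLS = {"https://abc.example.com/saml/sso", "https://abc.somethingelse.com/saml/sso"}

def make_response(acs_url, audience):
    """Build a constructed, unsigned SAML Response carrying only the fields checked below."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{acs_url}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{acs_url}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_addressing(xml_text, received_at):
    """Return addressing errors; an empty list means Destination, Recipient and Audience match.
    Signature, timestamp and InResponseTo checks are out of scope and must run first in real code."""
    errors = []
    root = ET.fromstring(xml_text)  # constructed input only; use a hardened parser for untrusted XML
    if received_at not in SP_ACS_URLS:
        errors.append("endpoint is not a configured ACS URL")
    if root.get("Destination") != received_at:
        errors.append("Destination does not match receiving endpoint")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != received_at:
        errors.append("Recipient does not match receiving endpoint")
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    if SP_ENTITY_ID not in audiences:
        errors.append("Audience does not contain SP entity ID")
    return errors
```

A response addressed to one ACS URL is rejected at the other even though the audience matches, which is why the IdP must know every URL it may be asked to post to.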
