
VladN.75943 (Customer) asked a question.
Description:
We are integrating Okta as Identity Provider and Gravitee AM 3.x as a SAML 2.0 Service Provider.
In the SP-initiated login, Gravitee generates a RelayState in JWT format that includes:
{
"p": "idp-id",
"q": "client_id=....&response_type=code&redirect_uri=..."
}
This allows Gravitee to know which IdP to use (p) and how to resume the login flow (q).
In IdP-initiated login, Okta can only provide a static Default RelayState string. But this value is limited to 80 characters, so it is impossible to use the same value that Gravitee generates for the SP-initiated login.
Question:
Is there a way to configure Okta to support a longer RelayState (beyond the current limit) in IdP-initiated login, or another recommended workaround for SPs like Gravitee that require a larger RelayState value?

@VladN.75943 (Customer) From my knowledge the limitation is derived from the SAML standard specification itself.
In this case Gravitee needs to follow SAML standards, that is, to use a RelayState under 80 bytes.
Typically applications use their own database where they store this long URL with a generated GUID.
For example: landing.page = uniqueid
And they communicate app.com/uniqueid to Okta as the RelayState. This way the application can do an internal lookup to get the full URL.
If you have control over the Gravitee app code, you can implement the same logic.
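The short-handle indirection the reply describes, as an added example that is not part of the original thread and not Gravitee's or Okta's code. It assumes a hypothetical in-memory RelayStateStore (a real SP would back it with its database) and constructed sample values; the jwt_style_relay_state helper only mimics the base64url payload of the RelayState shown in the question, to show that it already exceeds the 80-byte cap the SAML 2.0 Bindings specification places on RelayState. It goes one step beyond the reply by also pre-registering a fixed value for the Default RelayState Okta sends in IdP-initiated login, so both flows resolve through the same lookup.

```python
"""Short-handle RelayState indirection for a SAML SP (added example).

Assumed names (not Gravitee's or Okta's API): RelayStateStore,
relay_state_fits, jwt_style_relay_state. All sample values are constructed.
"""
import base64
import json
import secrets
import time
from typing import Optional

# SAML 2.0 Bindings (HTTP Redirect and HTTP POST bindings) cap RelayState at 80 bytes.
RELAYSTATE_MAX_BYTES = 80


def relay_state_fits(value: str) -> bool:
    """True if the RelayState respects the limit (measured in bytes, not characters)."""
    return len(value.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


def jwt_style_relay_state(idp_id: str, resume_query: str) -> str:
    """Constructed stand-in for the JWT-style RelayState from the question:
    only the base64url-encoded {"p": ..., "q": ...} payload, no header or signature,
    which is already longer than a real signed JWT would be short."""
    payload = json.dumps({"p": idp_id, "q": resume_query}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode()


class RelayStateStore:
    """Server-side map from a short, unguessable handle to the full login context.

    issue()           -> handle to send as RelayState (SP-initiated flow)
    register_static() -> map a fixed RelayState, e.g. Okta's Default RelayState
                         for IdP-initiated login, to a pre-agreed context
    resolve()         -> turn the RelayState that comes back with the SAML
                         Response into {"p": idp_id, "q": resume_query}
    """

    def __init__(self, ttl_seconds: int = 300, now=time.time) -> None:
        self._dynamic: dict = {}
        self._static: dict = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested offline

    def issue(self, idp_id: str, resume_query: str) -> str:
        # 24 random bytes -> 32 URL-safe characters: well under 80 bytes and not guessable,
        # so an attacker cannot forge a handle that resumes someone else's login.
        handle = secrets.token_urlsafe(24)
        self._dynamic[handle] = {
            "p": idp_id,
            "q": resume_query,
            "exp": self._now() + self._ttl,
        }
        return handle

    def register_static(self, relay_state: str, idp_id: str, resume_query: str) -> None:
        """Pre-register a fixed RelayState (the value configured as Okta's Default
        RelayState, assumption) together with the context it should resolve to."""
        if not relay_state_fits(relay_state):
            raise ValueError("static RelayState exceeds %d bytes" % RELAYSTATE_MAX_BYTES)
        self._static[relay_state] = {"p": idp_id, "q": resume_query}

    def resolve(self, relay_state: str) -> Optional[dict]:
        """Return {"p": ..., "q": ...} for a valid RelayState, else None.

        Dynamic handles are single-use and expire; static entries are reusable
        because the IdP sends the same value on every IdP-initiated login.
        """
        entry = self._dynamic.pop(relay_state, None)  # pop => one-time use
        if entry is not None:
            if self._now() > entry["exp"]:
                return None
            return {"p": entry["p"], "q": entry["q"]}
        static = self._static.get(relay_state)
        return dict(static) if static is not None else None
```

The dynamic handle is deliberately random rather than a sequential id: the RelayState travels through the browser, so a predictable value would let a user resume another user's pending login. The expiry bounds how long an abandoned handle stays valid, and popping it on first use prevents replay of the same SAML Response.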
No, this likely isn't possible. That's an unusual implementation of RelayState on Gravitee's side. Ask if they can just send the URL, since RelayState is really designed to just be a URL, not a JWT.