[IdP] IDP initiated login in Okta

Published on 4 Jul by Telmo Martins

I have configured IDP in Okta successfully and can log in via Okta when I direct my browser to the eSpace default URI.

However, I am trying to allow IDP initiated login also, where the user is logged into the Okta homepage and can see the SAML application. When the user clicks on the SAML application, it redirects to https://XXX.outsystemscloud.com/IdP/SSO.aspx and then raises an "UNABLE TO PROCESS REQUEST - No SAML message found" message. Debugging the code, it seems to be expecting that the SAML response maps to a previous request in the database.

Have I configured this incorrectly or is there further code required to support IDP initiated login?

Thanks

Hi Ian,

The current version by default does not allow an IdP-initiated login (due to that validation). That was also reported in the past, and the next version that is coming up will cover that as a configuration option. For the moment you need to override and customize the IdP screen preparation in the If widget "ResponseId exists?".

PS - Using this component with Auto User-provisioning activated in a multi-tenant environment with IdP-initiated login needs to be done carefully, because in this specific scenario the IdP connector cannot check the right tenant the user is supposed to log in to; it will use the current tenant.

Regards

Hi Telmo,

Do you mean that if we use IDP with Okta we will not get a SAML response?

Thanks,

Rajat
Hi Rajat,

Meanwhile, the latest version of the IdP component already supports login initiated by the IdP server. It's disabled by default, but you can activate it on the component configuration page.

Regards

Hey Everyone,

I am also facing the same issue when I try to log in from the SSO page.

Telmo Martins, you mentioned that we can configure it from the "Component configuration" page. Could you please tell me the property name?

Thanks a lot.
Hi,

On the Back-office configuration page, open the third tab (SP Connector internal settings) and activate the checkbox labelled "Allow IdP Server Initiated Login". Having this activated, you may want to configure the "Login Default URL" value, which is configured on the same tab (as explained in the tooltip of the checkbox).

Regards
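As an added illustration of the decision the replies above describe (the SP rejecting a response that does not match a stored request, and the switch that permits unsolicited IdP-initiated responses), here is a small Python function; it is not the OutSystems IdP component's code, and the function name, the `allow_idp_initiated` flag and the two sample responses are constructed for this example. It assumes the response signature has already been verified before this check runs.

```python
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 specification.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def classify_response(xml_text, pending_request_ids, seen_assertion_ids, allow_idp_initiated):
    """Decide whether the SP accepts a SAML Response; returns (accepted, reason).

    pending_request_ids: IDs of AuthnRequests this SP issued and has not consumed yet
        (the "previous request in the database" mentioned in the thread).
    seen_assertion_ids: Assertion IDs already consumed, so an unsolicited response cannot
        simply be replayed once IdP-initiated login is allowed.
    allow_idp_initiated: stands in for the "Allow IdP Server Initiated Login" switch.
    Assumes the XML signature was verified beforehand (out of scope here).
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"
    in_response_to = root.get("InResponseTo")
    if in_response_to is not None:
        # SP-initiated flow: the response must answer a request we actually sent.
        if in_response_to in pending_request_ids:
            pending_request_ids.discard(in_response_to)  # one response per request
            return True, "sp-initiated"
        return False, "InResponseTo does not match a pending request"
    # No InResponseTo at all: an unsolicited (IdP-initiated) response.
    if not allow_idp_initiated:
        return False, "unsolicited response rejected"  # the component's default behaviour
    assertion_id = assertion.get("ID")
    if not assertion_id or assertion_id in seen_assertion_ids:
        return False, "missing or replayed assertion ID"
    seen_assertion_ids.add(assertion_id)
    return True, "idp-initiated"

# Constructed sample responses (signature, conditions and attributes omitted for brevity).
SP_INITIATED = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req1">'
    '<saml:Assertion ID="_a1"/></samlp:Response>'
)
UNSOLICITED = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2">'
    '<saml:Assertion ID="_a2"/></samlp:Response>'
)
```

With `allow_idp_initiated=False` the unsolicited sample is refused, which is the situation the original question describes; with it enabled, the same assertion is accepted once and refused on a second presentation.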