I’m trying to configure Okta as the IdP and Auth0 as the SP. My plan is to have the user go through Okta for authentication, then get redirected to Auth0, and finally end up with a JWT issued by Auth0 which I can then use in my web application (which is defined as a “Regular Web Application” in Auth0).
I have looked at the instructions here but I don’t understand the Okta instructions well enough. When I use the AIW in Okta to configure a SAML integration to Auth0, I am immediately prompted to provide these pieces of information:
Where do I get this information for my Auth0 tenant? For example: how do I get the Single Sign On URL, and Audience URI? What’s the DefaultRelayState?
When I go into Auth0 and select Authentication > Enterprise > SAML, I get prompted for a Signin URL (which I assume must be from Okta).
I must be getting this so badly wrong. Help?
On the Okta side, the Single Sign-on URL is where the SAML assertion will be sent, so this needs to be your Auth0 tenant’s login callback URL. If you need to support IdP Initiated SSO, you’d also need to add a query string parameter with your connection’s name you created on the Auth0 side that connects to Okta, this is also called the Assertion Consumer Service URL (lots of names for the same thing, helpful right? ):
Replacing the parts in capitals with your tenant’s details.
This is detailed here, point 3: Configure Auth0 as SAML Service Provider
Audience URI, aka Entity ID would be “urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME”
Replacing the values in captials with your Auth0 tenant’s details
(Point 4 on the above link)
Default relay state is where the user should be sent to after they login, in an SP initiated flow Auth0 will send a RelayState to Okta for you, so this default value on the Okta side shouldn’t be used in practice so I believe you can leave it blank when working with Auth0.
For IdP initiated a RelayState isn’t expected and Auth0 will send the user to the first allowed callback for the Application you have set as the default for the SAML connection’s IDP initiation settings tab. This can be also customised via the Query string field on the IdP-initiated settings tab
I hope that has helped clear things up, this Okta doc may be useful to you too for their side of the config:
On the Auth0 side, the Signin URL is indeed going to be an Okta URL which initiates the login, this should look something like:
Many thanks, good sir!
So if I have the Signin URL configured in Auth0 side (i.e. your last paragraph), that will allow my web application to redirect the user to Okta to complete authentication?
I test out your instructions.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.