Okta SAML Terminology

Problem statement

Auth0 is configured as the Service Provider (SP) and Okta is the Identity Provider (IdP) in a SAML enterprise arrangement. The login flow is SP-initiated.

The Okta IdP is operated by a ‘downstream’ customer and they have enquired about the meaning of the following terms:

  • Default RelayState
  • Name ID format
  • Application username

Solution

  • Default Relay State: Given that the login flow is SP-initiated, the “Default Relay State” field can be left blank. This field is only necessary for the IdP-initiated login flow.

  • Name ID Format: The “Name ID Format” field determines the format in which the NameID is returned to the service provider (Auth0). In this case the IdP is Okta, and Okta defaults to ‘email’ as the Name ID Format. The Name ID Format can be changed if required, but in most cases setting the field to “unspecified” is sufficient. Note that the default Name ID Format varies between IdPs and is not always ‘email’.

  • Application Username: The “Application Username” field defines which attribute of the user’s Okta profile is used as their username when logging in through this SAML connection. For example, if the field is set to “Okta Username”, users must log in with the value of the username field set in Okta (the IdP). In many cases the Okta username is the same as the Okta email address, but this depends on how the user profiles were defined when they were created in the Okta dashboard.
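As an added illustration (not part of the original article or of Auth0’s or Okta’s code), the snippet below shows what the two settings mean on the SP side: it reads the NameID and its Format attribute from a constructed, unsigned assertion fragment and checks it against the format the SP expects, and it checks that the RelayState an SP-initiated flow sent was echoed back unchanged (the IdP’s “Default RelayState” never enters that check). The URNs for the ‘email’ and ‘unspecified’ formats are the standard SAML 1.1 NameID format identifiers; the sample assertion and function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard NameID format URNs; Okta's "Email" and "Unspecified" choices map to these.
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed, minimal assertion fragment (no signature) used only as sample input.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def read_name_id(assertion_xml: str) -> Tuple[str, str]:
    """Return (format, value) of the assertion's Subject/NameID element."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion has no Subject/NameID")
    # SAML 2.0 core: a NameID with no Format attribute is treated as 'unspecified'.
    return node.get("Format", UNSPECIFIED), node.text.strip()


def name_id_acceptable(fmt: str, value: str, expected: str) -> bool:
    """Accept the NameID only when its format is the one the SP was configured
    for; for the email format, also require the value to look like an address."""
    if fmt != expected:
        return False
    if fmt == EMAIL:
        return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) is not None
    return True


def relay_state_ok(sent: Optional[str], returned: Optional[str]) -> bool:
    """SP-initiated flow: the IdP must echo back exactly the RelayState the SP sent.
    The IdP's 'Default RelayState' is only used when the IdP starts the flow and
    has no SP-supplied value to echo, so it plays no part here."""
    return sent is not None and sent == returned


if __name__ == "__main__":
    fmt, value = read_name_id(SAMPLE_ASSERTION)
    print(fmt, value, name_id_acceptable(fmt, value, EMAIL))
    print(relay_state_ok("sp-state-123", "sp-state-123"))
```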