State missing when using Okta SSO

I have an Auth0 SPA with an ExpressJS application that uses Google as IdP, and we are adding support for Okta.
The Google login flow is working fine, but using Okta and following the instructions from the Auth0 docs, "Configure Okta SAML app integration", we have issues.

The user has a button in the Okta dashboard that redirects to our login page: https://login.[APP_DOMAIN]/login/callback?connection=[CONNECTION]

If the user is not logged in already, then after the authentication process and its redirects are done, the user is redirected to:
https://[APP_DOMAIN]/authorize?code=[CODE] without state, response_type, scope and the other query params I see when connecting with Google, and the user gets the following message:
{"statusCode":400,"message":"state missing from the response"} and indeed there is no state in the URL params.

If the user refreshes the page, the app is loaded normally and the user data is fetched as if everything is fine.

If the user was already authenticated before clicking the button in Okta's dashboard, the flow works fine without error messages.

What needs to be done for the login flow with the Okta IdP to work flawlessly, pass the state, and not end with the "state missing" error message?

thanks,
Amit

Hi @amit.leshem

Welcome to the Auth0 Community!

Please allow me some time to look into the issue and I will be back with more information.

Thank you for your patience!
Gerald

Hi @amit.leshem

Thank you for your patience!

Based on the behaviour that you mentioned, you are certainly on the right track and I believe there might be two things that need to be tweaked in order to make the flow function correctly:

  • within your Application, add the connection hint (see the following documentation: Login and get user info) so that, when login is triggered, the connection parameter is sent to Auth0 via loginWithRedirect;
  • within your Okta Admin dashboard, the URL that your Application points to should contain the connection name as a query parameter. As an example, if your App is named "okta-saml", the URL in Okta should look something like this: https://[APP_DOMAIN]/login?connection=okta-saml

Let me know if this helped get the flow functioning correctly!

Best regards,
Gerald
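The two bullets above describe one handler on the SPA's `/login` route: a fresh arrival from the Okta dashboard button carries only `?connection=<name>`, so the app must start the flow itself through `loginWithRedirect` (which is what generates and stores the `state` that the callback later needs), while the return leg from Auth0 carries `code` and `state` and is finished with `handleRedirectCallback`. The following is an added example written for this thread, not code from the original post or from the Auth0 SDK: `auth0Client` is an injected stand-in assumed to expose `loginWithRedirect()` and `handleRedirectCallback()` with the auth0-spa-js v2 option shape (`authorizationParams`), the route and query names are the ones from the thread, and the sample URLs are constructed.

```javascript
// Added example (not from the thread or the Auth0 SDK). Decides, on the SPA's
// /login route, whether this page load is the return leg of an Auth0 redirect
// (code + state present) or a fresh entry from the Okta dashboard button
// (only ?connection=<name> present), and calls the injected client accordingly.

function parseQuery(url) {
  // Assumes an absolute URL; URL() is available in Node and all browsers.
  return Object.fromEntries(new URL(url).searchParams.entries());
}

// Classify the landing URL. The SDK can only finish the Authorization Code
// flow when both `code` and `state` came back: `state` must match the value it
// wrote into storage when loginWithRedirect() started the transaction, which is
// exactly what is missing when Okta sends the user in without the SPA's help.
function classifyLanding(url) {
  const q = parseQuery(url);
  if (q.code && q.state) return { kind: 'callback', code: q.code, state: q.state };
  if (q.code) return { kind: 'callback_missing_state', code: q.code };
  return { kind: 'login', connection: q.connection || null };
}

// Build the loginWithRedirect() options. The connection hint (first bullet in
// the reply) sends the user straight to the named SAML connection instead of
// the Universal Login connection picker. Option shape assumed: auth0-spa-js v2.
function buildLoginOptions(connection, returnTo) {
  const opts = { authorizationParams: {} };
  if (connection) opts.authorizationParams.connection = connection;
  if (returnTo) opts.appState = { returnTo };
  return opts;
}

// Entry point for the /login route. `auth0Client` is a hypothetical injected
// client; only the two methods named below are used.
async function handleLanding(url, auth0Client, returnTo = '/') {
  const landing = classifyLanding(url);
  switch (landing.kind) {
    case 'callback':
      await auth0Client.handleRedirectCallback(url);
      return { action: 'completed' };
    case 'callback_missing_state':
      // Mirrors the 400 the thread reports: no stored transaction matches this
      // response, so it must not be accepted. The fix is upstream (Okta URL must
      // point at /login?connection=..., so the SPA starts the flow itself).
      return { action: 'rejected', reason: 'state missing from the response' };
    default:
      await auth0Client.loginWithRedirect(buildLoginOptions(landing.connection, returnTo));
      return { action: 'redirecting', connection: landing.connection };
  }
}
```

With the Okta dashboard button pointing at `https://[APP_DOMAIN]/login?connection=okta-saml`, the first branch taken is `login`, the SDK writes its transaction (including `state`) and redirects to `/authorize`; the Auth0 callback then lands in the `callback` branch with both parameters present, so the "state missing" response no longer occurs.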