Using Okta as an IdP for an SPA

Hi,
I have a React SPA which uses Auth0 for authentication. One of my clients uses Okta for SSO, and I want to configure a connection for SSO to my application from Okta.
I have configured the enterprise connection using Configure Okta as SAML Identity Provider. I tested the connection and it works.

I am now trying to integrate the connection with my SPA. My SPA uses the Lock widget (version 11) and is not using a custom domain (it authenticates via .auth0.com). The Lock widget is embedded in my SPA (I am not using the hosted login page). I cannot seem to get this working, and couldn’t find a guide for it anywhere. There are a few things I am not sure I need:

  1. Should I enable the SAML2 Addon? If so, what should I set as the application callback URL? (I set up the connection in Okta as SAML, according to the guide I mentioned above.)

  2. When authenticating, I am having 2 issues:
    If this is an IdP-initiated authentication, the authentication seems successful (I see it in the log), but then I am redirected to my application login page (with the Lock widget), which asks me to log in (there is also an additional request parameter code=<random code>).
    If I try to initiate the connection through my application’s dashboard, the Lock widget identifies my domain as an SSO domain and attempts to initiate SSO with Okta. It reaches Okta but fails with the error: “The InResponseTo attribute does not match the id in the AuthNRequest” (in Okta I see it as a success).

What am I doing wrong? Is there some configuration required in the Lock widget in order to enable the integration? If not, is there a guide I can follow on integrating SSO via Okta with my SPA?

Thanks in advance!

Update - I resolved the issue on regular authentications - I did not set the connection to use my custom domain.

However, the issue where the IdP-initiated authentication doesn’t authenticate still persists. Any ideas?

Hi @gal

When setting up IdP-initiated authentication (aka IdP-Initiated SSO), you need to set the response_type to token id_token.

In your Lock Widget config you must also set the _enableIdPInitiatedLogin flag to true.

You can find more information in these docs.

Hope this helps!

Hi @charsleysa, that helped! Now I am at a point where I get a JWT from Auth0, but it contains an ‘at_hash’ field. Should I pass the access token to the backend from the frontend and use it too? Or is there a way to set Auth0 to use it?

Hi @gal

How you send the access_token to the backend is up to you / the API developers, but the standard is to include it in every HTTPS request using the Authorization header with the format Bearer <access_token>.
