
We have a hybrid mobile app built with Kendo UI and a backend .NET web service. All the calls from the UI are through ajax. Now we need to integrate the app with OKTA for user authentication, but we are not sure how to get a SAML token from OKTA directly from a web service call.

We already implemented a call to ADFS (active endpoint) from the web service to get a SAML token using Windows Identity Framework, and it works.

If anybody can share experience or point out the solution, it will be much appreciated!

  • I've done this in Java. You can read more about this in [http://stackoverflow.com/questions/37140940/authenticate-to-sharepoint-through-okta-from-back-end-service](http://stackoverflow.com/questions/37140940/authenticate-to-sharepoint-through-okta-from-back-end-service) – Hritcu Andrei Feb 03 '17 at 14:46

1 Answer


You can use the following sequence to obtain the SAML assertion:

1) You can use /api/v1/authn to get a sessionToken. This will require user credentials. A sample request would look like:

{
  "username": "john.doe@foo.com",
  "password": "myPa$$word",
  "relayState": "/myapp/some/deep/link/i/want/to/return/to",
  "options": {
    "multiOptionalFactorEnroll": false,
    "warnBeforePasswordExpired": false
  }
}

Response will return a sessionToken value.

2) Now, using that value as input, you can call /api/v1/sessions?additionalFields=cookieToken to return a cookieToken.

Request will look like this:

{
  "sessionToken": "1234123DGSABDaSDBasdbaasbdasdb-ABCDEAERasdlzxk"
}

Response will contain a cookieToken value.

3) Now you can use the app SSO URL that would trigger SAML - and attach the one-time cookieToken at the end to get the SAML assertion. If you paste this URL in the browser, it will actually log you into the SAML-enabled app.

Sample URL would be:

https://myorg.okta.com/home/salesforce/0oa31deg4ABCDEFGHIJ/46?onetimetoken=1234123DGSABDaSDBasdbaasbdasdb-ABCDEAERasdlzxk

Stephen Lee

  • I am trying this approach to authenticate to a SharePoint server, but when I call the /api/v1/sessions?additionalFields=cookieToken endpoint with the sessionToken returned from /api/v1/authn, the response is always 403 - Forbidden ["Invalid session"], i.e. { "errorCode": "E0000005", "errorSummary": "Invalid session", "errorLink": "E0000005", "errorId": "oaew0udr2ElRfCnZvBFt075SA", "errorCauses": [] } – Mike May 10 '16 at 12:56
  • Is this still actual? – T.S. Aug 24 '22 at 17:12
  • Give you +1 because generally it worked. But there still mystery on how to get SAML cleanly. I was able to get a page containing `SAMLResponse`. But how to get it cleanly? using API – T.S. Aug 25 '22 at 00:53
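The three calls the answer describes, chained as an added Python example that is not part of the original post or of any Okta SDK: the org URL and app link are the answer's placeholders, `fake_okta` is a constructed offline stand-in so the flow can be run without an Okta tenant, and the final regex assumes the SSO page is a standard SAML HTTP-POST auto-submit form with a hidden `SAMLResponse` input (the page the last comment mentions). The "Invalid session" 403 from the first comment is surfaced as an `OktaError` rather than swallowed.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

OKTA_BASE = "https://myorg.okta.com"                             # placeholder org, as in the answer
APP_SSO = OKTA_BASE + "/home/salesforce/0oa31deg4ABCDEFGHIJ/46"  # app link, as in the answer

class OktaError(RuntimeError): """Okta returned an error body; message carries its errorCode (e.g. E0000005)."""

def http_transport(method, url, body=None):
    """Real transport: JSON body in, (status, response text) out; HTTP error bodies are returned, not raised."""
    req = urllib.request.Request(url, method=method, data=json.dumps(body).encode() if body is not None else None,
                                 headers={"Accept": "application/json, text/html", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def fetch_saml_response(username, password, transport=http_transport):
    """Run the answer's three steps and return the base64 SAMLResponse string from the SSO page."""
    # 1) /api/v1/authn: credentials -> sessionToken (MFA_REQUIRED etc. carry no token and fail here)
    status, text = transport("POST", OKTA_BASE + "/api/v1/authn", {"username": username, "password": password})
    authn = json.loads(text)
    if status != 200 or authn.get("status") != "SUCCESS":
        raise OktaError(f"authn failed: {authn.get('errorCode') or authn.get('status')}")
    # 2) /api/v1/sessions?additionalFields=cookieToken: sessionToken -> one-time cookieToken
    status, text = transport("POST", OKTA_BASE + "/api/v1/sessions?additionalFields=cookieToken",
                             {"sessionToken": authn["sessionToken"]})
    session = json.loads(text)
    if status != 200 or "cookieToken" not in session:  # the 403 E0000005 case reported in the comments
        raise OktaError(f"session failed: {session.get('errorCode')} {session.get('errorSummary')}")
    # 3) app SSO URL + onetimetoken: Okta answers with the SAML HTTP-POST auto-submit form
    status, page = transport("GET", APP_SSO + "?" + urllib.parse.urlencode({"onetimetoken": session["cookieToken"]}))
    m = re.search(r'name="SAMLResponse"\s+value="([^"]+)"', page)  # assumption: standard hidden-input form
    if status != 200 or not m:
        raise OktaError("SSO page carried no SAMLResponse field")
    return m.group(1)

def fake_okta(method, url, body=None):
    """Constructed offline stand-in for Okta; every token and id value here is made up."""
    parts = urllib.parse.urlsplit(url)
    if parts.path == "/api/v1/authn":
        return 200, '{"status": "SUCCESS", "sessionToken": "SESS-constructed"}'
    if parts.path == "/api/v1/sessions" and body == {"sessionToken": "SESS-constructed"}:
        return 200, '{"id": "102-constructed", "cookieToken": "COOKIE-constructed"}'
    if parts.path == "/api/v1/sessions":
        return 403, '{"errorCode": "E0000005", "errorSummary": "Invalid session"}'
    if parts.path.startswith("/home/") and urllib.parse.parse_qs(parts.query).get("onetimetoken") == ["COOKIE-constructed"]:
        return 200, '<form method="POST"><input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNl"/></form>'
    return 404, "{}"
```

Against a real tenant, call `fetch_saml_response(user, pwd)` with the default transport; the returned value is still the base64 form-field string, which the web service must then validate (signature, audience, conditions) before trusting it.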