
We have read the OKTA guides, but have two unresolved questions:

  1. does OKTA support Artifact binding? https://en.wikipedia.org/wiki/SAML_2.0#HTTP_Artifact_Binding
  2. does OKTA/SAML 2.0 support unsolicited Identity Provider (IdP) artifact binding, or is it mandatory to be redirected from the Service Provider (SP)?

Regarding the first question

We face a situation where a large quantity of data would have to be transmitted through the user agent, and we are also motivated by security best practice. Our opinion is that artifact binding is the best security model for SAML 2.0, and it will also help reduce load on the user agent. Can OKTA support artifact binding? We haven't been able to find either a positive or negative confirmation in the documentation. Many apologies if this is an oversight on our part.

Regarding the second question

The problem we are solving is that we are integrating with an organisation that has a portal of products they recommend and for which they have organised access via their portal. Each of these products requires authentication, making a good case for Single Sign On (SSO). Both sides of the integration would like the user experience to be: click on the link and be logged in to the service. This differs from most SAML 2.0 modes of working, as the workflow starts at the IdP rather than the SP. Is this possible in OKTA, or at all in SAML 2.0? Again, many apologies if we have missed this in the documentation.

2 Answers

  1. Check the metadata generated by Okta. If it supports the artifact binding for messages sent to the SP, there will be an ArtifactResolutionService listed in the metadata.

  2. The SAML2 standard supports unsolicited artifact binding. I don't know if Okta does however.

Anders Abel


It doesn't seem that Okta supports this when I check the metadata.

Wikipedia shows what the ArtifactResolutionService item would look like in the metadata:

  <md:IDPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>...</ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService isDefault="true" index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.org/SAML2/ArtifactResolution"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/SAML2/SSO/Redirect"/>
    <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.org/SAML2/SSO/POST"/>
    <md:SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="https://idp.example.org/SAML2/Artifact"/>
    <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
      FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </md:IDPSSODescriptor>

I've looked through Okta's configuration and can't find any way to enable this so that it shows up as an available service.

Appetere
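Both answers come down to the same check: look in the IdP metadata for an ArtifactResolutionService (the SOAP back channel the SP calls to exchange the artifact) alongside a SingleSignOnService with the HTTP-Artifact binding. The script below automates that check. It is an added example, not code from the question, either answer, or Okta; the two metadata documents it parses are constructed for the example (the first follows the shape of the Wikipedia snippet above with namespace declarations added so it parses, the second has only front-channel bindings, as the second answer reports seeing, and is not real Okta output).

```python
# Added example (not code from the page, from Okta, or from either answerer):
# parse SAML 2.0 IdP metadata and report whether it advertises the artifact
# profile, i.e. an ArtifactResolutionService (SOAP back channel) plus a
# SingleSignOnService with the HTTP-Artifact binding. Both sample documents
# below are constructed for this example; neither is real Okta output.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed: an IdP that supports the artifact profile (shape of the
# Wikipedia snippet above, with namespace declarations so it parses).
METADATA_WITH_ARTIFACT = """<md:EntityDescriptor entityID="https://idp.example.org/SAML2"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo/></md:KeyDescriptor>
    <md:ArtifactResolutionService isDefault="true" index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://idp.example.org/SAML2/ArtifactResolution"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/SAML2/SSO/Redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.org/SAML2/SSO/POST"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="https://idp.example.org/SAML2/Artifact"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: an IdP that only offers the front-channel bindings and no
# artifact resolution endpoint (hypothetical hostnames, not Okta output).
METADATA_WITHOUT_ARTIFACT = """<md:EntityDescriptor entityID="https://idp.example.net/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idp.example.net/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.net/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def artifact_support(metadata_xml: str) -> dict:
    """Summarise what the IdP metadata advertises for the artifact profile."""
    root = ET.fromstring(metadata_xml)
    # Metadata may be a bare IDPSSODescriptor, an EntityDescriptor, or an
    # EntitiesDescriptor wrapping several entities; handle all three.
    if root.tag == "{%s}IDPSSODescriptor" % NS["md"]:
        descriptors = [root]
    else:
        descriptors = root.findall(".//md:IDPSSODescriptor", NS)

    resolution, sso_artifact, sso_bindings, warnings = [], [], set(), []
    for idp in descriptors:
        for svc in idp.findall("md:ArtifactResolutionService", NS):
            binding, location = svc.get("Binding"), svc.get("Location", "")
            resolution.append({"binding": binding, "location": location,
                               "index": svc.get("index")})
            # The spec defines only SOAP for artifact resolution, and the back
            # channel carries the real assertion, so insist on TLS for it.
            if binding != SOAP_BINDING:
                warnings.append("non-SOAP ArtifactResolutionService: %s" % binding)
            if not location.startswith("https://"):
                warnings.append("ArtifactResolutionService not over TLS: %s" % location)
        for svc in idp.findall("md:SingleSignOnService", NS):
            sso_bindings.add(svc.get("Binding"))
            if svc.get("Binding") == ARTIFACT_BINDING:
                sso_artifact.append(svc.get("Location"))

    return {
        # Both halves are needed: without a resolution endpoint the SP can
        # never exchange the artifact it receives for the actual Response.
        "supported": bool(resolution) and bool(sso_artifact),
        "artifact_resolution": resolution,
        "sso_artifact": sso_artifact,
        "sso_bindings": sorted(sso_bindings),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, doc in (("with artifact", METADATA_WITH_ARTIFACT),
                      ("without artifact", METADATA_WITHOUT_ARTIFACT)):
        print(name, artifact_support(doc))
```

To run it against a real IdP, pass the downloaded metadata document to artifact_support() in place of the constructed strings. Note that the resolution endpoint is a back channel the SP must reach directly, so if the IdP sits behind an allow-list or the SP has no outbound access, the metadata can advertise the profile and it will still not work in practice.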