Our company maintains a Web App composed of a front-end and a back-end (in Node.js), and we support the standard username/password login authentication. A couple of our partners have requested we support SAML SSO, so their end-users can access our web app through a link on their respective portals without the need to log in again.

Question: Do we need to turn our app into a full-fledged service provider (SP) by implementing a SAML sdk/library in our front-end and back-end?

Or is it possible to use a 3rd party authentication provider like Okta to handle the SAML nitty-gritty behind the scenes and then redirect the end user to our app, with possibly a token (JWT?) so we can retrieve the user info from Okta?

I've read everything I could find on Okta's site, and here, and couldn't find a definitive answer, either yes it's possible (with example) or no you can't do that.

1 Answer

Like you already mentioned in your question, there are 2 possible ways to do it.

  1. Update your application to support SAML login flow with your app as SP, in which case you will not need to use any 3rd party auth provider

  2. If you don't want to get into the SAML nitty-gritty, you can use a 3rd party provider like Okta as an intermediary that will consume the SAML responses from the IdP (used by your external customers) and then convert that assertion into an OpenID token (JWT). In this case, Okta will act as an IdP (Authorization server) to your web app and generate ID tokens. Your app will then need to implement the OpenID Connect login flow. You can refer to http://developer.okta.com/code/javascript/okta_sign-in_widget_ref for this.

5 Comments

Thanks, can this flow be automated so there is no user interaction, like clicking on the app, at the Okta level? Ideally, the end user clicks on a button in their company's portal and eventually ends up logged into our company's app seamlessly.

Well, there can't be a situation where there is "no user interaction" as the user will have to click on the app link/button as you said, but the user must also have already authenticated himself with his own identity provider. If he's not already authenticated, we won't be able to generate a SAML response in your case, as the IdP needs to know some info about the user to generate a response.

In your case, let's say the external customers have their own Active Directory credentials within their company's network to log in. When the user tries to log in to your web app, Okta will intercept that request and send a SAML authentication request to the IdP (Active Directory). If the user hasn't already logged in, AD will ask the user to log in to generate a SAML response. If the user had already logged into his AD account, the experience is seamless, in the sense that the user won't need to log in again to access your app. Hope this makes sense.

I guess I misunderstood your question. You meant to ask if the user will have to click on the app at the Okta level. I believe that can be made possible, i.e. you won't have a 2nd redirection needed. I'm not completely sure about it. I will ask around and let you know. Full disclosure: I work at Okta.

Thanks Vijet, let me clarify my question. Here's the ideal scenario: The end-user logs into their company's internal network AD, opens up their portal, then clicks on a button to launch our webapp. The SAML authentication is handled between Okta and the end-user's IdP, and once the user is authenticated, Okta launches our WebApp passing in the user info using some secure method our WebApp already supports (such as OpenID Connect, or simple SWA). In theory, the end-user wouldn't even know Okta is brokering the authentication between their portal and our webapp.
