I have configured SAML 2.0 application on OKTA.
For SAML 2.0, Okta (acting as the IDP) supports 2 methods of authentication:
In IDP-initiated, the flow is:
1. User goes to Okta (assumption is that the user has an existing Okta session)
2. User clicks on the Chicklet and this sends a SAMLResponse to the configured SP
3. A session is established with the SP
4. User is authenticated
This flow is working
In SP-initiated, the flow is:
1. User goes to the target SP first. They do not have a session established with the SP
2. SP redirects the user to the configured Login URL (Okta's generated app instance URL), sending the SAMLRequest
3. Okta is sent the SAMLRequest (assumption is that the user has an existing Okta session)
4. Okta sends a SAMLResponse to the configured SP
5. SP receives the SAMLResponse and verifies that it is correct. A session is established on the SP side
6. User is authenticated
This flow isn't working: I get a 401 Unauthorized, "You do not have permission to view this directory or page."
The SP won't redirect to Okta (IDP)
I have tried changing the permissions of the site for 'Everyone' to Full Control, but without success.
Make sure that you have configured your SAML 2.0 application to use the correct Single Sign On service URL.
In Okta, you can determine which Single Sign On URL you should use for SAML SP requests as follows:
You should see a page similar to the one below:
From this page, either click on the "View Setup Instructions" button or on the "Identity Provider metadata" link to get the URL your SAML SP should be redirecting users to. In the setup instructions this URL is labelled "Identity Provider Single Sign-On URL"; in the SAML metadata file it is the "Location" attribute of the "SingleSignOnService" tag.
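As an added example (not code from the question or the answer above), the following Python shows what the SP side of the SP-initiated flow has to do with that metadata: read the SingleSignOnService Location for the HTTP-Redirect binding, build the redirect to the IdP carrying a deflated, base64-encoded AuthnRequest, and decode such a redirect again so what an SP actually sent can be checked when troubleshooting. The metadata document, entity IDs and URLs are constructed placeholders, and the AuthnRequest is unsigned.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of an IdP metadata document; not real Okta output.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sso_location(metadata_xml, binding=HTTP_REDIRECT):
    """Return the SingleSignOnService Location for the requested binding, or None if absent."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", MD_NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    return None

def build_redirect_url(sso_url, sp_entity_id, acs_url, request_id=None, issue_instant=None):
    """Build the URL the SP redirects the browser to (HTTP-Redirect binding, unsigned AuthnRequest)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="{HTTP_POST}" AssertionConsumerServiceURL="{acs_url}">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>'
    )
    # Redirect binding: raw DEFLATE (wbits=-15, no zlib header), then base64, then URL-encoding.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    saml_request = base64.b64encode(comp.compress(authn_request.encode()) + comp.flush()).decode()
    return sso_url + "?" + urlencode({"SAMLRequest": saml_request})

def decode_saml_request(redirect_url):
    """Reverse the encoding so the AuthnRequest an SP emitted can be inspected from a captured URL."""
    encoded = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode()
```

If the SP never produces a URL of this shape (the 401 in the question appears before any redirect), the problem is on the SP side before SAML is involved; if it does, the Location the redirect targets must match the IdP metadata exactly.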