SP redirect to OKTA IDP - I get response 401 Unauthorized

2k views Asked by At

I have configured SAML 2.0 application on OKTA.

For SAML 2.0, Okta (acting as the IDP) supports 2 methods of authentication:

In IDP initiated the flow is:

User goes to Okta (assumption is that the user has an existing Okta session) User clicks on the Chicklet and this sends a SAMLResponse to the configured SP A session is established with the SP User is authenticated

This flow is working

In SP initiated the flow is:

User goes to the target SP first. They do not have a session established with the SP SP redirects the user to the configured Login URL (Okta’s generated app instance url) sending the SAMLRequest. Okta is sent SAMLRequest (assumption is that the user has an existing Okta session) Okta sends a SAMLResponse to the configured SP SP receives the SAMLResponse and verifies that it is correct. A session is established on the SP side. User is authenticated

This flow isn't working: I got 401 Unauthorized "You do not have permission to view this directory or page."

The SP won't redirect to Okta (IDP)

I have tried changing the permissions of the site for 'Everyone' to Full Control, but without success.

1

There are 1 answers

0
Joël Franusic On

Make sure that you have configured your SAML 2.0 application to use the correct Single Sign On service URL.

In Okta, you can determine which Single Sign On URL you should use for SAML SP requests as follows:

  1. Visit the Admin section of your Okta organization page
  2. Click on Applications
  3. Select the application that you are configuring
  4. Click on the Sign On tab for that application

You should see a page similar to the one below:

The "Sign On" tab of a SAML-enabled application in Okta

From this page, either click on the "View Setup Instructions" button or on the "Identity Provider metadata" link to get the URL your SAML SP should be redirecting users to. This URL will be called either the "Identity Provider Single Sign-On URL" or can be found in the SAML metadata file as the "Location" attribute in the "SingleSignOnService" tag.