Reputation: 43
I am trying to implement SSO with Okta in Python Flask, but I don't see anywhere in their docs where I could pass in a parameter and retrieve it back in a successful login response. I currently have 2 endpoints modeled after https://github.com/jpf/okta-pysaml2-example/blob/master/app.py.
An SP-initiated method, which gets the parameter I'm passing in and sends a SAML request to Okta.
An IDP-initiated method, where on a valid login, Okta sends a SAML response and I redirect to a URL where I want to append the initial parameter passed in. Is this possible?
Upvotes: 0
Views: 766
Reputation: 4551
Where the user goes post sign-in is determined by the Relay State. It's an opaque value, so any parameter you want to set can be part of that. For simplicity, Relay State could be an encoded URL. Alternatively, it could be something your SP knows how to translate/decrypt to redirect the user to the next state (i.e., page).
For SP-initiated requests, you (the SP) provide the Relay State.
For IDP-initiated requests, you should be able to set the default relay state. Specifically for Okta, set the Default Relay State under Application - Settings - Sign On Methods for the application in question.
(If you want Okta to send you to different places, say "main" vs. "admin console" parts of your SP application, you either need multiple Okta applications, or you send the user to the same place and your SP figures out where to send them "next", perhaps based on the logged-in user name, or via an Attribute Value Assertion included with the authentication response.)
Upvotes: 0
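One way the SP can carry its own parameter through the round trip in the opaque Relay State described in the answer, as an added example that is not part of the question, the answer, or the linked okta-pysaml2-example project. It uses only the Python standard library; the HMAC key, the helper names and the allowlist of post-login paths are assumptions. The SP-initiated handler would put `make_relay_state(...)` into the SAML request's RelayState, and the ACS handler would call `post_login_redirect(...)` on the RelayState that comes back once the SAML response itself has been validated.

```python
# Added example, not from the question or answer: an opaque, integrity-protected
# RelayState for the SP side. Standard library only; key, helper names and the
# allowlist of post-login paths are assumptions.
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

RELAY_KEY = b"sp-relay-state-key-constructed-for-example"  # constructed; load from config
ALLOWED_NEXT = {"/dashboard", "/admin", "/reports"}  # SP-local destinations only

def make_relay_state(next_path: str, params: dict) -> str:
    """Pack the next page and the caller's parameter into one opaque string.
    Layout: base64url(JSON payload || HMAC-SHA256 tag), so the SP can later
    recognise a RelayState it issued and reject a forged or tampered one.
    """
    payload = json.dumps({"next": next_path, "params": params},
                         separators=(",", ":")).encode()
    tag = hmac.new(RELAY_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode().rstrip("=")

def parse_relay_state(state: str):
    """Return the decoded payload, or None if the encoding or tag is invalid."""
    try:
        raw = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
    except (ValueError, TypeError):
        return None
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(RELAY_KEY, payload, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None

def post_login_redirect(state: str, default: str = "/dashboard") -> str:
    """ACS side: map a verified RelayState back to an SP-local URL.
    The original parameter is re-appended as a query string; anything that
    fails verification or is off the allowlist falls back to `default`, so a
    RelayState supplied by someone else cannot become an open redirect.
    """
    data = parse_relay_state(state)
    if not data or data.get("next") not in ALLOWED_NEXT:
        return default
    query = urlencode(data.get("params") or {})
    return data["next"] + ("?" + query if query else "")
```

For the IDP-initiated flow, the Default Relay State configured in Okta is a fixed value, so the SP cannot receive a per-user parameter that way; it can only decode whatever static state it configured and fall back to `default` for anything else.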