IdP Specific Findings
Findings and issues we found while working with specific IdPs
Okta
- In the "What we Provide You" section, Okta calls the Identifier "Audience URI".
- In the "What we Provide You" section, Okta calls the Reply/Assertion "Single Sign on URL".
- Must initiate the SSO login attempt from the <tenant>.beauthenticx.com subdomain - this creates a "solicited" login request.
- Initiating login from within Okta creates an "unsolicited" login request, which we reject with a 404 error.
- Okta has an option for Group Attribute statements - do not use. Use the "Attribute Statements" option.
- Input property labels: "emailAddress", "firstName", "lastName"
- Okta lets admin user select the available field names to map into these Attributes.
- Binding Type should be HttpRedirect (selection in Org Details/SSO Options)
- SAML Tracer browser extension (Chrome) should be installed on user's browser for troubleshooting; can be removed after testing succeeds.
- Watch out for unprintable/non-ASCII characters in URLs provided by Okta; they show up unpredictably.
- If the post-authentication redirect takes you to https://<tenant>.beauthenticx.com/index.html, check the configuration within the IdP (likely the Reply/Assertion), as that page does not exist.
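
The checks in the list above can be run against the decoded Response XML copied from SAML Tracer. This is an added example, not code from the product or from Okta; `check_response`, `hidden_chars`, `sample` and the `sp.example` URLs are hypothetical names and constructed values, and the script only inspects fields (it does not validate signatures).

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"emailAddress", "firstName", "lastName"}  # labels from this page

def hidden_chars(value):
    """List (index, codepoint) of whitespace, control and non-ASCII characters."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(value)
            if not 0x20 < ord(c) < 0x7F]

def check_response(xml_text, identifier, reply_url):
    """Inspect a decoded SAML Response; troubleshooting only, no signature checks."""
    root = ET.fromstring(xml_text)
    problems = []
    if not root.get("InResponseTo"):
        problems.append("unsolicited: no InResponseTo, login was started inside the IdP")
    found = (("Single Sign on URL", root.get("Destination", ""), reply_url),
             ("Audience URI", root.findtext(".//a:Audience", "", NS), identifier))
    for label, got, want in found:
        if hidden_chars(got):
            problems.append(f"{label} has hidden characters {hidden_chars(got)}")
        elif got != want:
            problems.append(f"{label} mismatch: {got!r} != {want!r}")
    names = {a.get("Name") for a in root.iterfind(".//a:Attribute", NS)}
    if REQUIRED_ATTRS - names:
        problems.append(f"missing attributes {sorted(REQUIRED_ATTRS - names)}")
    return problems

# Constructed sample values (hypothetical; use the ones from "What we Provide You").
IDENTIFIER = "https://sp.example/saml/identifier"
REPLY_URL = "https://sp.example/saml/reply"

def sample(in_response_to, audience, attrs=REQUIRED_ATTRS):
    """Build a minimal, unsigned Response for demonstration (not a real capture)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    stmts = "".join(f'<a:Attribute Name="{n}"/>' for n in sorted(attrs))
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}"'
            f' Destination="{REPLY_URL}"{irt}><a:Assertion><a:Conditions>'
            f'<a:AudienceRestriction><a:Audience>{audience}</a:Audience>'
            f'</a:AudienceRestriction></a:Conditions><a:AttributeStatement>'
            f'{stmts}</a:AttributeStatement></a:Assertion></p:Response>')

if __name__ == "__main__":
    for xml_text in (sample("_req1", IDENTIFIER),
                     sample(None, IDENTIFIER + "\u200b", {"emailAddress"})):
        print(check_response(xml_text, IDENTIFIER, REPLY_URL) or "OK")
```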