SAML pass through reference architecture

This reference architecture describes the components, flow and similar requires for integrating SAML pass through applications and Access Gateway .

Architecture

The SAML pass through architecture is composed of:

Split DNS - Internal users access the SAML aware application using the same DNS name as internet based users, however the address provided is either the IP address of Access Gateway (external or internet based) or the IP address of the SAML aware application (internal users).
Okta SAML application - An Okta based application, used behind the scenes and hidden from the user.
Access Gateway and application - proxies SAML requests. The application itself is hidden from users as it is not used directly.
Okta bookmark application - Used by those who access the application from within their Okta org.

External internet user	Internal user
The user requests application access . Access Gateway intercepts request and redirects to Okta for a SAML assertion. The user sends SAML authorization request to Okta, logs into Okta following Okta policies. Okta Generates a SAML assertion for Access Gateway. The user presents SAML Assertion to Access Gateway; Access Gateway creates an Access Gateway session cookie. Access Gateway proxies request to SAML application. Application requests SAML assertion from Okta. Access Gatewayproxies SAML AuthN Request to browser. Browser sends SAML authorization request to Okta. Okta Generates SAML assertion based on access Policy. Because the user is already logged into Okta no re-authentication is required. The browser sends the SAML assertion to Access Gateway. Access Gatewayproxies SAML assertion to the app. The app reads the SAML Assertion, creates a local session and passes content to Access Gateway Access Gateway passes the application session and content to user.	User Requests application access. App Requests SAML Assertion from Okta. Browser sends SAML AuthN Request to Okta. Okta authenticates user and Generates SAML assertion based on access policy. Browser sends SAML assertion to application. APP Reads SAML assertion, creates a local session and passes content to User.

External internet user

Internal user

The user requests application access .
Access Gateway intercepts request and redirects to Okta for a SAML assertion.
The user sends SAML authorization request to Okta, logs into Okta following Okta policies.
Okta Generates a SAML assertion for Access Gateway.
The user presents SAML Assertion to Access Gateway; Access Gateway creates an Access Gateway session cookie.
Access Gateway proxies request to SAML application.
Application requests SAML assertion from Okta.
Access Gatewayproxies SAML AuthN Request to browser.
Browser sends SAML authorization request to Okta.
Okta Generates SAML assertion based on access Policy.
Because the user is already logged into Okta no re-authentication is required.
The browser sends the SAML assertion to Access Gateway.
Access Gatewayproxies SAML assertion to the app.
The app reads the SAML Assertion, creates a local session and passes content to Access Gateway
Access Gateway passes the application session and content to user.

Component	Description and requirements
Okta Access Gateway	All versions of Okta Access Gateway support SAML pass through.
Access Gatewayapp	Application defined within Access Gateway, but hidden from everyday users.
Okta SAML app	A hidden application used by Okta.
Okta Bookmark app	A book mark application listed in the Okta org.
SAML Application	An internal SAML application, but using the same name as external references, differentiated by split DNS.
External URL	External URL specified by the Public Domain field within Access Gateway. Identical DNS to the internal SAML app, differentiated by external DNS. For example: https://saml-app.example.com