SAML pass through reference architecture

This reference architecture describes the components, flow and similar requires for integrating SAML pass through applications and Access Gateway .

Topics:

Architecture

The SAML pass through architecture is composed of:

  • Split DNS - Internal users access the SAML aware application using the same DNS name as internet based users, however the address provided is either the IP address of Access Gateway (external or internet based) or the IP address of the SAML aware application (internal users).
  • Okta SAML application - An Okta based application, used behind the scenes and hidden from the user.
  • Access Gateway and application - proxies SAML requests. The application itself is hidden from users as it is not used directly.
  • Okta bookmark application - Used by those who access the application from within their Okta org.

Flow

External internet user Internal user
  1. User Requests application access
  2. Access Gateway intercepts request and redirects to Okta for SAML assertion.
  3. User sends SAML AuthN Request to Okta, logs into Okta following Okta policies.
  4. Okta Generates a SAML assertion for Access Gateway.
  5. User presents SAML Assertion to Access Gateway; Access Gateway creates an Access Gateway session cookie.
  6. Access Gateway proxies request to application.
  7. Application requests SAML assertion from Okta.
  8. Access Gatewayproxies SAML AuthN Request to browser.
  9. Browser sends SAML AuthN request to Okta.
  10. Okta Generates SAML assertion based on access Policy.
    Since user is already logged into Okta no re-authentication is required.
  11. Browser sends SAML assertion to Access Gateway
  12. Access Gatewayproxies SAML assertion to App
  13. APP Reads SAML Assertion, creates a local session and passes content to Access Gateway
  14. Access Gateway passes application session and content to user.
  1. User Requests application access.
  2. App Requests SAML Assertion from Okta.
  3. Browser sends SAML AuthN Request to Okta.
  4. Okta authenticates user and Generates SAML assertion based on access policy.
  5. Browser sends SAML assertion to application.
  6. APP Reads SAML assertion, creates a local session and passes content to User.

Components and requirements

Component Description and requirements
Okta Access Gateway All versions of Okta Access Gateway support SAML pass through.

Access Gatewayapp

Application defined within Access Gateway, but hidden from everyday users.

Okta SAML app A hidden application used by Okta.
Okta Bookmark app A book mark application listed in the Okta org.
SAML Application An internal SAML application, but using the same name as external references, differentiated by split DNS.
External URL External URL specified by the Public Domain field within Access Gateway.  Identical DNS to the internal SAML app, differentiated by external DNS.
For example: https://saml-app.example.com