SAML pass through reference architecture

This reference architecture describes the components, flow and related requirements for integrating SAML pass through applications with Access Gateway.

Architecture

The SAML pass through architecture is composed of:

  • Split DNS - Internal users access the SAML aware application using the same DNS name as internet based users, however the address provided is either the IP address of Access Gateway (external or internet based) or the IP address of the SAML aware application (internal users).
  • Okta SAML application - An Okta based application, used behind the scenes and hidden from the user.
  • Access Gateway application - An application defined in Access Gateway that proxies SAML requests. The application itself is hidden from users because it is never accessed directly.
  • Okta bookmark application - Used by those who access the application from within their Okta org.

Flow

External internet user

  1. The user requests application access.
  2. Access Gateway intercepts the request and redirects to Okta for a SAML assertion.
  3. The user sends a SAML authorization request to Okta and logs into Okta following Okta policies.
  4. Okta generates a SAML assertion for Access Gateway.
  5. The user presents the SAML assertion to Access Gateway; Access Gateway creates an Access Gateway session cookie.
  6. Access Gateway proxies the request to the SAML application.
  7. The application requests a SAML assertion from Okta.
  8. Access Gateway proxies the SAML AuthN request to the browser.
  9. The browser sends the SAML authorization request to Okta.
  10. Okta generates a SAML assertion based on the access policy.
    Because the user is already logged into Okta, no re-authentication is required.
  11. The browser sends the SAML assertion to Access Gateway.
  12. Access Gateway proxies the SAML assertion to the app.
  13. The app reads the SAML assertion, creates a local session and passes content to Access Gateway.
  14. Access Gateway passes the application session and content to the user.

Internal user

  1. The user requests application access.
  2. The app requests a SAML assertion from Okta.
  3. The browser sends a SAML AuthN request to Okta.
  4. Okta authenticates the user and generates a SAML assertion based on the access policy.
  5. The browser sends the SAML assertion to the application.
  6. The app reads the SAML assertion, creates a local session and passes content to the user.

Components and requirements

  • Okta Access Gateway - All versions of Okta Access Gateway support SAML pass through.
  • Access Gateway app - Application defined within Access Gateway, but hidden from everyday users.
  • Okta SAML app - A hidden application used by Okta.
  • Okta Bookmark app - A bookmark application listed in the Okta org.
  • SAML Application - An internal SAML application using the same name as external references, differentiated by split DNS.
  • External URL - External URL specified by the Public Domain field within Access Gateway. Identical DNS name to the internal SAML app, differentiated by external DNS. For example: https://saml-app.example.com
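The split DNS requirement above (one name, two answers) is the part of this architecture that is easiest to get subtly wrong, so here is an added check, not part of the Okta documentation, that classifies what each resolver view returns for the shared name. The gateway address, application address and resolver answers are constructed sample values; the assumption is that the external view must point at Access Gateway only and the internal view (which is also what Access Gateway itself uses when proxying) must point at the application only.

```python
# Constructed sample values for the shared name in the External URL.
# Replace with the real gateway and application addresses when using this.
APP_NAME = "saml-app.example.com"
GATEWAY_IPS = {"203.0.113.10"}   # Access Gateway, internet facing (constructed)
APP_IPS = {"10.20.30.40"}        # SAML aware application, internal (constructed)


def classify_view(view: str, answers: set[str]) -> str:
    """Classify the answers one resolver view gives for APP_NAME.

    view is "external" (internet resolvers) or "internal" (corporate
    resolvers, including the resolver Access Gateway uses to reach the app).
    """
    answers = set(answers)
    if not answers:
        return "no-answer"
    if view == "external":
        if answers <= GATEWAY_IPS:
            return "ok"          # internet users land on Access Gateway
        if answers & APP_IPS:
            return "leak"        # external name points at the app, bypassing the gateway
        return "unexpected"
    if view == "internal":
        if answers <= APP_IPS:
            return "ok"          # internal users, and the gateway's proxy, reach the app directly
        if answers & GATEWAY_IPS:
            return "loop"        # the gateway would proxy the request back to itself
        return "unexpected"
    raise ValueError(f"unknown view {view!r}")


def check_split_dns(resolutions: dict[str, set[str]]) -> dict[str, str]:
    """Return a status per resolver view, e.g. {"external": "ok", "internal": "loop"}."""
    return {view: classify_view(view, ips) for view, ips in resolutions.items()}


if __name__ == "__main__":
    # Constructed answers, the kind of thing `dig +short saml-app.example.com`
    # would show from an internet host and from an internal host.
    sample = {"external": {"203.0.113.10"}, "internal": {"10.20.30.40"}}
    print(APP_NAME, check_split_dns(sample))
```

A "loop" result is the case to watch for when Access Gateway is placed on the internal network, because it resolves the same name as internal users.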