Add SAML pass through application

SAML pass through applications are a combination of applications in an Okta org, an Access Gateway SAML proxy application and configuration. The architecture, flow and tasks required to create a SAML pass thought application are described below.

Architecture and process flow


The SAML pass through architecture is composed of:

  • Split DNS - Internal users access the SAML aware application using the same DNS name as internet based users, however the address provided is either the IP address of Access Gateway (external or internet based) or the IP address of the SAML aware application (internal users).
  • Okta SAML application - An Okta based application, used behind the scenes and hidden from the user.
  • Access Gateway and application - proxies SAML requests. The application itself is hidden from users as it is not used directly.
  • Okta book mark application - Used by those access the application from within their Okta org.

Process flow

External internet user Internal user
  1. User Requests application access
  2. Access Gateway intercepts request and redirects to Okta for SAML assertion.
  3. User sends SAML AuthN Request to Okta, logs into Okta following Okta policies.
  4. Okta Generates a SAML assertion for Access Gateway.
  5. User presents SAML Assertion to Access Gateway; Access Gateway creates an Access Gateway session cookie.
  6. Access Gateway proxies request to application.
  7. Application requests SAML assertion from Okta.
  8. Access Gatewayproxies SAML AuthN Request to browser.
  9. Browser sends SAML AuthN request to Okta.
  10. Okta Generates SAML assertion based on access Policy.
    Since user is already logged into Okta no re-authentication is required.
  11. Browser sends SAML assertion to Access Gateway
  12. Access Gatewayproxies SAML assertion to App
  13. APP Reads SAML Assertion, creates a local session and passes content to Access Gateway
  14. Access Gateway passes application session and content to user.
  1. User Requests application access.
  2. App Requests SAML Assertion from Okta.
  3. Browser sends SAML AuthN Request to Okta.
  4. Okta authenticates user and Generates SAML assertion based on access policy.
  5. Browser sends SAML assertion to application.
  6. APP Reads SAML assertion, creates a local session and passes content to User.

Before you begin

  • Requires split DNS model, where:
    • The DNS name for the backend server needs to be the same as the Access Gateway DNS name.
    • The internal (non-internet) DNS must resolve to the actual SAML aware application server.
    • The external (internet facing) DNS must resolve to the Access Gateway.

Typical workflow



Create a containing group

Collect required SAML

Create Okta SAML application

Create Access Gateway SAML proxy application

Create Okta bookmark application

Hide applications

Test the application

Related topics