Common Access Gateway flows
Requests can be initiated at the service provider (SP-initiated) or from an Okta tenant (IdP-initiated). The following diagrams represent these sequence flows.
IdP, service provider, and general flows
IdP-initiated flow
Step | Description |
---|---|
1 | User signs in to Okta. |
2 | Okta sends the user's identity to Access Gateway as a SAML assertion. |
3 | Access Gateway adds the required application attributes. |
4 | Protected web resource receives the request and returns a response to Access Gateway. |
5 | Access Gateway performs any required rewrites and returns the response. |
SP-initiated flow
Step | Description |
---|---|
1 | User requests application access. |
2 | Access Gateway intercepts the request and redirects to Okta for a SAML assertion. |
3 | User (browser) sends a SAML AuthN request to Okta and signs in to Okta according to Okta policies. |
4 | On success, Okta generates a SAML assertion for Access Gateway. |
5 | User (browser) presents the SAML assertion to Access Gateway. |
6 | Access Gateway forwards the request to the protected web resource. |
7 | Protected web resource receives the request and returns a response to Access Gateway. |
8 | Access Gateway performs any required rewrites and returns the response. |
Once a flow is initiated, Access Gateway moves each request through a number of states. The following diagram and state transition table describe this flow.
State | Description | Error | Success |
---|---|---|---|
Initial | Starting state, where the request has yet to be made. | | |
Domain served | DNS entry points to Access Gateway, but the domain is not served by Access Gateway. | Unknown host. Status code: 400. "The requested host:'domain.tld' is not being served by this Access Gateway." | Continue |
Session does not exist | Session does not exist; perform the defined application login behavior. | Failed authentication, Okta supplied page. | Continue |
Validate session integrity | Validate the session according to the session integrity behavior. | Error, as defined in behavior. Or one of: | Continue |
Create session | Access Gateway session is created. Attributes are populated and stored in the session cache. | N/A | Continue |
Evaluate deep linking | Advanced > Deep linking (Disabled). | N/A | Route to the specified post-login URL. |
Evaluate deep linking | Advanced > Deep linking (Enabled). | N/A | Route to the provided URL, normally http://domain.tld/somepath. |
Evaluate policy | Evaluate policy for the selected URI. | 403 (Access denied via policy) | 403 (Access denied via policy) |
Forward request | Rewrite the request and forward it to the protected resource. | Application dependent. | |
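The following is an added example, not Okta's code or documentation: a small Python model that walks a request through the states in the table above and through the SP-initiated flow (no session means a redirect to Okta; a presented assertion creates the session). Every host name, the `OKTA_LOGIN_URL`, the client-binding integrity check, the `admin_paths_need_admin_group` policy and the session-id scheme are constructed assumptions chosen only to make each state reachable; the real gateway's behaviors are whatever is configured in the product.

```python
"""Toy model of the Access Gateway request state machine (added example, not Okta's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OKTA_LOGIN_URL = "https://okta.example.com/sso/saml"   # constructed stand-in for the Okta SSO endpoint


@dataclass
class AppConfig:
    post_login_url: str                    # where to send the user when deep linking is disabled
    deep_linking: bool                     # Advanced > Deep linking (Enabled/Disabled)
    policy: Callable[[str, dict], bool]    # (uri, session attributes) -> allowed?


def admin_paths_need_admin_group(uri: str, attrs: dict) -> bool:
    """Constructed policy: /admin/* requires the 'admins' group; everything else is allowed."""
    return not uri.startswith("/admin") or attrs.get("group") == "admins"


# Constructed gateway configuration: only these hosts are served by this gateway.
SERVED: Dict[str, AppConfig] = {
    "app.example.com": AppConfig("https://app.example.com/home", False, admin_paths_need_admin_group),
    "docs.example.com": AppConfig("https://docs.example.com/", True, admin_paths_need_admin_group),
}


@dataclass
class Request:
    host: str
    uri: str
    client: str = "browser-A"              # stand-in for whatever the session integrity behavior binds to
    session_id: Optional[str] = None       # gateway session cookie, if present
    assertion: Optional[dict] = None       # stand-in for a SAML assertion presented after Okta login


@dataclass
class Outcome:
    state: str                             # state in which processing ended
    status: int                            # HTTP status returned to the user agent
    detail: str                            # redirect target, forwarded upstream URL, or error text
    session_id: Optional[str] = None       # set when a session was created in this step


def handle(req: Request, cache: Dict[str, dict]) -> Outcome:
    """Walk one request through the states in the table; `cache` is the session cache."""
    # Domain served: DNS may point at the gateway, but the host must actually be configured.
    app = SERVED.get(req.host)
    if app is None:
        return Outcome("Domain served", 400,
                       f"The requested host:'{req.host}' is not being served by this Access Gateway.")

    attrs = cache.get(req.session_id) if req.session_id else None

    if attrs is None:
        # Session does not exist: perform the application login behavior.
        if req.assertion is None:
            # SP-initiated flow: redirect the browser to Okta to obtain a SAML assertion.
            return Outcome("Session does not exist", 302, OKTA_LOGIN_URL)
        if not req.assertion.get("valid"):
            return Outcome("Session does not exist", 401, "Failed authentication")
        # Create session: populate attributes from the assertion and store them in the cache.
        sid = f"sess-{len(cache) + 1}"
        attrs = {k: v for k, v in req.assertion.items() if k != "valid"}
        attrs["bound_client"] = req.client
        cache[sid] = attrs
        # Evaluate deep linking: enabled routes to the requested URL, disabled to the post-login URL.
        target = f"https://{req.host}{req.uri}" if app.deep_linking else app.post_login_url
        return Outcome("Evaluate deep linking", 302, target, session_id=sid)

    # Validate session integrity (constructed behavior: the session is bound to one client).
    if attrs.get("bound_client") != req.client:
        return Outcome("Validate session integrity", 401, "Session integrity check failed")

    # Evaluate policy for the selected URI.
    if not app.policy(req.uri, attrs):
        return Outcome("Evaluate policy", 403, "Access denied via policy")

    # Forward request: the gateway rewrites and proxies; the real status is application dependent.
    return Outcome("Forward request", 200, f"upstream {req.host}{req.uri}")


if __name__ == "__main__":
    cache: Dict[str, dict] = {}
    first = handle(Request("app.example.com", "/reports/1"), cache)          # no session -> Okta
    login = handle(Request("app.example.com", "/reports/1",
                           assertion={"valid": True, "user": "alice", "group": "users"}), cache)
    later = handle(Request("app.example.com", "/reports/1", session_id=login.session_id), cache)
    for step in (first, login, later):
        print(f"{step.state:28} {step.status} {step.detail}")
```

The useful thing to notice when running it is which state each failure stops in: an unconfigured host never reaches the login logic, a session presented from a different client is rejected before policy is evaluated, and a policy denial never reaches the protected resource.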