Common Access Gateway flows
Requests can be initiated to a service provider or using an Okta tenant. The following diagrams represent these sequence flows.
IDP, Service provider and general flows
| Step |
Description |
|---|---|
| 1 |
User signs in to Okta. |
| 2 |
Okta send user identity SAML assertion to Access Gateway. |
| 3 |
Access Gateway adds required application attributes |
| 4 |
Protected web resource receives request, and returns response to Access Gateway |
| 5 |
Access Gateway performs any required rewrites and returns response. |
| Step | Description |
|---|---|
| 1 | User requests application access. |
| 2 | Access Gateway intercepts request and redirects to Okta for SAML assertion. |
| 3 | User (browser) sends SAML AuthN Request to Okta, logs into Okta following Okta policies. |
| 4 | On success, Okta Generates a SAML assertion for Access Gateway. |
| 5 | User (browser) presents SAML assertion to Access Gateway. |
6 | Access Gateway forwards request to protected web resource. |
| 7 | Protected web resource receives request, and returns response to Access Gateway |
8 | Access Gateway performs any required rewrites and returns response. |
Access Gateway flows go through a number of steps for each request after a flow is initiated. The following diagram and state transition description describes this flow.
| State | Description | Error | Success |
|---|---|---|---|
| Initial | Starting state, where request has yet to be made. | ||
| Domain served | DNS entry points to Access Gatewaybut Domain not served by Access Gateway. | Unknown host Status code:400 The requested host:'domain.tld' is not being served by this Access Gateway. | Continue |
| Session does not exists | Session does not exist, perform defined application login behavior. | Failed authentication, Okta supplied page. | Continue |
| Validate session integrity | Validate session according to session integrity behavior. | Error, as defined in behavior. Or one of:
| Continue |
| Create session | Access Gateway session is created. Attributes populated and stored into session cache. | N/A | Continue |
| Evaluate deep linking
| Advanced > Deep linking (Disabled). | N/A | Route to the specified post login url. |
Advanced > Deep linking (Enabled). | N/A | Route to the provided URL Normally http://domain.tld/somepath. | |
Evaluate policy | Evaluate policy for selected URI | 403 (Access denied via policy) | 403 (Access denied via policy) |
Forward request | rewrite request and forward to protected resource | Application dependent. | |