Common Access Gateway flows

A request can be initiated by the identity provider (a user signs in to the Okta tenant and picks the application) or by the service provider (a user goes straight to the protected application and Access Gateway redirects to Okta). The following sequences represent these two flows.

IDP, Service provider and general flows

Flow through Access Gateway initiated by IDP

Step  Description
1     User signs in to Okta.
2     Okta sends a SAML assertion carrying the user identity to Access Gateway.
3     Access Gateway adds the required application attributes to the request headers and forwards the request to the protected web resource.
4     The protected web resource receives the request and returns a response to Access Gateway.
5     Access Gateway performs any required rewrites and returns the response to the user.

Flow through Access Gateway initiated by SP (service provider)

Step  Description
1     User requests application access.
2     Access Gateway intercepts the request (no session exists) and redirects the browser to Okta to obtain a SAML assertion.
3     User (browser) sends the SAML AuthnRequest to Okta and signs in to Okta, subject to Okta sign-on policies.
4     On success, Okta generates a SAML assertion for Access Gateway.
5     User (browser) presents the SAML assertion to Access Gateway.
6     Access Gateway forwards the request to the protected web resource.
7     The protected web resource receives the request and returns a response to Access Gateway.
8     Access Gateway performs any required rewrites and returns the response to the user.
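Steps 2, 3 and 5 of the SP-initiated flow, modelled in Python as an added example (this is not Access Gateway or Okta code). It builds the HTTP-Redirect binding URL that sends the browser to the IdP with a SAML AuthnRequest, decodes that URL the way the IdP would, and maps the echoed RelayState back to the URL the user originally asked for. The IdP SSO URL, entity ID, ACS URL, request ID and timestamp are made-up placeholders, and the pending-login dictionary stands in for the gateway's session cache.

```python
"""Steps 2-3 and 5 of the SP-initiated flow, modelled as an added example
(not Access Gateway or Okta code). IDP_SSO_URL, SP_ENTITY_ID and ACS_URL are
made-up placeholders."""
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders, not real Okta endpoints.
IDP_SSO_URL = "https://idp.example.com/sso/saml"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"

# Pending logins: AuthnRequest ID -> originally requested URL. The RelayState
# sent to the IdP is this opaque key, never the raw URL, so a tampered
# RelayState cannot turn the post-login redirect into an open redirect.
PENDING = {}


def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest asking the IdP to POST the Response to ACS_URL."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value):
    """Inverse of deflate_b64, as the IdP applies it."""
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_to_idp(requested_url, request_id, issue_instant):
    """Step 2: the Location header value that sends the browser to the IdP."""
    PENDING[request_id] = requested_url
    query = urlencode({
        "SAMLRequest": deflate_b64(build_authn_request(request_id, issue_instant)),
        "RelayState": request_id,
    })
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect(location):
    """Step 3, IdP side: recover the AuthnRequest XML and RelayState from the URL."""
    params = parse_qs(urlparse(location).query)
    return inflate_b64(params["SAMLRequest"][0]), params["RelayState"][0]


def post_login_target(relay_state, default="https://app.example.com/"):
    """Step 5, gateway side: resolve the echoed RelayState exactly once; an
    unknown or replayed value falls back to the default landing page."""
    return PENDING.pop(relay_state, default)


if __name__ == "__main__":
    loc = redirect_to_idp("https://app.example.com/reports/42", "_abc123", "2024-01-01T00:00:00Z")
    xml, relay = decode_redirect(loc)
    print(loc)
    print(xml)
    print(post_login_target(relay))
```

The design choice worth noting is the RelayState: it is an opaque lookup key consumed once, so the post-login redirect target comes from state the gateway wrote itself rather than from a value the browser (or an attacker crafting a link) can edit.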

Once a flow has been initiated, Access Gateway takes each request through a fixed sequence of states. The following state transition description lists each state, what it does, and the error and success outcomes.

State: Initial
  Description: Starting state; the request has not yet been made.
  Error: N/A
  Success: Continue

State: Domain served
  Description: The DNS entry points to Access Gateway, but the requested domain is not served by this Access Gateway.
  Error: Unknown host, status code 400: The requested host:'domain.tld' is not being served by this Access Gateway.
  Success: Continue

State: Session does not exist
  Description: No Access Gateway session exists for the request; perform the application's defined login behavior.
  Error: Failed authentication (Okta-supplied error page).
  Success: Continue

State: Validate session integrity
  Description: Validate the session according to the application's session integrity behavior.
  Error: The error defined in that behavior, or one of:
    • App is offline: the app is disabled (503)
    • App is in maintenance: the app is in maintenance mode (503)
  Success: Continue

State: Create session
  Description: The Access Gateway session is created; attributes are populated and stored in the session cache.
  Error: N/A
  Success: Continue

State: Evaluate deep linking
  Description: Determine where to route the user after login, based on Advanced > Deep linking.
  Error: N/A
  Success:
    • Deep linking disabled: route to the specified post-login URL.
    • Deep linking enabled: route to the URL the user originally requested, normally http://domain.tld/somepath.

State: Evaluate policy
  Description: Evaluate the application policy for the selected URI.
  Error: 403 (Access denied via policy)
  Success: Continue

State: Forward request
  Description: Rewrite the request and forward it to the protected resource.
  Error: Application dependent.
  Success: The response is returned to the user.
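The state sequence above, modelled in Python as an added example (not Access Gateway code). The checks run in the table's order: served domain, session, app status, deep linking, policy, forward. The application configuration, the policy shape (first matching path prefix wins; no matching rule denies, which is an assumption made here) and the sample requests are constructed for illustration; real Access Gateway policies and session attributes are richer than this.

```python
"""Per-request state sequence from the table above, modelled as an added
example (not Access Gateway code). App config, policy model and requests are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class App:
    post_login_url: str
    deep_linking: bool = False                 # Advanced > Deep linking
    status: str = "online"                     # "online" | "offline" | "maintenance"
    policy: List[Tuple[str, List[str]]] = field(default_factory=list)  # (path prefix, groups)


@dataclass
class Request:
    host: str
    path: str                                  # URL the user originally asked for
    session: Optional[dict]                    # None until the Okta login has completed
    # session shape: {"user": "...", "groups": [...]}


@dataclass
class Outcome:
    state: str                                 # table row where the request stopped
    status: int
    detail: str = ""


def prefix_matches(prefix, path):
    """'/admin' matches '/admin' and '/admin/x' but not '/administrator'."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def allowed(policy, path, groups):
    """First matching prefix rule wins; a URI with no rule is denied (assumption)."""
    for prefix, permitted in policy:
        if prefix_matches(prefix, path):
            return bool(set(groups) & set(permitted))
    return False


def handle(apps, req):
    """Run one request (the first one after login) through the state sequence."""
    app = apps.get(req.host)
    if app is None:                            # Domain served: DNS points here, no app matches
        return Outcome("domain_served", 400,
                       f"The requested host:'{req.host}' is not being served by this Access Gateway.")
    if req.session is None:                    # Session does not exist: start the SP-initiated login
        return Outcome("session_missing", 302, "redirect to Okta")
    if app.status == "offline":                # Validate session integrity
        return Outcome("validate_session", 503, "App is disabled")
    if app.status == "maintenance":
        return Outcome("validate_session", 503, "App is in maint mode")
    # Create session would populate the session cache here; then Evaluate deep linking
    target = req.path if app.deep_linking else app.post_login_url
    if not allowed(app.policy, target, req.session.get("groups", [])):   # Evaluate policy
        return Outcome("evaluate_policy", 403, "Access denied via policy")
    return Outcome("forward", 200, target)     # Forward request: rewrite and proxy


# Constructed sample configuration.
APPS = {
    "app.example.com": App(post_login_url="/home", deep_linking=True,
                           policy=[("/admin", ["admins"]), ("/", ["staff", "admins"])]),
    "intranet.example.com": App(post_login_url="/home", deep_linking=False,
                                policy=[("/", ["staff"])]),
    "legacy.example.com": App(post_login_url="/", status="maintenance",
                              policy=[("/", ["staff"])]),
}

if __name__ == "__main__":
    staff = {"user": "alice", "groups": ["staff"]}
    for req in (Request("unknown.example.com", "/", staff),
                Request("app.example.com", "/reports", None),
                Request("legacy.example.com", "/", staff),
                Request("app.example.com", "/admin/users", staff),
                Request("intranet.example.com", "/deep/page", staff)):
        print(req.host, req.path, handle(APPS, req))
```

Two points the model makes visible: policy is evaluated on the URI the deep-linking step selected, not on whatever the browser first asked for, and the unknown-host and no-session checks fire before any application state is consulted, so a 400 or a redirect to Okta never leaks whether the app is offline or what its policy is.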

Related topics

Reference architectures

About Access Gateway DNS use

About Access Gateway high availability

About Access Gateway prerequisites