Add SAML pass-through application

SAML pass through applications are a combination of applications in an Okta org, an Access Gateway SAML proxy application and configuration. The architecture, flow and tasks required to create a SAML pass through application are described below.


The SAML pass through architecture is composed of:

  • Split DNS - Internal users access the SAML aware application using the same DNS name as internet based users, however the address provided is either the IP address of Access Gateway (external or internet based) or the IP address of the SAML aware application (internal users).
  • Okta SAML application - An Okta based application, used behind the scenes and hidden from the user.
  • Access Gateway and application - proxies SAML requests. The application itself is hidden from users as it is not used directly.
  • Okta bookmark application - Used by those who access the application from within their Okta org.

For details see: SAML pass through reference architecture

Before you begin

  • Requires split DNS model, where:
    • The DNS name for the backend server needs to be the same as the Access Gateway DNS name.
    • The internal (non-internet) DNS must resolve to the actual SAML aware application server.
    • The external (internet facing) DNS must resolve to the Access Gateway.

Typical workflow



Create a containing group

Collect required SAML

Create Okta SAML application

Create Access Gateway SAML proxy application

Create Okta bookmark application

Hide applications

Test the application