Add a SAML pass-through app

SAML pass-through apps are a combination of apps in an Okta org, an Access Gateway SAML proxy app, and an associated configuration.


The SAML pass-through architecture is composed of:

  • Split DNS: Internal users access the SAML-aware app using the same DNS name as external users. However, the address provided is either the IP address of Access Gateway, for external users, or the IP address of the SAML-aware app, for internal users.
  • Okta SAML app: An Okta-based application that's hidden from the user.
  • Access Gateway and the Access Gateway application: Proxies SAML requests. The Access Gateway application is hidden from users.
  • Okta bookmark application: Used to access the app by users in an Okta org.

For details see: SAML pass through reference architecture

Before you begin

  • Requires split DNS model, where:
    • The DNS name for the backend server needs to be the same as the Access Gateway DNS name.
    • The internal (non-internet) DNS must resolve to the actual SAML aware application server.
    • The external (internet facing) DNS must resolve to the Access Gateway.

Typical workflow



Add an Okta org group

Create an Okta group to which to assign SAML app users.

Obtain required SAML data

Fetch data provided by the application provider.

Add an Okta SAML application

Create a SAML app to represent the back-end app.

Create an Access Gateway SAML proxy application

Create a SAML proxy app.

Add an Okta bookmark application

Create a bookmark app that users can use to access the SAML app from their Okta org.

Hide applications

Hide the apps that aren't used by the user.

Test the SAML pass through application

Test the application.