Skip to content

Latest commit

 

History

History
45 lines (32 loc) · 3.14 KB

README.md

File metadata and controls

45 lines (32 loc) · 3.14 KB

When you have a frontend and backend with different domains and you're using Okta as your Identity Provider (IdP) for SAML-based authentication, the authentication flow typically involves the following steps:

  1. Initial Request from Frontend:

    • The user accesses a protected resource or initiates the login process on the frontend application.
  2. Frontend Redirect to Backend:

    • The frontend sends a request to the backend to initiate the SAML authentication process. This request could include a unique identifier or a redirect URL back to the frontend after authentication.
  3. Backend Generates SAML Request:

    • Upon receiving the request from the frontend, the backend generates a SAML authentication request to be sent to Okta. This request includes details like the Service Provider's (SP) entity ID, the Assertion Consumer Service (ACS) URL, and a unique request identifier.
  4. Redirect to Okta Login:

    • The backend redirects the user's browser to Okta's SAML login URL, passing the SAML request as a query parameter.
  5. User Authenticates on Okta:

    • The user enters their credentials on Okta's login page and completes the authentication process.
  6. Okta Generates SAML Response:

    • After successful authentication, Okta generates a SAML response (SAML assertion) containing user identity information.
  7. Redirect to Backend ACS:

    • Okta redirects the user's browser back to the ACS URL provided in the SAML request, which is one of the endpoints on your backend. This step may also include the SAML response as a POST request body.
  8. Backend Processes SAML Response:

    • The backend receives the SAML response from Okta.
    • It validates the SAML response's signature using Okta's public certificate or metadata.
    • If the SAML response is valid, it extracts user identity information from the SAML assertion.
  9. Backend Establishes Session:

    • Using the user identity information obtained from the SAML assertion, the backend establishes a session for the user.
    • It generates a session ID or token, associates it with the user's session, and stores any necessary user data.
  10. Backend Redirects to Frontend:

    • After the session is established, the backend redirects the user's browser back to the frontend application.
    • This redirect typically includes the session ID/token as a parameter or in a secure cookie.
  11. Frontend Receives Session Information:

    • The frontend receives the session ID/token from the backend.
    • It stores the session ID/token securely in memory or as a secure cookie.
  12. Subsequent Requests from Frontend:

    • For all subsequent requests from the frontend to the backend, the frontend includes the session ID/token as a bearer token or in the headers.
    • The backend validates the session ID/token and authorizes the user for each request.

This flow allows you to securely authenticate users across different domains while centralizing session management and user authorization in your backend. Okta handles the user authentication part, while your backend processes the SAML response, establishes user sessions, and validates subsequent requests from the frontend.