Configure Okta to mediate between our SP Application and IdP

We are a service provider; we have SAML-enabled our application so that IdPs can authenticate users for us. To make sure everyone is on the same page:

  • Identity Provider (IdP) is an application whose task is to authenticate users.
  • Service Provider (SP) is the end-user application that delegates identification and authentication to the IdP.
  • SAML is a protocol that allows IdPs to make valid identity claims for an SP. We use SAML 2.0 (http://en.wikipedia.org/wiki/SAML_2.0).

More on federated identity here: http://developer.okta.com/docs/guides/saml_guidance.html

We are currently using Okta as an IdP, but we are faced with a situation where we need to integrate with a separate IdP. We would like our application to communicate only with Okta, and Okta has to deal with talking to this separate IdP and confirming their statements. Due to our specific use case, our application knows which basic IdP should be used, so IdP Discovery is not necessary.

We would like to configure Okta so that the authentication flow is as follows:

  • Our application redirects the user to an endpoint in Okta, indicating which basic IdP to use for authentication
  • Okta and the basic IdP handle everything needed to authenticate the user
  • Our application receives a single response (via HTTP-POST) at our ACS endpoint authenticating the user, signed by Okta

From an end-user perspective, they go to service-provider.com, are redirected through Okta to base-idp.com, perform the necessary authentication, and are then redirected back to service-provider.com. The end user does not know about the Okta middle layer, with the possible exception of the Okta URL, which appears briefly in the browser's address bar during the redirects.

So far, we have managed to configure inbound SAML in our Okta instance so that users can authenticate to Okta through the basic IdP. Our application redirects to the endpoint indicated on the inbound SAML configuration page with a SAMLRequest, but this takes users to the Okta dashboard, since that link is intended only for authenticating users to Okta, not for authenticating users to an SP via Okta. See our related configuration:

How can we configure Okta so that our use case is possible? Ideally, we would like Okta to act as an intermediary, checking and passing along SAML requests and assertions. In particular, we do not need these users to authenticate as Okta users; we just need Okta to assert that the user is who they say they are, based on the underlying IdP's assertion.

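The SP side of the flow asked about above, as an added example that is not from the question or from Okta: the ACS accepts a proxied response only if it is issued by Okta (never directly by the underlying IdP), answers the AuthnRequest we sent, is addressed to our entity ID and is inside its validity window. `OKTA_ISSUER` and `SP_ENTITY_ID` are placeholders, the sample response is constructed and unsigned, and XML-signature verification against Okta's certificate is assumed to happen before these checks.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
OKTA_ISSUER = "http://www.okta.com/PLACEHOLDER-ISSUER"       # placeholder, not a real Okta issuer
SP_ENTITY_ID = "https://service-provider.com/saml/metadata"  # hypothetical SP entity ID
TS = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2014, 6, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock inside the validity window

def check_response(saml_response_b64, request_id, now):
    """Logical checks the SP's ACS makes on the proxied response. Assumes the XML signature was already
    verified against Okta's certificate with an XML-DSig library. Returns a list of failure reasons."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    if root.get("InResponseTo") != request_id:   # ties the response to the AuthnRequest we sent
        problems.append("InResponseTo does not match our outstanding AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    # Only Okta may issue to us; an assertion coming directly from the underlying IdP is refused
    issuers = {e.text for e in root.iter(f"{{{NS['saml']}}}Issuer")}
    if issuers != {OKTA_ISSUER}:
        problems.append(f"unexpected issuer(s): {sorted(issuers)}")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions"]
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        problems.append("assertion is not addressed to this SP")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < datetime.strptime(nb, TS).replace(tzinfo=timezone.utc):
        problems.append("assertion not yet valid")
    if noa and now >= datetime.strptime(noa, TS).replace(tzinfo=timezone.utc):
        problems.append("assertion expired")
    return problems

def make_response(issuer=OKTA_ISSUER, in_response_to="_req1"):
    """Constructed, unsigned sample of what Okta would POST to the ACS (demonstration input only)."""
    xml = f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0"
  IssueInstant="2014-06-01T12:00:05Z" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-01T12:00:05Z">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Conditions NotBefore="2014-06-01T12:00:00Z" NotOnOrAfter="2014-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>'''
    return base64.b64encode(xml.encode()).decode()
```

`check_response(make_response(), "_req1", NOW)` returns an empty list, while a response whose Issuer is the underlying IdP (for instance `make_response(issuer="https://base-idp.com/idp")`) is rejected on the issuer check alone.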
1 answer

It looks like you need the IdP Discovery feature that Okta has on the roadmap for the end of this year, combined with its inbound SAML setup with a relationship to the other IdP. I believe it is possible to implement this using a custom login page. They mentioned it with professional services, but personally, I would feel much better about it once they have built IdP Discovery into the platform.
