Is this the expected outcome when both Identity Provider (IdP) initiated flow and Service Provider (SP) initiated flow are configured and required for an application?
Solution: The end user can choose to authenticate through Okta or through the application with user name and password.
A. Yes
B. No
Answer: A
Explanation:
Once the user is redirected to Okta, they’ll need to enter their Okta credentials, unless they have already authenticated into Okta in a previous session within the same browser. In either case, a successful authentication request will redirect the user back to the SP’s Assertion Consumer Service (ACS) URL with an embedded SAML response from Okta.
At a minimum, the response will:
✑ Indicate that it is indeed from Okta and hasn’t been altered, and contain a digital signature proving this. The SP verifies this signature using a public key from Okta that was previously uploaded to the SP as a certificate.
✑ Indicate that the user has authenticated successfully into Okta.
✑ Indicate who the user is via the NameID, a standard attribute used in SAML assertions.
https://support.okta.com/help/s/article/Beginner-s-Guide-to-SAML?language=en_US