How to get SAML token from OKTA from .NET web serv

Published 2019-09-11 13:04

Question:

We have a hybrid mobile app built with Kendo UI and a backend .NET web service. All calls from the UI go through AJAX. Now we need to integrate the app with OKTA for user authentication, but we are not sure how to get a SAML token from OKTA directly from a web service call.

We have already implemented a call to ADFS (active endpoint) from the web service to get a SAML token using Windows Identity Framework, and it works.

If anybody can share their experience or point out a solution, it will be much appreciated!

Answer 1:

You can use the following sequence to obtain the SAML assertion:

1) You can use /api/v1/authn to get a sessionToken. This will require user credentials. A sample request would look like:

{
  "username": "john.doe@foo.com",
  "password": "myPa$$word",
  "relayState": "/myapp/some/deep/link/i/want/to/return/to",
  "options": {
    "multiOptionalFactorEnroll": false,
    "warnBeforePasswordExpired": false
  }
}

Response will return a sessionToken value.

2) Now, using that value as input, you can call /api/v1/sessions?additionalFields=cookieToken to return a cookieToken.

Request will look like this:

{
  "sessionToken": "1234123DGSABDaSDBasdbaasbdasdb-ABCDEAERasdlzxk"
}

Response will contain a cookieToken value.

3) Now you can use the app SSO URL that would trigger SAML, and attach the one-time cookieToken at the end to get the SAML assertion. If you paste this URL in the browser, it will actually log you into the SAML-enabled app.

Sample URL would be:

https://myorg.okta.com/home/salesforce/0oa31deg4ABCDEFGHIJ/46?onetimetoken=1234123DGSABDaSDBasdbaasbdasdb-ABCDEAERasdlzxk
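The three steps above, written out as a C# client for a .NET web service. This is an added example, not code from the answer or from Okta; it assumes the org URL and the app's SSO embed path are placeholders supplied by the caller, that the /api/v1/authn response reaches status SUCCESS (MFA states would need extra handling), and that the SSO URL in step 3 answers with Okta's auto-submit HTML form whose hidden SAMLResponse field carries the base64-encoded assertion.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

// Added example (not the original answer's code). Org URL and SSO path are placeholders.
public sealed class OktaSamlClient
{
    private readonly HttpClient _http;
    private readonly string _orgUrl;

    public OktaSamlClient(HttpClient http, string orgUrl)
    {
        _http = http;
        _orgUrl = orgUrl.TrimEnd('/');
        _http.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    }

    // Step 1: primary authentication with user credentials -> sessionToken.
    // Only a SUCCESS status carries a sessionToken; MFA_REQUIRED etc. would need further calls.
    public async Task<string> GetSessionTokenAsync(string username, string password)
    {
        var body = new
        {
            username,
            password,
            options = new { multiOptionalFactorEnroll = false, warnBeforePasswordExpired = false }
        };
        using var resp = await _http.PostAsync($"{_orgUrl}/api/v1/authn", Json(body));
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        var status = doc.RootElement.GetProperty("status").GetString();
        if (status != "SUCCESS")
            throw new InvalidOperationException($"Authentication not complete: status {status}");
        return doc.RootElement.GetProperty("sessionToken").GetString();
    }

    // Step 2: exchange the sessionToken for a one-time cookieToken.
    public async Task<string> GetCookieTokenAsync(string sessionToken)
    {
        using var resp = await _http.PostAsync(
            $"{_orgUrl}/api/v1/sessions?additionalFields=cookieToken", Json(new { sessionToken }));
        resp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("cookieToken").GetString();
    }

    // Step 3: call the app's SSO link with the one-time token and pull the SAMLResponse
    // out of the auto-submit form. appSsoPath is e.g. "/home/<app>/<appId>/<linkId>" (placeholder).
    public async Task<string> GetSamlResponseAsync(string appSsoPath, string cookieToken)
    {
        var url = $"{_orgUrl}{appSsoPath}?onetimetoken={Uri.EscapeDataString(cookieToken)}";
        using var resp = await _http.GetAsync(url);
        resp.EnsureSuccessStatusCode();
        return ExtractSamlResponse(await resp.Content.ReadAsStringAsync());
    }

    // Finds the hidden SAMLResponse input regardless of attribute order and returns its base64 value.
    public static string ExtractSamlResponse(string html)
    {
        var patterns = new[]
        {
            "<input[^>]*name=\"SAMLResponse\"[^>]*value=\"([^\"]+)\"",
            "<input[^>]*value=\"([^\"]+)\"[^>]*name=\"SAMLResponse\""
        };
        foreach (var p in patterns)
        {
            var m = Regex.Match(html, p, RegexOptions.IgnoreCase);
            if (m.Success) return WebUtility.HtmlDecode(m.Groups[1].Value);
        }
        throw new InvalidOperationException(
            "No SAMLResponse field in response; the one-time token may already be spent or expired");
    }

    // The decoded value is the <samlp:Response> XML that wraps the assertion.
    public static string DecodeSamlResponseXml(string samlResponseBase64) =>
        Encoding.UTF8.GetString(Convert.FromBase64String(samlResponseBase64));

    private static StringContent Json(object o) =>
        new StringContent(JsonSerializer.Serialize(o), Encoding.UTF8, "application/json");
}

public static class Program
{
    public static async Task Main()
    {
        // Placeholders: replace with your org, the app's SSO path and caller-supplied credentials.
        var client = new OktaSamlClient(new HttpClient(), "https://myorg.okta.com");
        var sessionToken = await client.GetSessionTokenAsync("john.doe@foo.com", "<password>");
        var cookieToken = await client.GetCookieTokenAsync(sessionToken);
        var samlResponse = await client.GetSamlResponseAsync("/home/salesforce/<appId>/<linkId>", cookieToken);
        var xml = OktaSamlClient.DecodeSamlResponseXml(samlResponse);
        Console.WriteLine(xml.Length > 0 ? "SAMLResponse obtained" : "empty response");
    }
}
```

Two things to keep in mind when wiring this into a service: the sessionToken and cookieToken are bearer credentials, so keep them out of logs and request traces, and the one-time token is consumed on first use, so a retry of step 3 needs a fresh token from step 2. The SAMLResponse this yields is addressed to that app's ACS URL; whoever consumes it still has to validate the signature, audience and time conditions before trusting any attribute in it.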



Tags: .net saml okta