IdP-initiated SAML allows users to click a button within the SAML provider's dashboard, which then launches the Aqua application. Aqua does not have native support for IdP-initiated SAML; however, there is a simple workaround.

Aqua's SSO sign-in page allows you to pass a connection name that is unique to your company's application. Using this link, you can create a "bookmark" application within your SAML provider. This feature is supported by most providers, including Okta and OneLogin.

When IdP-initiated SAML is attempted (which is not supported), you may see an error like the following: "Invalid samlResponse or relayState from identity provider".

This occurs because Aqua does not support this type of access. Instead, either use the direct login link (for example: ) or use the bookmark process described below.

Setup Process

The setup will consist of the following:

  1. A standard SAML 2.0 application configured using the setup defined here.
  2. A second, "bookmark" application that sends users to the /sso entry point, which then starts the first application's SAML flow.

To configure this flow, please follow these steps:

  1. Create the first application by following the onboarding steps and working with Aqua support.
  2. Ensure you can log in via the standard SAML page.
  3. Once you've verified that you can, ask Aqua Support for your unique login link. We will provide a /sso URL with a parameter specific to your organization that will direct your users directly to your SAML provider login without having to type their email addresses.
  4. Create a new "bookmark" application and paste the provided link.
  5. When users click the bookmark application from within the provider dashboard, they will be redirected to the custom Aqua /sso endpoint which will then initiate the SAML flow.
  6. Optionally, you can hide the first application from the provider dashboard so users can only click the bookmark application.
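
The following is an added example, not Aqua's code, that models why the error above appears and why the bookmark flow works: a service provider that only accepts SP-initiated SAML binds every response to an AuthnRequest it issued (via InResponseTo and RelayState), so an unsolicited IdP-initiated response is rejected while a response to a request started at /sso is accepted. The connection name, IdP URL and response XML are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

class ServiceProvider:
    """Toy SP (not Aqua's implementation) that only accepts SP-initiated responses."""
    def __init__(self, connections):
        self.connections = connections  # connection name -> IdP SSO URL
        self.pending = {}               # outstanding AuthnRequest ID -> RelayState

    def sso_entry(self, connection):
        """/sso?connection=<name>: start the SAML flow by issuing an AuthnRequest."""
        request_id = "_" + secrets.token_hex(16)
        relay_state = secrets.token_urlsafe(16)
        self.pending[request_id] = relay_state
        return {"idp": self.connections[connection],
                "request_id": request_id, "relay_state": relay_state}

    def acs(self, response_xml, relay_state):
        """Assertion Consumer Service: bind the response to a request we issued.
        Signature, audience and time-window checks are omitted; use a vetted SAML library."""
        root = ET.fromstring(response_xml)
        in_response_to = root.get("InResponseTo")
        # Unsolicited (IdP-initiated) responses carry no InResponseTo, and a
        # request ID is consumed on first use, so replays are rejected as well.
        expected = self.pending.pop(in_response_to, None)
        if expected is None or not secrets.compare_digest(expected, relay_state):
            raise ValueError("Invalid samlResponse or relayState from identity provider")
        return root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")

def idp_response(in_response_to=None):
    """Constructed sample Response; an IdP-initiated one carries no InResponseTo."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attr}>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            '</samlp:Response>')

def demo():
    sp = ServiceProvider({"example-corp": "https://idp.example.test/sso"})  # constructed
    try:                                   # 1) IdP-initiated: unsolicited, rejected
        sp.acs(idp_response(), "")
        unsolicited_accepted = True
    except ValueError:
        unsolicited_accepted = False
    ctx = sp.sso_entry("example-corp")     # 2) bookmark -> /sso -> AuthnRequest
    status = sp.acs(idp_response(ctx["request_id"]), ctx["relay_state"])
    return unsolicited_accepted, status
```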

If you have any questions, please contact support.