IdP-initiated SAML allows users to click a button within the SAML provider's dashboard. Doing so will launch the Aqua application. Aqua does not have native support for IdP-initiated SAML; however, we do have a simple workaround.

Aqua's SSO sign-in page allows you to pass a connection name that is unique for your company's application. Using this link, you can create a "bookmark" application within your SAML provider. This feature is supported by most providers, including Okta and OneLogin.

When IdP-initiated SAML is performed (and not supported) you may see an error like the one shown below ("Invalid samlResponse or relayState from identity provider"):

This often occurs because Aqua does not support this type of access. Instead, you need to either use the login direct link (for example: or use the bookmark process described below.
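As an added illustration (not Aqua's code, and not a description of Aqua's internals), the snippet below shows the generic reason an SP that only supports SP-initiated SAML rejects an unsolicited response: the SP issues the AuthnRequest itself and only accepts a Response whose RelayState and InResponseTo match a request it still has pending. The XML, IDs and class name are constructed for the example; signature and Conditions checks are omitted.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
REJECT = "Invalid samlResponse or relayState from identity provider"


class SpOnlyValidator:
    """SP that only completes logins it started (hypothetical, for illustration)."""

    def __init__(self):
        self.pending = {}  # RelayState the SP sent -> AuthnRequest ID it issued

    def start_login(self):
        """SP-initiated step, the part a direct /sso link triggers."""
        relay_state = secrets.token_urlsafe(16)
        request_id = "_" + secrets.token_hex(16)
        self.pending[relay_state] = request_id
        return relay_state, request_id

    def validate(self, saml_response_xml, relay_state):
        """Accept a Response only if it answers a request this SP issued (one-shot)."""
        root = ET.fromstring(saml_response_xml)
        if root.tag != "{%s}Response" % SAMLP:
            return False, "not a SAML Response"
        expected = self.pending.pop(relay_state, None)  # unknown or reused -> None
        if expected is None or root.get("InResponseTo") != expected:
            return False, REJECT
        return True, "ok"


def build_response(in_response_to=None):
    """Constructed minimal Response; a real one is signed and carries an Assertion."""
    attrs = 'xmlns:samlp="%s" ID="_resp1" Version="2.0"' % SAMLP
    if in_response_to:
        attrs += ' InResponseTo="%s"' % in_response_to
    return "<samlp:Response %s/>" % attrs


def run_both_flows():
    sp = SpOnlyValidator()
    # IdP-initiated: the IdP posts a Response the SP never asked for, with no RelayState.
    idp_initiated = sp.validate(build_response(), relay_state=None)
    # SP-initiated: the SP issues the request first, then the IdP answers it.
    rs, rid = sp.start_login()
    sp_initiated = sp.validate(build_response(rid), relay_state=rs)
    return idp_initiated, sp_initiated
```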

Setup process

The setup will consist of the following:

  1. A standard SAML 2.0 application configured using the setup defined here.
  2. A second "bookmark" application that sends users to the /sso entry point, which returns them into the first application's SAML flow.

Follow these steps to configure this flow:

  1. Create the first application by following the onboarding steps and working with Aqua Support.
  2. Ensure you can log in via the standard SAML page:
  3. Once you've verified that you can, ask Aqua Support for your unique login link. We will provide a /sso URL with a parameter specific to your organization that will direct your users directly to your SAML provider login without having to type their email addresses.
  4. Create a new "bookmark" application and paste the provided link.
  5. When users click the bookmark application from within the provider dashboard, they will be redirected to the custom Aqua /sso endpoint, which will then initiate the SAML flow.
  6. Optionally, you can hide the first application from the provider dashboard so users can only click the bookmark application.

If you have any questions, please contact Aqua Support.