Recently, I helped one partner with an issue of single sign-on(SSO) login based on our APS 3 Legged Authorization, usually, our team don't touch the workflow of SSO very much, this should be automatically supported by APS 3 Legged Authorization process, but with the investigation with partner and Authorization team, I think this worth a blog post to talk briefly about SSO integration.
First of all, we do hear from our customers, particularly technology admins, they expect to integrate SSO to have easy and secure access to Autodesk resources, Autodesk listened to the voice and made the SSO integration to all Autodesk standard plan customers as announced at https://adsknews.autodesk.com/en/news/single-sign-on-now-available/.
How to get started with SSO implementation, please check and follow Single Sign-On Setup Guide to help yourself, all the details should be covered there.
As for our APS developers, if your Application leverages APS 3 Legged Authorization token, basically, the SSO login will be supported out of box, the only thing your customer need to do is to setup their domain with SSO according to Single Sign-On Setup Guide, then, any users of that customer should be able to login to the APS Application by SSO directly.
Now let's talk about the SSO login issue one partner faced recently, firstly, here are the typical SSO login workflow as follow including some hidden steps(step 4 and 5):
- Customer initiate the user login via GET authorize
- Redirect user to https://accounts.autodesk.com for filling email
- If filling enterprise SSO email, user will be redirected to IDP login
- Once finished IDP login, SAML assertion happened from IDP -> OKTA firstly
- After OKTA processing, OKTA -> Autodesk for SAML assertion via https://accounts.autodesk.com/enterprisesso/callback?code=XXXX&state=YXXXXX(this request was new included around October, 2023)
- Then it's the time from Autodesk -> Customer, redirecting to the callback URI for generating the access token from authorization code by POST token
Actually, the step 5 was added recently, and is the exact reason that caused the SSO login issue, the code implementation on partner side mistakenly caught the wrong code( by catching/parsing request https://accounts.autodesk.com/enterprisesso/callback?code=XXXX&state=YXXXXX) from Step 5, and try to exchange an access token with this wrong code, which result to an error of "The authorization code is invalid or has expired" unfortunately.
As long as you find the root issue, the fix is as simple as just ignoring the request(https://accounts.autodesk.com/enterprisesso/callback?code=XXXX&state=YXXXXX) which is supposed be handled by Autodesk.