Issue: Deep Links for Work Item Approval Fail on First Click Due to SSO Session Handling

dheerajk27 · August 7, 2025, 5:15am

Problem

When approvers receive deep links (e.g., via email) for approval actions in IdentityIQ, the first click fails to navigate correctly due to SSO authentication.

Expected Behavior: After logging in via SSO, the user should land directly on the deep-linked page (e.g., a specific Work Item or Certification).
Actual Behavior: After SSO completes, the hash-based routing part (#/commonWorkItem/...) is dropped. Users are redirected to:

https://mylocal.sailpoint.com/identityiq/workitem/commonWorkItem.jsf

instead of the full deep link:

https://mylocal.sailpoint.com/identityiq/workitem/commonWorkItem.jsf#/commonWorkItem/0aad020a980f145f81987dc745d92f93

Only on subsequent clicks does the full deep link load properly.

Impact

This issue causes confusion and a poor user experience for approvers and reviewers, especially when they expect a one-click action from email links.

Solution: Use Redirect URLs with Query Parameters

To preserve the full deep link during and after SSO authentication, embed redirect URLs instead of direct hash-based links.

These URLs ensure the routing parameters are passed and respected after authentication is complete.

Work Item / Approval

Direct Link

https://mylocal.sailpoint.com/identityiq/workitem/commonWorkItem.jsf#/commonWorkItem/0aad020d980f12a68198821e24d94186

Redirect URL

https://mylocal.sailpoint.com/identityiq/ui/rest/redirect?rp1=/workitem/commonWorkItem.jsf&rp2=commonWorkItem/0aad020d980f12a68198821e24d94186

Email Template Format

https://mylocal.sailpoint.com/identityiq/ui/rest/redirect?rp1=/workitem/commonWorkItem.jsf&rp2=commonWorkItem/$id

Access Request Tracking

Direct Link

https://mylocal.sailpoint.com/identityiq/identityRequest/identityRequest.jsf#/request/0000250304
Redirect URL

https://mylocal.sailpoint.com/identityiq/ui/rest/redirect?rp1=/identityRequest/identityRequest.jsf&rp2=/request/0000250304
Email Template Format

https://mylocal.sailpoint.com/identityiq/ui/rest/redirect?rp1=/identityRequest/identityRequest.jsf&rp2=/request/$identityRequestName

Access Review (Certification)

Direct Link

https://mylocal.sailpoint.com/identityiq/certification/certification.jsf#/certification/0aad020897c01eff8197c07f97850024
Redirect URL

https://mylocal.sailpoint.com/identityiq/ui/rest/redirect?rp1=/certification/certification.jsf&rp2=/certification/0aad020897c01eff8197c07f97850024
Email Template Format

https://mylocal.sailpoint.com/identityiq/ui/rest/redirect?rp1=/certification/certification.jsf&rp2=/certification/$certificationItem

Summary

To ensure deep links function properly on the first click post-SSO, always use the redirect pattern:

/identityiq/ui/rest/redirect?rp1=<basePage>&rp2=<routingPath>

This approach ensures:

Seamless SSO experience
Proper page routing
Improved user experience

Topic		Replies	Views
After SSO Authentication Deep Link is not working IIQ Discussion and Questions identityiq , access-requests	2	35	August 7, 2025
Work Item email links not working when SAML SSO enabled and fresh login IIQ Discussion and Questions identityiq	6	56	August 12, 2025
sailpoint.tools.GeneralException: quickLink is required IIQ Discussion and Questions identityiq , access-requests	3	163	March 24, 2025
Deeplink URL for Custom Quicklink IIQ Discussion and Questions	2	2209	July 19, 2023
Deep link to trigger custom QuickLink (custom Workflow) IIQ Discussion and Questions workflows , identityiq , plugins	2	192	September 9, 2024