Custom Form Login with SAML SSO Session Issue

I have a SAML application set up in Okta. The application is a .Net application and has a custom login page. When a user signs in on the page the app uses the credentials to make a call to the authentication client to grab a session token. It then makes a call to get a session cookie using the session redirect link (https://${yourOktaDomain}/login/sessionCookieRedirect?token={sessionToken}&redirectUrl={redirectUrl} where the redirectUrl is the idp sso url for the saml application).

The above will work some of the time initiating the user’s session by setting a session cookie in the browser and then using sso to go to the application. Other times though it will just redirect back to the custom login page. When it does this I noticed in the network traffic that the session cookie is not being set when calling the sessionCookieRedirect url with a valid token.

Does anyone have any insight into this or any suggestions?

I appreciate any help 🙂

Hi @jdeaton

Can you please check if the hostname in the redirectUrl (eg https://google.com) is whitelisted in your tenant’s Trusted Origins section (Admin >> Security >> API >> Trusted Origins) with “Redirect” option enabled? Also, can you please check that both token and redirectUrl are correctly sent when the error occurs?

If the error persists, can you please capture the X-Okta-Request-Id response header in order to further check? This header is a fingerprint of the operation that occurred on the back-end level.

@dragos Sorry to just be getting back to you, was taking some time off.

So the hostname is our okta environment as the application is a saml application using okta as the idp. The redirectUrl just points to the sso url for the application.

The token and the redirect url appear to be formatted correctly whether the request is able to retrieve a session cookie or not.

x-okta-request-id: XnOthJUqrfuGOyst6sbihAAACWs for request where session cookie does not get set

Hi @jdeaton

Thank you for providing the request ID. I’ve checked on our end and I can confirm that there are two requests sent consecutively to /login/sessionCookieRedirect, one which goes correctly and another one which fails, both at the same timestamp. I’ve sent you a private message with both events.

The session token passed as a query parameter can be used only once to create a session and, once it’s used, it becomes automatically invalidated.

This is usually caused by a network delay in the browser, which blocks a request after it was sent to Okta. Can you please check if you have any network configuration or plugins in the browser which can affect this functionality? Also, can you please test accessing the SAML application from a different browser on the same device and from a device which is outside of your current network?
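As an added illustration of the two points made in this thread (the redirectUrl origin must be on the Trusted Origins list, and the sessionToken is single-use, so a duplicated request to /login/sessionCookieRedirect fails), the following Python is example code written for this answer, not Okta's own implementation and not the poster's .NET app. It builds the redirect URL the way the original post describes and then runs it against a small simulated endpoint whose behaviour is modelled on dragos's explanation. The Okta domain, the SAML SSO URL, the trusted-origin set and the user name are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; substitute your own tenant values.
OKTA_DOMAIN = "example.okta.com"
SAML_SSO_URL = "https://example.okta.com/app/example_saml_app/abc123/sso/saml"
TRUSTED_ORIGINS = {"https://example.okta.com"}  # origins with "Redirect" enabled


def build_session_cookie_redirect(okta_domain, session_token, redirect_url):
    """Build https://{domain}/login/sessionCookieRedirect?token=...&redirectUrl=...
    urlencode() percent-encodes the redirectUrl so its own '?' and '&' survive."""
    query = urlencode({"token": session_token, "redirectUrl": redirect_url})
    return f"https://{okta_domain}/login/sessionCookieRedirect?{query}"


class SessionTokenStore:
    """Simulated issuer of one-time session tokens (assumption: models the
    single-use behaviour described in the thread, not Okta's real code)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"user": user, "used": False}
        return token

    def redeem(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            return None, "unknown_token"
        if entry["used"]:
            # Second redemption of the same token: this is the failing request
            return None, "token_already_used"
        entry["used"] = True
        return entry["user"], "ok"


def handle_session_cookie_redirect(url, store, trusted_origins):
    """Simulated endpoint. Returns (cookie_set, location, reason)."""
    qs = parse_qs(urlparse(url).query)
    token = qs.get("token", [None])[0]
    redirect_url = qs.get("redirectUrl", [None])[0]
    if not token or not redirect_url:
        return False, None, "missing_parameter"

    # Trusted Origins check: only the scheme+host of redirectUrl is compared.
    target = urlparse(redirect_url)
    origin = f"{target.scheme}://{target.netloc}"
    if origin not in trusted_origins:
        return False, None, "untrusted_redirect_origin"

    user, reason = store.redeem(token)
    if user is None:
        return False, None, reason
    return True, redirect_url, "ok"


def simulate_double_request():
    """Reproduce the symptom from the thread: the same redirect URL is sent twice."""
    store = SessionTokenStore()
    token = store.issue("user@example.com")  # constructed user
    url = build_session_cookie_redirect(OKTA_DOMAIN, token, SAML_SSO_URL)
    first = handle_session_cookie_redirect(url, store, TRUSTED_ORIGINS)
    second = handle_session_cookie_redirect(url, store, TRUSTED_ORIGINS)
    return first, second


def simulate_untrusted_redirect():
    """Show the Trusted Origins rejection for a redirectUrl on another host."""
    store = SessionTokenStore()
    token = store.issue("user@example.com")
    url = build_session_cookie_redirect(OKTA_DOMAIN, token, "https://other.example/sso")
    return handle_session_cookie_redirect(url, store, TRUSTED_ORIGINS)


if __name__ == "__main__":
    first, second = simulate_double_request()
    print("first request :", first)   # cookie set, redirected to the SSO URL
    print("second request:", second)  # token_already_used, no cookie
    print("untrusted     :", simulate_untrusted_redirect())
```

In the simulation the first call sets the cookie and redirects to the SSO URL while the second, identical call is rejected because the token was already consumed, which is the pattern dragos found in the two back-end events. When debugging the real flow, pair the browser's network capture with the X-Okta-Request-Id of each /login/sessionCookieRedirect request so you can tell which of the two requests was the one that failed.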

@dragos

I used an incognito window on Google Chrome and Internet Explorer, connected to my company’s VPN and disconnected from it, and I am able to reproduce the issue in every case. I have been testing in a local environment, but I can reproduce in our other environments as well. Also we have had multiple users experiencing the issue in our prod environment.

Hi @jdeaton

As this is affecting your production environment, can you please open a support case with us through an email to support@okta.com describing the issue, so that one of our Support Engineers can assist you in resolving this issue?