We have two applications configured to use SAML authentication. SSO fo both the applications works properly when accessed through the browser. We have a scenario where application 1 needs to invoke REST APIs on application 2. This was initially done by configuring application 2 to have a OKTA authentication handler using the metadata from the OKTA configuration of application 1. When the user logs in to application 1 using OKTA, the SAML assertion in the response was used to get an access token from application 2 and the API integration used to work.
With a recent update to the application 2, this reuse of the SAML assertion has been disabled to prevent SAML replay attacks. We are now unable to get the token for invoking the REST APIs.
We have been advised to follow the procedure described in the following document to get the SAML assertion for the second application.
Retrieving a session cookie by visiting an application embed link
For doing this, we will have to popup a form for the user to enter his username and password in order to get the session token, which will then be used to invoke the application embed link to get the SAML assertion for application 2.
Following this process will be counter intuitive for single-sign-on. Is there any other approach in which this issue can be resolved?