How to use the API Create Session With Session Token

joelbloch · May 3, 2023, 1:01pm

Hello,

I create a middleware in javascript and drive Okta through APIs.
I configure a SAML Application on Okta and want to redirect the user to the embed link, for the user to be authenticated on Okta, then redirected to the target SAML Application.

If I use a primary authentication API to get a session token, then redirect the user with axios.redirect to the application embed link with a sessionToken URL parameter, it works.
However, once a user has logged into Okta that way, I cannot figure out how to remove the session token in the browser: the session Cookie is set after the user is redirected to Okta, and it seems it is not captured by the axios framework. Hence I cannot logout or manage the session afterwards.

So I want to create a user session through the Create Session With Session Token.
However, after I get the session id, I redirect the user to the SAML Application embed link, and this time the user is not automatically signed in: the okta login prompt shows up.

What is the best way to redirect to a SAML Application embed link, and still have the possibility to log out from the okta session afterwards?

Thanks!

andrea · May 3, 2023, 5:51pm

Once the Okta session cookie is set, SSO into the SAML application via the App Embed Link should be automatic (user should not be prompted to complete primary authentication).

Can you confirm which endpoints you are using the create the session? Do you have a custom domain in your org? Could the Okta session be getting set on the *okta.com default domain, while the SAML app embed link uses a custom domain (or vice versa)?

joelbloch · May 4, 2023, 8:19am

Hello Andrea,

I have a development tenant, in the form of mytenantname.okta.com

I configure a session policy allowing the user to authenticate with password only.
When the user logs in with username and password, my middleware calls the following API:

POST https://{{oktaDomain}}/api/v1/authn

I get a sessionToken.
When I redirect to the embed link of the SSO application with the sessionToken as an URL parameter, it works fine.

My problem is to log this user out of Okta and delete the cookie.
To simplify the usecase: I call the 2 following APIs:

//I retrieve the session token:
POST https://{{oktaDomain}}/api/v1/authn
//I try to access the session:
GET or DELETE https://{{oktaDomain}}/api/v1/sessions/me

The second call ends in 404 whether it is a get or post.

I reproduce this problem with:

Postman, where the cookies are automatically sent in the second request.
Nodejs Axios framework, with the flag withCredentials being set to true on every request.

So my question turns down to: when I get a sessionToken with an authentication API, how can I log the user out from Okta?

Thanks!

andrea · July 6, 2023, 8:28pm

It’s possible access to third party cookies (on Okta’s domain) from your application’s domain are getting blocked based on the end-users browser settings, see FAQ How Blocked Third Party Cookies Can Potentially Impact Your Okta Environment | Okta Help Center.