Hello
We have two applications we develop in-house that we recently wanted to tie together by implementing SSO via Okta.
So we had our C# desktop application use OpenID Connect, and it gets an ID token and an access token,
and on the other side, our other team implemented SAML authentication against the same Okta instance for their web application.
The point is that, from inside our Win32 application (the one with OpenID Connect), we need to open a browser and launch the web app, obviously bypassing the logon sequence.
But this does not happen; it seems there is an OpenID Connect API to authorize a session, but we need a session token, which we don't have.
We also tried another idea: to keep the browser we use during the very first logon with Okta, when we authenticate the Win32 application with OpenID Connect. But when we enter the SAML URL of the web app there, it asks again for login/password.
What are your ideas?
How does your OIDC application handle login? Does it redirect to Okta (via an /authorize request) so users can complete authentication and receive an Okta session (a session cookie will be set in their browser for this)?
If not, this is likely the best strategy for you as, once there is an Okta session in the user’s browser, unless the target application/org has re-auth or additional factor verification requirements, the user can log into any other application they are assigned within Okta without them needing to complete auth all over again. That you are not seeing this behavior makes me assume the login is handled some other way (e.g. an embedded login page or some other flow that does NOT set that session cookie).
Hi
This is an OIDC application, so during the /authorize request we open a system browser that, upon success, redirects to our callback.
But the point is that if we manually enter the URL of the web app (the other app we integrate via SAML with Okta), it goes to the login page. Something is missing.
Should we add something to our OIDC app in Okta so that it also generates SAML content there?
Do both the OIDC app and the SAML app use the same domain for login? I'm curious if that's why the session isn't recognised during the second login: the OIDC app logged in via one domain and the SAML app via a different domain.
Thanks for your reply.
I think there was an issue (bug) with the web application.
So you say it should work?
Without knowing too many details, yes, I believe this should be working without prompting the user to authenticate.
Just to confirm, when you are sent to the login, are you shown the full login form (including the prompt to provide the username), or do you only see a prompt to authenticate with a factor (password or some other authenticator)? I'm curious if your SAML app could be sending forceAuthn: true in its request and is causing the user to be prompted to re-authenticate. You may want to check if that is happening.
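One way to check the last suggestion without waiting on the web app's developers is to grab the `SAMLRequest` parameter the web app sends to Okta (from the browser's network tab, the redirect to the Okta `/sso/saml` URL) and decode it. The script below is an added example, not code from this thread or from Okta: it decodes an HTTP-Redirect-binding `SAMLRequest` (base64 over raw DEFLATE), reads the `ForceAuthn` attribute of the `AuthnRequest`, and reports the issuer and destination. The IdP URL and SP entity ID are hypothetical, and the AuthnRequest it round-trips is constructed here only so the example runs offline; to use it on a real request, pass the actual redirect URL to `inspect_redirect_url`.

```python
"""Added example: decode a SAML AuthnRequest from an HTTP-Redirect binding URL and
report whether the SP set ForceAuthn="true", which makes the IdP re-prompt for
credentials even when a valid SSO session cookie already exists."""
import base64
import zlib
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical IdP SSO endpoint and SP entity ID, used only for the constructed sample.
IDP_SSO_URL = "https://example.okta.com/app/example_sp/abc123/sso/saml"
SP_ENTITY_ID = "https://webapp.example.internal/saml/metadata"


def build_authn_request(force_authn: Optional[bool]) -> str:
    """Constructed sample AuthnRequest; the ForceAuthn attribute is emitted only when asked for."""
    attr = "" if force_authn is None else f' ForceAuthn="{str(force_authn).lower()}"'
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="{IDP_SSO_URL}"{attr}>'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def build_redirect_url(force_authn: Optional[bool]) -> str:
    """Constructed sample of what an SP would send the browser to for SP-initiated SSO."""
    query = urlencode({"SAMLRequest": encode_redirect_request(build_authn_request(force_authn))})
    return f"{IDP_SSO_URL}?{query}"


def decode_saml_request(encoded: str, binding: str) -> bytes:
    """Undo the binding encoding: POST binding is base64 only, Redirect binding adds DEFLATE."""
    raw = base64.b64decode(encoded)
    if binding == "redirect":
        return zlib.decompress(raw, -15)  # -15: raw DEFLATE stream, no zlib header
    if binding == "post":
        return raw
    raise ValueError(f"unknown binding {binding!r}")


def force_authn_flag(xml_bytes: bytes) -> Optional[bool]:
    """True/False if ForceAuthn is present, None if the SP did not set it at all."""
    # Requests from untrusted parties should be parsed with defusedxml rather than stdlib ET.
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    value = root.get("ForceAuthn")
    if value is None:
        return None
    return value.strip().lower() in ("true", "1")  # xs:boolean accepts both spellings


def inspect_redirect_url(url: str) -> dict:
    """Parse a redirect-binding URL and summarise the fields relevant to the SSO prompt."""
    params = parse_qs(urlparse(url).query)  # also URL-decodes the base64 '+' and '=' characters
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter in URL")
    xml_bytes = decode_saml_request(params["SAMLRequest"][0], "redirect")
    root = ET.fromstring(xml_bytes)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "force_authn": force_authn_flag(xml_bytes),
    }


if __name__ == "__main__":
    for flag in (True, False, None):
        print(flag, inspect_redirect_url(build_redirect_url(flag)))
```

If `force_authn` comes back `True`, the re-prompt is expected behaviour from Okta's side and the fix belongs in the SP's SAML configuration; if it is `False` or `None` and the full username form still appears, look instead at the domain mismatch raised earlier in the thread, since the Okta session cookie is only sent back to the org domain it was set on.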