Hello! I think inherently this would be a difficult task and maybe even go against best practice. In the end, whether you have a user input their credentials or if you do it under the hood - you will need to submit user credentials to Okta at some point. So this would mean the credentials the user submitted to login to App A:
- Would need to match the credentials of their Okta user.
- You would be saving their unhashed password to then submit to Okta.
Between our authn and sessions apis you certainly can create an Okta session, so maybe if #1 holds true you could run those api calls at the point of the user logging into App A.
My suggestion would be to try and refactor your App A login to log a user directly into Okta. This would make Okta your single source of truth and then SSO would be much more streamlined.