Losing Session between API Calls?

So I am writing a Java function that will log into Okta, navigate to an app and grab the JSESSION from the cookie…

I have this fully working in Postman using the following APIs:
POST https://xxxx.okta.com/api/v1/authn (the body has the login and password, and I retrieve the sessionToken from the response body)

Next using this sessionToken I am calling

(GET or POST) https://xxxx.okta.com/login/sessionCookieRedirect?token={sessionToken}&redirectUrl=https://xxxx.okta.com/app/{application}/exk2v2ll38qwu8X2q1t7/sso/saml

The HTML page I obtain from the last call in Postman has the SAMLResponse that I can grab for the next step. But using Java, the second call returns me to the login screen.

The next step uses the SAML response.

I’ve done a few API projects in Java so I’m fairly familiar with all the basics, but this has been eluding me for too long. Am I missing something?

Any help appreciated.

If the goal is to log the user into a SAML app with a sessionToken, what about using the App Embed Link to get a session instead of /login/sessionCookieRedirect?

Note that these requests are meant to be browser redirects (so that Okta can set the session cookie for the user on the Okta domain).

Thanks, I currently do not have an API key that is required for that call. Going to check with the Okta team if I can get that to try.

Yes, I understand what it is for. The end goal, once I have the SAML, is to go to the application and grab the JSESSION ID from the cookies. The APIs that we are calling in the aforementioned application require the JSESSION ID, so this is how we are grabbing it and storing it for the next calls to the application APIs. (PS: This is a weird one-off application; our other corporate apps use Okta tokens and that is working fine.)

As I mentioned, this is all working perfectly in Postman, I just can't get it to work properly in Java.

Is that JSESSIONID cookie one that your integration is setting, or is it the JSESSIONID that gets set on the Okta domain?

From the application. Once I have the SAMLResponse I use that to log into the application and grab the JSESSION then.

So, I tried the embed link and that acts the same: it goes to the login page instead of the embed link.

After more testing I found that the sessionToken created from my first call can be pulled and used in Postman for the second call and it works fine. (This is on a different machine, so it's not a session problem.)

This actually puts me more at a loss. Why would the 2nd API call, /login/sessionCookieRedirect or the embed link, both work in Postman but neither work in Java?

In both cases I’m being sent back to the Okta login page instead of the expected destination.

Your description makes it sound like maybe the Okta session doesn’t exist within the user's browser. Do you see a sid or idx cookie set on the Okta domain when you make the second request?
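
An added example, not part of the thread and not Okta's code: a local stand-in server that sets a cookie and redirects, fetched once by a Java `HttpClient` with no cookie jar and once with a `CookieManager`, which is one way to check the question above about whether the session cookie survives the redirect. The server, its paths, the `sid` value and the token are constructed for illustration; real Okta responses may differ.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;

public class SessionCookieRedirectDemo {
    // Follow redirects from uri; cookies == null means the client keeps no cookie jar.
    static String fetch(URI uri, CookieHandler cookies) throws Exception {
        HttpClient.Builder builder = HttpClient.newBuilder()
                .version(HttpClient.Version.HTTP_1_1)
                .followRedirects(HttpClient.Redirect.NORMAL);
        if (cookies != null) builder.cookieHandler(cookies);
        HttpRequest request = HttpRequest.newBuilder(uri).GET().build();
        return builder.build().send(request, HttpResponse.BodyHandlers.ofString()).body();
    }

    public static void main(String[] args) throws Exception {
        // Constructed local stand-in for the two-step flow; it is not Okta's implementation.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/login/sessionCookieRedirect", ex -> {
            // Step 1: set the session cookie, then redirect to the app link.
            ex.getResponseHeaders().add("Set-Cookie", "sid=constructed-value; Path=/; HttpOnly");
            ex.getResponseHeaders().add("Location", "/app/sso/saml");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        server.createContext("/app/sso/saml", ex -> {
            // Step 2: only a request that carries the cookie back gets the SAML form.
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            boolean hasSession = cookie != null && cookie.contains("sid=constructed-value");
            byte[] body = (hasSession ? "SAMLResponse form" : "login page")
                    .getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        URI start = URI.create("http://127.0.0.1:" + server.getAddress().getPort()
                + "/login/sessionCookieRedirect?token=constructed-token");
        CookieManager jar = new CookieManager();
        System.out.println("no cookie jar   -> " + fetch(start, null));
        System.out.println("with cookie jar -> " + fetch(start, jar));
        System.out.println("cookies stored  -> " + jar.getCookieStore().getCookies());
        server.stop(0);
    }
}
```

Printing the jar's contents after the call against the real endpoint shows whether a session cookie was actually received and kept by the Java client.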