I am trying to integrate my app with other SAML SSO apps. It appears that the others use SSO via an sid cookie that gets populated the first time logging in through okta. I did not write these apps. I am assuming this is how they work because i see the sid cookie in my browser after login.
My app does a successful login (authn request + response). At this point, there is an sid cookie in the browser that is empty. Is okta supposed to populate this cookie? Am I missing a step? Do I need additional configuration?
Depending on your org and flow, Okta should be setting a sid or an idx cookie *on the Okta domain to track the user’s session within the Okta org. If your users are being logged into your SAML application through Okta, they will be required to complete primary authentication unless they already have a valid Okta session.
For a SAML application in an Okta Classic org, I would expect this sequence of requests to log the user in:
- /authn (this might require multiple, separate requests if the user needs to complete MFA challenges)
a. once primary auth is completed, the status will be SUCCESS and a sessionToken will be returned in the final /authn request
b. the user will NOT have an Okta session cookie set at this point, you must exchange this sessionToken for a session at one of the supported endpoints - include the sessionToken you received as a query parameter for an app embed link
a. after this step, an Okta session cookie will be created on the Okta org and the user will be redirected back to your SAML app