Okta sign-in widget does not complete sign-in after authentication with IDP
We are using the Okta Sign-in Widget with the OIDC Authorization Code flow, and we have enabled the IDP Discovery feature. In the Okta Console, we have configured an IDP Routing Rule to redirect certain usernames to authenticate via an Azure AD IDP. We have tested the connection and the routing rule works correctly when we sign in directly to the Okta console; however, when we use the widget in our own app the authentication workflow never completes, and instead it redirects back to our login screen at the start of the transaction. From what I can see, the following steps are happening:
- User navigates to our app login screen and enters their username
- Okta performs IDP discovery and redirects the browser to the Azure AD authn page with a SAMLRequest
- User enters their credentials on Azure AD
- Azure AD authenticates user and redirects the browser back to Okta’s SAML ACS URL with a SAMLResponse
- Okta verifies the SAMLResponse successfully
- When we do this on the Okta console, after it is verified the user is successfully authenticated to the console
- When we do this on our app, the browser is redirected from our Okta org URL back to our app, but the redirect does not contain any authorization code, so we are unable to authenticate the user.
Are there any other configuration requirements to enable a successful SSO workflow using the Sign-in Widget? It looks like perhaps the redirectUri parameter is not being used by Okta, but this parameter seems to work when we use the widget for primary authentication.
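The callback side of the flow described above, as an added example that is not from the original post or from Okta: the widget configuration uses option names from the Sign-in Widget README with placeholder org, client id and redirect URI, and the helper classifies what the URL at redirectUri actually carries (a code bound to the stored state, an error response, or nothing at all, which is the case reported in the post).

```javascript
// Widget configuration for the Authorization Code flow with IdP Discovery.
// Option names follow the Okta Sign-in Widget README; org, client id and
// redirect URI are placeholders, not values from the post.
const widgetConfig = {
  baseUrl: 'https://EXAMPLE-ORG.okta.com',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'https://app.example.com/login/callback',
  authParams: {
    issuer: 'https://EXAMPLE-ORG.okta.com/oauth2/default',
    responseType: ['code'],
    pkce: true,
    scopes: ['openid', 'profile', 'email'],
  },
  features: { idpDiscovery: true },
};

// Classify the URL the browser lands on at redirectUri after the round trip
// through Okta (and, with a routing rule, the external IdP).
// expectedState is the `state` value the app stored before the redirect.
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get('code');
  const state = params.get('state');
  const error = params.get('error');

  if (error) {
    // Okta reported a failure for this request (e.g. access_denied).
    return { status: 'error', error, description: params.get('error_description') || '' };
  }
  if (!code) {
    // The symptom from the post: the browser came back to redirectUri, but
    // with no code and no error, so there is nothing to exchange for tokens.
    return { status: 'no_code', hint: 'redirect carries neither code nor error' };
  }
  if (!expectedState || state !== expectedState) {
    // A code is present but does not belong to the request this app started;
    // rejecting it blocks CSRF-style code injection into the login session.
    return { status: 'state_mismatch' };
  }
  return { status: 'ok', code };
}

// Constructed sample callbacks (not captured from a real Okta org).
const SAMPLE_OK = 'https://app.example.com/login/callback?code=CODE123&state=s1';
const SAMPLE_EMPTY = 'https://app.example.com/login/callback';
```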